MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 15

SHA256 hash: 3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a
SHA3-384 hash: cbd68a2e45f02a895424282972aa4800fa3745f0cf4a3d184580e488ebcc4afe4ff94c7a5f3ae2e6f3e88bacf4e94f40
SHA1 hash: 87c9f29d58f57a5e025061d389be2655ee879d5d
MD5 hash: 55dba6e7aa4e8cc73415f4e3f9f6bdae
humanhash: fish-wolfram-violet-hamper
File name: bomb.exe
Signature: Stealc
File size: 12'288 bytes
First seen: 2024-10-05 06:51:22 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 192:vnpYaU28zxHdo4ZMgQl9q+4ua7HhdSbwxz1ULU87glpK/b26J4Uf1XXr5:vWZdoWMR96uaLhM6ULU870gJR
Threatray: 17 similar samples on MalwareBazaar
TLSH: T124423E18BAF94335E77BCB3D58B7920195787746E802CB2C85F61A4D141B7026DE0E3E
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
Reporter: JAMESWT_WT
Tags: exe Patchwork Stealc

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
147.45.44.116:33619 | https://threatfox.abuse.ch/ioc/1333750/

Intelligence


File Origin
# of uploads: 1
# of downloads: 400
Origin country: IT

Vendor Threat Intelligence
Malware family:
ID: 1
File name: bomb.exe
Verdict: Malicious activity
Analysis date: 2024-05-14 11:15:01 UTC
Tags: opendir loader keylogger rat remcos remote covid19 phorpiex asyncrat lokibot stealer evasion smtp trojan exfiltration agenttesla formbook xloader spyware xworm risepro

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 90.9%
Tags: Agenttesla Phorpiex Redline Remcos
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Amadey, Go Injector, LummaC Stealer, Pho
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to check if Internet connection is working
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Search for Antivirus process
Sigma detected: Stop multiple services
Stops critical windows services
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Go Injector
Yara detected LummaC Stealer
Yara detected Phorpiex
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected Stealc
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: ID 1526331, sample bomb.exe, start date 05/10/2024, architecture WINDOWS, score 100 (graph rendering not reproduced)
Threat name: ByteCode-MSIL.Trojan.Marsilia
Status: Malicious
First seen: 2024-02-14 14:59:32 UTC
File Type: PE (.Net Exe)
Extracted files: 1
AV detection: 25 of 38 (65.79%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:amadey family:lumma family:phorphiex family:stealc family:vidar botnet:550eb4 botnet:cry botnet:uniq credential_access discovery evasion execution loader persistence spyware stealer trojan worm
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Browser Information Discovery
Embeds OpenSSL
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Launches sc.exe
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Power Settings
.NET Reactor protector
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Unsecured Credentials: Credentials In Files
Windows security modification
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
Amadey
Detect Vidar Stealer
Lumma Stealer, LummaC
Modifies security service
Phorphiex payload
Phorphiex, Phorpiex
Stealc
Vidar
Windows security bypass
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash: 3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a
MD5 hash: 55dba6e7aa4e8cc73415f4e3f9f6bdae
SHA1 hash: 87c9f29d58f57a5e025061d389be2655ee879d5d
Detections: INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Detect_PowerShell_Obfuscation
Author: daniyyell
Description: Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name: MSIL_TinyDownloader_Generic
Author: albertzsigovits
Description: Detects small-sized dotNET downloaders

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (GUARD_CF) | high

Comments