MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e92cafeb19680b98ceff1ac9103d0f132b19af61aa9241ff6b59dd1bb96cffd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3e92cafeb19680b98ceff1ac9103d0f132b19af61aa9241ff6b59dd1bb96cffd
SHA3-384 hash: 5fb0023a773d987d462ae3288b6a0dab18ae8b16507394004f4f243cd625d0577399a8f383eb94805005792291a5c61f
SHA1 hash: 04eaaf80465f962815d9bc0a063011f658c97985
MD5 hash: e241e34c6b235cff33f5dbad80999167
humanhash: massachusetts-mississippi-island-bacon
File name:file
Download: download sample
Signature Stealc
Create hunting rule
File size:1'139'712 bytes
First seen:2024-07-22 09:12:28 UTC
Last seen:2024-07-22 10:24:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 001806c33a6e9fe5fbff34bdbd79b591 (112 x Stealc, 9 x MarsStealer, 1 x Amadey)
ssdeep 24576:5/+BUCQmlV+u56VXAfCQb3EwqSgvCli5QmXTq:oUCQeV+uMJfCICli+mXT
TLSH T16535338688AC44DAFBB81EF581F61816405B704F48DAE2451669D3CCC2FD26E9FF7389
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter Bitsight
Tags:exe Stealc


Avatar
Bitsight
url: http://77.91.77.81/stealc/random.exe

Intelligence

File Origin
# of uploads :
20
# of downloads :
352
Origin country :
US US
Vendor Threat Intelligence
Detection(s):
Win.Malware.Zusy-10033606-0
Create hunting rule

PUA.Win.Packer.EnigmaProtector-9852682-0
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=669e229f2f6eaff4b90f279d
Tags:
Execution Generic Infostealer Network Stealth Trojan
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Connecting to a non-recommended domain
Connection attempt
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
enigma lolbin microsoft_visual_cc obfuscated packed packed shell32
Link:
https://www.filescan.io/uploads/669e229fcbb32227b6aa2a3e/reports/c0603dd2-5e73-4d4c-969d-22d3b9bf161c/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/3e92cafeb19680b98ceff1ac9103d0f132b19af61aa9241ff6b59dd1bb96cffd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Spark
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bfd949d2-1fb0-48f5-a026-cfce022e8905
Result
Threat name:
Amadey, Babadeda, Stealc, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1478201
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Snort IDS alert for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Amadeys stealer DLL
Yara detected Babadeda
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1478201 Sample: file.exe Startdate: 22/07/2024 Architecture: WINDOWS Score: 100 122 youtube-ui.l.google.com 2->122 124 www.youtube.com 2->124 126 33 other IPs or domains 2->126 166 Snort IDS alert for network traffic 2->166 168 Found malware configuration 2->168 170 Antivirus detection for URL or domain 2->170 172 16 other signatures 2->172 11 file.exe 38 2->11         started        16 msedge.exe 2->16         started        18 explorti.exe 2->18         started        20 6 other processes 2->20 signatures3 process4 dnsIp5 154 85.28.47.31, 49730, 49731, 49835 GES-ASRU Russian Federation 11->154 156 77.91.77.81, 49738, 49822, 49837 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 11->156 106 C:\Users\user\AppData\...\softokn3[1].dll, PE32 11->106 dropped 108 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 11->108 dropped 110 C:\Users\user\AppData\...\mozglue[1].dll, PE32 11->110 dropped 120 13 other files (9 malicious) 11->120 dropped 192 Detected unpacking (changes PE section rights) 11->192 194 Tries to steal Mail credentials (via file / registry access) 11->194 196 Found many strings related to Crypto-Wallets (likely being stolen) 11->196 208 4 other signatures 11->208 22 cmd.exe 1 11->22         started        24 cmd.exe 1 11->24         started        112 topTraffic_1705401...0506234197983529371, data 16->112 dropped 114 C:\Users\user\AppData\Local\...\topTraffic, ASCII 16->114 dropped 116 C:\Users\user\AppData\Local\...\Login Data, SQLite 16->116 dropped 118 C:\Users\user\AppData\Local\...\History, SQLite 16->118 dropped 198 Creates multiple autostart registry keys 16->198 200 Maps a DLL or memory area into another process 16->200 26 msedge.exe 16->26         started        29 msedge.exe 16->29         started        31 msedge.exe 16->31         started        38 2 other processes 16->38 202 Hides threads from debuggers 18->202 204 Tries to detect sandboxes / dynamic malware analysis system (registry check) 18->204 206 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 18->206 33 firefox.exe 20->33         started        36 firefox.exe 20->36         started        40 2 other processes 20->40 file6 signatures7 process8 dnsIp9 42 userIJEGDBGDBF.exe 4 22->42         started        46 conhost.exe 22->46         started        48 userIDGIJEGHDA.exe 8 24->48         started        50 conhost.exe 24->50         started        138 13.107.246.40, 443, 49791, 49792 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 26->138 140 142.251.32.100, 443, 49803 GOOGLEUS United States 26->140 146 14 other IPs or domains 26->146 142 142.250.185.206, 443, 49888, 49889 GOOGLEUS United States 33->142 148 6 other IPs or domains 33->148 92 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 33->92 dropped 94 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 33->94 dropped 52 firefox.exe 33->52         started        144 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82, 49812, 49817, 49887 GOOGLEUS United States 36->144 150 2 other IPs or domains 36->150 54 firefox.exe 36->54         started        56 firefox.exe 36->56         started        file10 process11 file12 96 C:\Users\user\AppData\Local\...\explorti.exe, PE32 42->96 dropped 174 Antivirus detection for dropped file 42->174 176 Detected unpacking (changes PE section rights) 42->176 178 Machine Learning detection for dropped file 42->178 182 5 other signatures 42->182 58 explorti.exe 42->58         started        180 Detected unpacking (overwrites its own PE header) 48->180 63 cmd.exe 1 48->63         started        signatures13 process14 dnsIp15 152 77.91.77.82, 49818, 49836, 49841 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 58->152 98 C:\Users\user\AppData\...\554b4880a1.exe, PE32 58->98 dropped 100 C:\Users\user\AppData\...\dffcdf36f6.exe, PE32 58->100 dropped 102 C:\Users\user\AppData\Local\...\random[1].exe, PE32 58->102 dropped 104 2 other malicious files 58->104 dropped 184 Detected unpacking (changes PE section rights) 58->184 186 Tries to detect sandboxes and other dynamic analysis tools (window names) 58->186 188 Creates multiple autostart registry keys 58->188 190 5 other signatures 58->190 65 dffcdf36f6.exe 58->65         started        68 554b4880a1.exe 58->68         started        70 explorti.exe 58->70         started        72 chrome.exe 63->72         started        75 msedge.exe 16 63->75         started        77 conhost.exe 63->77         started        79 firefox.exe 1 63->79         started        file16 signatures17 process18 dnsIp19 158 Multi AV Scanner detection for dropped file 65->158 160 Detected unpacking (changes PE section rights) 65->160 162 Hides threads from debuggers 65->162 164 Binary is likely a compiled AutoIt script file 68->164 81 firefox.exe 68->81         started        134 192.168.2.4, 443, 49723, 49724 unknown unknown 72->134 136 239.255.255.250 unknown Reserved 72->136 83 chrome.exe 72->83         started        86 chrome.exe 72->86         started        88 chrome.exe 72->88         started        90 msedge.exe 75->90         started        signatures20 process21 dnsIp22 128 www.google.com 142.250.185.132, 443, 49831 GOOGLEUS United States 83->128 130 www3.l.google.com 142.250.186.46, 443, 49821 GOOGLEUS United States 83->130 132 4 other IPs or domains 83->132
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3e92cafeb19680b98ceff1ac9103d0f132b19af61aa9241ff6b59dd1bb96cffd
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3e92cafeb19680b98ceff1ac9103d0f132b19af61aa9241ff6b59dd1bb96cffd/
Threat name:
Win32.Trojan.Stealc
Create hunting rule
Status:
Malicious
First seen:
2024-07-22 09:13:11 UTC
File Type:
PE (Exe)
AV detection:
24 of 24 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h2jmv7vrs2altdhp6gwjca6q6ezldgxwdkusih7wwwo5do4wz76q._file
Verdict:
malicious
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:stealc botnet:sila stealer
Link:
https://tria.ge/reports/240722-k6qx1szajb/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Stealc
Malware Config
C2 Extraction:
http://85.28.47.31
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ef090f87-c313-43e7-9205-2774a9ba4ab6
Unpacked files
SH256 hash:
3e92cafeb19680b98ceff1ac9103d0f132b19af61aa9241ff6b59dd1bb96cffd
MD5 hash:
e241e34c6b235cff33f5dbad80999167
SHA1 hash:
04eaaf80465f962815d9bc0a063011f658c97985
Detections:
SUSP_XORed_URL_In_EXE
Create hunting rule
Link:
https://www.unpac.me/results/408a5a18-ee61-4f04-b6f0-fac4dd50d10a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3e92cafeb19680b98ceff1ac9103d0f132b19af61aa9241ff6b59dd1bb96cffd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:SUSP_XORed_URL_In_EXE
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe 3e92cafeb19680b98ceff1ac9103d0f132b19af61aa9241ff6b59dd1bb96cffd

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3058171/
  
URLhaus
https://urlhaus.abuse.ch/url/2909131/
  
URLhaus
https://urlhaus.abuse.ch/url/2909129/
  
URLhaus
https://urlhaus.abuse.ch/url/2908698/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteA
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryA
WIN_BASE_IO_APICan Create Filesversion.dll::GetFileVersionInfoA

Comments