MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4141832da8cb4c2cb699e490a67c16f8223b0dbdb0fc48632d9f999e19b87a8f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc
Vendor detections: 13

SHA256 hash: 4141832da8cb4c2cb699e490a67c16f8223b0dbdb0fc48632d9f999e19b87a8f
SHA3-384 hash: 9e359507095830b901d2ee75dd7becb32ad07fdcd70e794a69d66aa5ff187737353442f40585379d7210efe804f6286f
SHA1 hash: 4c06866fe7a04fd5b691c59d5a7376af574d7e0e
MD5 hash: e5dbe60dbe305d5b512a93c80f2575ad
humanhash: pasta-kansas-solar-triple
File name: e5dbe60dbe305d5b512a93c80f2575ad.exe
Signature: Stealc
File size: 288'768 bytes
First seen: 2023-11-28 22:35:20 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 11c9fcb70393a93c4fb8b893cde399ed (4 x Smoke Loader, 4 x Stealc, 2 x Tofsee)
ssdeep: 1536:KRMnjlzPHO8gx9Ojlwxygf9l6py/ofzors4xgXtk1uQ8SDyv6Fs6C24EooJ55nzU:KO+Vxfr6YwfIOk1uQTxCc5V7Q5LleQ
TLSH: T1A854E65382E13D44F9268B729F3FD6EC7B0EF2928E493B6921199E1F04B1172E263754
TrID: 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
      17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      15.9% (.EXE) Win32 Executable (generic) (4505/5/1)
      7.3% (.ICL) Windows Icons Library (generic) (2059/9)
      7.1% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: 001494889892c0c0 (1 x Stealc)
Reporter: abuse_ch
Tags: exe Stealc


Comment by abuse_ch:
Stealc C2: http://5.42.64.41/40d570f44e84a454.php

Intelligence

File Origin
Number of uploads: 1
Number of downloads: 324
Origin country: NL
Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness: Gathering data

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Stealc, Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking locale)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Threat name: Win32.Trojan.Privateloader
Status: Malicious
First seen: 2023-11-28 22:37:30 UTC
File Type: PE (Exe)
Extracted files: 69
AV detection: 23 of 23 (100.00%)
Threat level: 5/5
Verdict: malicious

Result
Malware family:
Score: 10/10
Tags: family:stealc discovery spyware stealer
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Stealc
Malware Config
C2 Extraction: http://5.42.64.41
Unpacked files
SHA256 hash: 2cb8f1b5d0419a80db8d6b13eaed2bfe60f1c053b465a72d4620ad8027c0d15a
MD5 hash: c99986364003af19ed59e34b3c1f3d24
SHA1 hash: c1d1f084ba481886039c589b464d18e892e42f74
Detections: stealc win_stealc_a0 win_stealc_bytecodes_oct_2023

Parent samples:
SHA256 hash: 4141832da8cb4c2cb699e490a67c16f8223b0dbdb0fc48632d9f999e19b87a8f
MD5 hash: e5dbe60dbe305d5b512a93c80f2575ad
SHA1 hash: 4c06866fe7a04fd5b691c59d5a7376af574d7e0e

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Stealc
File: Executable exe 4141832da8cb4c2cb699e490a67c16f8223b0dbdb0fc48632d9f999e19b87a8f (this sample)

Delivery method
Distributed via web download

Comments