MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44f7e32d9d153692bf8e985566a42e118711c5c7c458354d9d2b8da8d3ecb34d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	44f7e32d9d153692bf8e985566a42e118711c5c7c458354d9d2b8da8d3ecb34d
SHA3-384 hash:	1bbf74d8c1c3109324673371da525dbd4bacd76b43518b821f1fd09ab598705779e7bcf44053b892e54a6b292e5dc5c1
SHA1 hash:	408f2b7550053efd52e0954e7aa0f767a7fbb64b
MD5 hash:	320a062b2e5a45a5c5298a7cc50d949d
humanhash:	fruit-alabama-kentucky-gee
File name:	file
Download:	download sample
Signature	Stealc Create hunting rule
File size:	263'680 bytes
First seen:	2023-11-19 16:49:32 UTC
Last seen:	2023-11-20 02:28:34 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	eb2b7f9c7e630bef5e1bf00f3d34e673 (3 x Stealc, 2 x Smoke Loader, 1 x Vidar)
ssdeep	3072:VPowSp/yBSAnXbjHDN8zceIB05fZz3jnpPXHjXRBy97ovb1Yrz:loyBSA3jN8z4ozTlLytMe
Threatray	15 similar samples on MalwareBazaar
TLSH	T186448C2369D0BC71C56A87744E2D9AEEBB2E74614D61C78B27D41E6A1D302B1FF1B302
TrID	45.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.4% (.EXE) Win64 Executable (generic) (10523/12/4) 9.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.6% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0008286c04020200 (1 x Stealc)
Reporter	andretavare5
Tags:	exe Stealc

andretavare5

Sample downloaded from http://gons23cl.top/build.exe

Intelligence

File Origin

# of uploads :

# of downloads :

422

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

https://romvalstudios.com/wp-content/server/reliase_1_9.rar

Verdict:

Malicious activity

Analysis date:

2023-11-19 21:03:32 UTC

Tags:

privateloader evasion opendir loader risepro stealer redline raccoon recordbreaker miner tofsee botnet g0njxa

Link:

https://app.any.run/tasks/656fc167-d41a-4dd1-bc63-e2aedbd541de

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/459152/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Gathering data

Verdict:

No Threat

Threat level:

10/10

Confidence:

100%

Tags:

greyware lolbin shell32

Link:

https://www.filescan.io/uploads/655a3cbb3d244c103088297a/reports/7d1f470b-374f-4dfd-821b-17a9674d207d/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/44f7e32d9d153692bf8e985566a42e118711c5c7c458354d9d2b8da8d3ecb34d

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Stealc

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3167c352-5c1a-421c-a349-67c8545ce41f

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1344795

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contain functionality to detect virtual machines

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found evasive API chain (may stop execution after checking computer name)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Self deletion via cmd or bat file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected AntiVM3

Yara detected Vidar

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/44f7e32d9d153692bf8e985566a42e118711c5c7c458354d9d2b8da8d3ecb34d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/44f7e32d9d153692bf8e985566a42e118711c5c7c458354d9d2b8da8d3ecb34d/

Threat name:

Win32.Backdoor.Tofsee

Status:

Malicious

First seen:

2023-11-19 16:50:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=it36glm5cu3jfp4otbkwnjbocgdrdrohyrmdktm5fog2ru7mwngq._file

Verdict:

malicious

Stealc

2b64b187c3f36ebcfeb40e5f975d923167d4e981cae7f4e2861611d1e1ae036d

Stealc

44f7e32d9d153692bf8e985566a42e118711c5c7c458354d9d2b8da8d3ecb34d

Stealc

72363354fdb8847c45c1dc44e2a87a20da0fa04d52c2afddd24f8050a260b99b

Stealc

82c275cb45227b5f3b3d6b222a1e1b4a52f37d0de58655fd8daaa71efc4e0d1b

Stealc

b95a23162d43842a9b7535baf294320fb90ac892898e8eebe4bec9ff259539e4

Stealc

+ 5 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/231119-vb9rrabf4x/

Behaviour

Delays execution with timeout.exe

Program crash

Unpacked files

SH256 hash:

038cc1f0f44c6c6ec1c71e3952357a04ed52fb70b4ed110d2c6d178e910cb552

MD5 hash:

b1e3ae8d4c67578f054d25c69ce5139a

SHA1 hash:

6a3e1115f8aa9a0cd4b0901f5d55d12566cd6c04

Detections:

INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Link:

https://www.unpac.me/results/e9735e4e-b66c-4912-923b-fd4e709da408/

Parent samples :

1df3ca3f121e7606f16c05fbec1f2d97925002242cf534118f522664ba689a52
82c275cb45227b5f3b3d6b222a1e1b4a52f37d0de58655fd8daaa71efc4e0d1b
72363354fdb8847c45c1dc44e2a87a20da0fa04d52c2afddd24f8050a260b99b
a50880d6cbbc39560c99a3999e2b1fd0df3f0d5855a0f638a27489747a7f8877
bc182c1ad875034766bf6f30db48ccd680a19757d51c21624d40c29f8609eb9f
2b64b187c3f36ebcfeb40e5f975d923167d4e981cae7f4e2861611d1e1ae036d
44f7e32d9d153692bf8e985566a42e118711c5c7c458354d9d2b8da8d3ecb34d
3d6f60107b831b2c10f7788c2c47f9ca6c3804b42f83e77c6e5e9993b7392378

SH256 hash:

44f7e32d9d153692bf8e985566a42e118711c5c7c458354d9d2b8da8d3ecb34d

MD5 hash:

320a062b2e5a45a5c5298a7cc50d949d

SHA1 hash:

408f2b7550053efd52e0954e7aa0f767a7fbb64b

Link:

https://www.unpac.me/results/e9735e4e-b66c-4912-923b-fd4e709da408/

Malware family:

Stealc

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/44f7e32d9d15/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/44f7e32d9d153692bf8e985566a42e118711c5c7c458354d9d2b8da8d3ecb34d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.