MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a7e241ed991bc710a5cfe0528fce37d8bdf5be3c5e3b6d43b876fbf6f97686a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 14

Intelligence 14 IOCs YARA 7 File information Comments

SHA256 hash:	4a7e241ed991bc710a5cfe0528fce37d8bdf5be3c5e3b6d43b876fbf6f97686a
SHA3-384 hash:	c5badda07f47a8ee9bbc645400a99fd00f4f19b31da5c9e471eacf3dde6b585444382639fcc880411c7e5c83b053687e
SHA1 hash:	4a739cb7fce0d5bff8d455f997fd7331e79d507d
MD5 hash:	183c01a9fd4495af6e4b7f33f45f0e24
humanhash:	minnesota-uniform-oscar-music
File name:	183c01a9fd4495af6e4b7f33f45f0e24.exe
Download:	download sample
Signature	Stealc Create hunting rule
File size:	2'061'824 bytes
First seen:	2023-06-02 07:30:25 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	65d9c1a9ed29f52599b050c6a36bebe6 (3 x RedLineStealer, 1 x Rhadamanthys, 1 x Stealc)
ssdeep	3072:bel1V6eeKktRJ6wT1tkGHn+qbOJCbJWuIDD0OblCeAg0FujDK9WRLQ0+UVp5wnkg:bSq15RjKGxbOAWuIfRAOjLQ0ztUitA
Threatray	1'293 similar samples on MalwareBazaar
TLSH	T17B959D0271A18232D87310334EEBCAB9B93DFD5107561DFBA7943A6E8E20AD0973DE55
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe Stealc

abuse_ch

Stealc C2:
http://185.99.133.229/4107e896e74f964e.php

Intelligence

File Origin

# of uploads :

# of downloads :

300

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

183c01a9fd4495af6e4b7f33f45f0e24.exe

Verdict:

Malicious activity

Analysis date:

2023-06-02 07:31:42 UTC

Tags:

stealc

Link:

https://app.any.run/tasks/bdfbb91c-8eca-4279-93cc-d536bce010cd

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/394709/

Detection(s):

Win.Packed.Lazy-10002615-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Searching for synchronization primitives

Сreating synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Sending a custom TCP request

Changing a file

Creating a window

Running batch commands

Creating a process with a hidden window

Stealing user critical data

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/89027/overview

Behaviour

MalwareBazaar

MeasuringTime

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware lolbin overlay packed zusy

Link:

https://www.filescan.io/uploads/64799ab79ce2e6bd7ed07cb1/reports/311dc2af-6a3c-40b7-9bfb-7d45aee4e576/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/4a7e241ed991bc710a5cfe0528fce37d8bdf5be3c5e3b6d43b876fbf6f97686a

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Stealc

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9e5cec0c-8f62-44d1-8ace-332768f3bf66

Result

Threat name:

Stealc, Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1247446

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Country aware sample found (crashes after keyboard check)

Found evasive API chain (may stop execution after checking locale)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected Stealc

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4a7e241ed991bc710a5cfe0528fce37d8bdf5be3c5e3b6d43b876fbf6f97686a/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2023-05-30 03:08:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 37 (67.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jj7cihwzsg6hccs47ycsr7hdpwf56w7dyxr3nvb3q5x3634xnbva._file

Verdict:

malicious

Stealc

2841d614844219e1c2e937b51d5cd94f816f6b1985bf7372f0ee41c5bcb176b5

Stealc

37aa7fbf692cbc7da1f9f233c37cd4e7f1a41e12d61f2c34d6bb1171863d2790

Stealc

40d0734b985f3b131a175222639d0621b1f7f7a0f90674c676df80191fb215aa

Stealc

86c349ad1aecf41f402adad10ff1c7a8e34b2f9f733db02bfd88bb1abac8128a

Stealc

8d00abb9dc2e8161d63530424d10b66ad851ce075be2db66aa7e25cf1883c15f

Stealc

a06867c5e8f32e4f33fc0455b26a792eb1647178918628765aec756c1a21c382

Stealc

b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0

Stealc

d182fa757e7b1a39ae31bb165ff358931a5454115363bd636faeeb41e2aee3c1

Stealc

+ 1'283 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

spyware

Link:

https://tria.ge/reports/230602-jcc9dsag8v/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Loads dropped DLL

Downloads MZ/PE file

Unpacked files

SH256 hash:

525fb5c8e3c79b80c79f60e11526f127ab9c69299510a9875b52c33e8cc499c7

MD5 hash:

fd71c72093f5ce9079c0d66549034ffa

SHA1 hash:

888e2e6d11c0ab105691a3c86bad4529fa9246d8

Detections:

win_stealc_w0

win_stealc_auto

win_stealc_a0

Link:

https://www.unpac.me/results/1f81c2dc-34ec-43d5-801a-96063b9c6c99/

SH256 hash:

4a7e241ed991bc710a5cfe0528fce37d8bdf5be3c5e3b6d43b876fbf6f97686a

MD5 hash:

183c01a9fd4495af6e4b7f33f45f0e24

SHA1 hash:

4a739cb7fce0d5bff8d455f997fd7331e79d507d

Link:

https://www.unpac.me/results/1f81c2dc-34ec-43d5-801a-96063b9c6c99/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4a7e241ed991/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4a7e241ed991bc710a5cfe0528fce37d8bdf5be3c5e3b6d43b876fbf6f97686a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers

Rule name:	infostealer_win_stealc_standalone Create hunting rule
Description:	Find standalone Stealc sample based on decryption routine or characteristic strings
Reference:	https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	win_stealc_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.stealc.

Rule name:	win_stealc_w0 Create hunting rule
Author:	crep1x
Description:	Find standalone Stealc sample based on decryption routine or characteristic strings
Reference:	https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/

Rule name:	yara_template Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/394709/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample