MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f806da85a44aa81dcf77305bbcfdaa692a13baae6cb44af778b8f9bc0edb0ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 14


Intelligence 14 IOCs YARA 33 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4f806da85a44aa81dcf77305bbcfdaa692a13baae6cb44af778b8f9bc0edb0ba
SHA3-384 hash: 2a55870799c401a1d0d5dde806a2be8aca63954b8376489d25d7ffa120f0aba6d9986ec99b47d391beef4e470fa4bbeb
SHA1 hash: 406d68e061e551eeec4df8ce6358c306110c3263
MD5 hash: 0df32dc06820fa65121d50db20760c8d
humanhash: enemy-golf-indigo-south
File name:file
Download: download sample
Signature Stealc
Create hunting rule
File size:3'928'064 bytes
First seen:2024-04-21 20:30:34 UTC
Last seen:2024-04-21 21:25:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5929190c8765f5bc37b052ab5c6c53e7 (74 x LummaStealer, 14 x RedLineStealer, 8 x Stealc)
ssdeep 49152:RXXX4EDkLoGDzatJ23roMjmRjw5EnaCtqOCGWPEwDw:loU4oGiQ9tE+lPP
Threatray 735 similar samples on MalwareBazaar
TLSH T12C065B07FCA554F8C1AAE63589629153BA217C881B3027D72F60F7782F76BD09EB9740
TrID 58.9% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
16.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
10.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.1% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter Bitsight
Tags:exe Stealc


Avatar
Bitsight
url: https://vk.com/doc5294803_668841850?hash=zldlhzBQeEfEiuKrXEzpn2RScV3H9hS113LKEdoYy3k&dl=Dynv0q6Fwp0VKC0q2i8RHZefZ5zTpmtwxdIiHONAAbs&api=1&no_preview=1#inst

Intelligence

File Origin
# of uploads :
2
# of downloads :
519
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4f806da85a44aa81dcf77305bbcfdaa692a13baae6cb44af778b8f9bc0edb0ba.exe
Verdict:
Malicious activity
Analysis date:
2024-04-21 20:32:38 UTC
Tags:
stealer stealc loader discord
Link:
https://app.any.run/tasks/eb972e8d-f0be-4664-9314-ace00938c462

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file
Launching a process
Сreating synchronization primitives
Connection attempt
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug golang installer packed
Link:
https://www.filescan.io/uploads/662577873137a4e0f3bd3e8f/reports/a482dde4-97a0-4e49-a419-932e6d12614e/overview
Verdict:
Malicious
Labled as:
WinGo/TrojanDropper.Agent
Link:
https://www.hybrid-analysis.com/sample/4f806da85a44aa81dcf77305bbcfdaa692a13baae6cb44af778b8f9bc0edb0ba
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/82211e9c-a144-48ca-b9d7-be5bc62187cb
Result
Threat name:
Mars Stealer, Stealc, Vidar
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1429310
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Sigma detected: Drops script at startup location
Sigma detected: Search for Antivirus process
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Mars stealer
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1429310 Sample: file.exe Startdate: 21/04/2024 Architecture: WINDOWS Score: 100 82 roYYIUmBpZdeMrkfyjiCCoJrIrXp.roYYIUmBpZdeMrkfyjiCCoJrIrXp 2->82 84 cdn.discordapp.com 2->84 92 Snort IDS alert for network traffic 2->92 94 Multi AV Scanner detection for domain / URL 2->94 96 Found malware configuration 2->96 98 10 other signatures 2->98 13 file.exe 2 2->13         started        16 wscript.exe 1 2->16         started        signatures3 process4 signatures5 124 Writes to foreign memory regions 13->124 126 Allocates memory in foreign processes 13->126 128 Injects a PE file into a foreign processes 13->128 18 BitLockerToGo.exe 35 13->18         started        130 Windows Scripting host queries suspicious COM object (likely to drop second stage) 16->130 23 CyberCrafter.pif 16->23         started        process6 dnsIp7 86 89.105.201.188, 49699, 80 NOVOSERVE-ASNL Netherlands 18->86 88 cdn.discordapp.com 162.159.133.233, 443, 49705 CLOUDFLARENETUS United States 18->88 58 C:\Users\user\AppData\...\JECBGCFHCF.exe, PE32 18->58 dropped 60 C:\Users\user\AppData\...\softokn3[1].dll, PE32 18->60 dropped 62 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 18->62 dropped 64 11 other files (7 malicious) 18->64 dropped 102 Tries to steal Mail credentials (via file / registry access) 18->102 104 Found many strings related to Crypto-Wallets (likely being stolen) 18->104 106 Tries to harvest and steal ftp login credentials 18->106 108 6 other signatures 18->108 25 cmd.exe 1 18->25         started        file8 signatures9 process10 signatures11 116 Uses ping.exe to sleep 25->116 118 Drops PE files with a suspicious file extension 25->118 120 Uses ping.exe to check the status of other devices and networks 25->120 122 Writes many files with high entropy 25->122 28 JECBGCFHCF.exe 37 25->28         started        32 conhost.exe 25->32         started        process12 file13 74 C:\Users\user\AppData\Local\...74avigator, COM 28->74 dropped 76 C:\Users\user\AppData\Local\Microsoft\...\Und, data 28->76 dropped 78 C:\Users\user\AppData\Local\...\Transcription, data 28->78 dropped 80 16 other malicious files 28->80 dropped 132 Writes many files with high entropy 28->132 34 cmd.exe 2 28->34         started        signatures14 process15 file16 56 C:\Users\user\AppData\Local\...\Reality.pif, PE32 34->56 dropped 100 Uses ping.exe to sleep 34->100 38 Reality.pif 4 34->38         started        42 PING.EXE 1 34->42         started        45 cmd.exe 2 34->45         started        47 7 other processes 34->47 signatures17 process18 dnsIp19 66 C:\Users\user\AppData\...\CyberCrafter.pif, PE32 38->66 dropped 68 C:\Users\user\AppData\Local\...\p, data 38->68 dropped 70 C:\Users\user\AppData\...\CyberCrafter.js, ASCII 38->70 dropped 110 Machine Learning detection for dropped file 38->110 112 Drops PE files with a suspicious file extension 38->112 114 Writes many files with high entropy 38->114 49 cmd.exe 2 38->49         started        90 127.0.0.1 unknown unknown 42->90 72 C:\Users\user\AppData\Local\Microsoft\...\d, data 45->72 dropped file20 signatures21 process22 file23 54 C:\Users\user\AppData\...\CyberCrafter.url, MS 49->54 dropped 52 conhost.exe 49->52         started        process24
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4f806da85a44aa81dcf77305bbcfdaa692a13baae6cb44af778b8f9bc0edb0ba
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4f806da85a44aa81dcf77305bbcfdaa692a13baae6cb44af778b8f9bc0edb0ba/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-04-21 20:31:06 UTC
File Type:
PE+ (Exe)
Extracted files:
20
AV detection:
11 of 24 (45.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j6ag3kc2isvidxhxomc3xt62u2jkco5k43fujl3xrohzxqhnwc5a._file
Verdict:
malicious
Similar samples:
06724c588f5b9381effa96ca72ae6c136b6ec64ae1e898942d34142e40078bab
Stealc
3a67f1634416de1483327e8cfe38c456f6891512433f5128df07444e44b886cd
Stealc
3fe3d1dde71fcd12d4f23149c19255df9571bf3b5db5e221d9be7e8657e1aa35
Stealc
4a9bb0feaee9d40d5317a49232e10d518e680b7b8cc57009a19a8800bb27e9c4
Stealc
53e129e6b4bf741766737bbe3c9e12070388943c2649b9a829af75eefae79247
Stealc
58e2f786321d58631386654265c8fc5298e1e396c219a424de57a3623b4bd994
Stealc
81adbb94cf5758852ad9d3e7ba4d958b1943715c3837074c7fcaeeee22aadb7b
Stealc
90e38d684c63fee4e5d7bdd16c4409022bf9edfc7cf266b9e49936962ce37b03
Stealc
a6544621e2269b086855e399b0cb58f830ffaa613e0afc563e8f7e72d3087011
Stealc
a8eed563dfc4c42a1f4aae628df948566bceda3aa3297eb61647156a52737e6f
Stealc
+ 725 additional samples on MalwareBazaar
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:stealc spyware stealer
Link:
https://tria.ge/reports/240421-zapseabd31/
Behaviour
Checks processor information in registry
Enumerates processes with tasklist
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Stealc
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
http://89.105.201.188
Unpacked files
SH256 hash:
4f806da85a44aa81dcf77305bbcfdaa692a13baae6cb44af778b8f9bc0edb0ba
MD5 hash:
0df32dc06820fa65121d50db20760c8d
SHA1 hash:
406d68e061e551eeec4df8ce6358c306110c3263
Link:
https://www.unpac.me/results/d42823a6-dd4d-4b58-a72f-bd63e93c08f4/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4f806da85a44/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:detect_Mars_Stealer
Create hunting rule
Author:@malgamy12
Description:detect_Mars_Stealer
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_duffcopy_amd64
Create hunting rule
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of MFA browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:malware_Stealc_str
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:Stealc infostealer
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Trojan_Stealc_b8ab9ab5
Create hunting rule
Author:Elastic Security
Rule name:win_stealc_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.stealc.
Rule name:yara_template
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe 4f806da85a44aa81dcf77305bbcfdaa692a13baae6cb44af778b8f9bc0edb0ba

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::OpenProcess
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetConsoleCtrlHandler
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA
KERNEL32.dll::GetSystemDirectoryA

Comments