MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 50825b3dcf4e1bb958dfd1c2e49cc394f3a508f214ddce67bc111c40eed157e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 11

SHA256 hash: 50825b3dcf4e1bb958dfd1c2e49cc394f3a508f214ddce67bc111c40eed157e4
SHA3-384 hash: a7a1485ae730d96f05e321c3871f70a30d72f12ccfc6aa8bc66a8824934d85155253a315efffedfba0fb357c2bc99c97
SHA1 hash: ea3b64273b25e15a5ba2b90994d2d19ac7661d4b
MD5 hash: dd96157fc6c122c211960030b5d21852
humanhash: nebraska-robin-social-louisiana
File name: Roopsai.exe
Signature: Stealc
File size: 17'387'640 bytes
First seen: 2023-10-09 05:14:15 UTC
Last seen: 2023-10-09 05:38:31 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 6011984d7c1f1b97a34d7517a498bff8 (8 x RedLineStealer, 5 x STRRAT, 3 x LummaStealer)
ssdeep 393216:tXcgHzA3BduqIv34puhlHC1wXs+acJYlTF:tXc6A33IGuhlHlX/iTF
Threatray 68 similar samples on MalwareBazaar
TLSH T1B4072273F1DA2471F9331A36B8A25432393E088CE08729A929B49BD7F572D4C4F4B795
TrID 36.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
19.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.4% (.EXE) Win64 Executable (generic) (10523/12/4)
7.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
5.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon 0038a0cc8e8ef6e2 (1 x PovertyStealer, 1 x Stealc)
Reporter Reverse
Tags: exe, Stealc

Intelligence


File Origin
# of uploads: 2
# of downloads: 326
Origin country: RO
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Launching a process
Creating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% directory
Running batch commands
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Unauthorized injection to a recently created process
Adding an exclusion to Microsoft Defender
Gathering data
Result
Verdict: MALICIOUS
Result
Threat name: Stealc, Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
DLL side loading technique detected
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 1321927
Sample: Roopsai.exe
Start date: 09/10/2023
Architecture: WINDOWS
Score: 100

Process tree (node numbers are the graph's own; "started" lists child processes):
  2 (sample root)
      DNS: 242.116.3.0.in-addr.arpa
      Signatures: Found malware configuration; Antivirus detection for URL or domain; Yara detected Stealc; 6 other signatures
      started 11 explorer.exe, 13 Roopsai.exe
  11 explorer.exe
      started 15 majormathematicspro.exe
  13 Roopsai.exe
      started 19 javaw.exe
  15 majormathematicspro.exe
      dropped C:\Users\user\...\majormathematiics.exe (PE32); C:\Users\user\...\majormathematics.exe (PE32+)
      Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
      started 22 majormathematiics.exe, 25 majormathematics.exe
  19 javaw.exe
      network: 77.105.140.191 (ports 49713, 49715, 49718) PLUSTELECOM-ASRU, Russian Federation
      dropped C:\Users\user\...\majormathematicspro.exe (PE32+)
      started 27 cmd.exe, 29 icacls.exe, 31 explorer.exe
  22 majormathematiics.exe
      Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      started 33 majormathematiics.exe, 38 majormathematiics.exe, 40 majormathematiics.exe, 2 other processes
  25 majormathematics.exe
      Signatures: Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes
      started 42 InstallUtil.exe
  27 cmd.exe
      Signatures: Bypasses PowerShell execution policy; Adds a directory exclusion to Windows Defender
      started 44 powershell.exe, 46 conhost.exe
  29 icacls.exe
      started 48 conhost.exe
  33 majormathematiics.exe
      network: 95.216.187.218 (ports 49717, 80) HETZNER-ASDE, Germany
      dropped C:\Users\user\AppData\...\softokn3[1].dll (PE32); C:\Users\user\AppData\Local\...\nss3[1].dll (PE32); C:\Users\user\AppData\...\mozglue[1].dll (PE32); 9 other files (5 malicious)
      Signatures: Tries to steal Mail credentials (via file / registry access); Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
  42 InstallUtil.exe
      network: 31.222.238.209 GIGALIS-ASFR, unknown
      dropped C:\Users\user\AppData\...\sqlite.interop.dll (PE32+)
      Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); DLL side loading technique detected; Tries to harvest and steal Bitcoin Wallet information
      started 52 powershell.exe
  52 powershell.exe
      started 54 conhost.exe
Threat name: Win32.Adware.RedCap
Status: Malicious
First seen: 2023-10-08 16:54:38 UTC
File Type: PE (Exe)
Extracted files: 3555
AV detection: 11 of 22 (50.00%)
Threat level: 1/5
Result
Malware family: n/a
Score: 4/10
Tags: n/a
Behaviour
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Unpacked files
SHA256 hash: 50825b3dcf4e1bb958dfd1c2e49cc394f3a508f214ddce67bc111c40eed157e4
MD5 hash: dd96157fc6c122c211960030b5d21852
SHA1 hash: ea3b64273b25e15a5ba2b90994d2d19ac7661d4b
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MinGWGCC3x
Author: malware-lu
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Stealc
File: Executable exe 50825b3dcf4e1bb958dfd1c2e49cc394f3a508f214ddce67bc111c40eed157e4 (this sample)

Comments