MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51d8d1c7a0b2aa618b476ff090fe95509c96241a0a7bbfe04663b24c1e89c6f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 51d8d1c7a0b2aa618b476ff090fe95509c96241a0a7bbfe04663b24c1e89c6f3
SHA3-384 hash: b061f1dc1b193f30641da1cb68a685716cd1e8cbe4435c0faf03f05a00e3299d5bdb1f5ad02a200f05b06408c65c2a23
SHA1 hash: 05265338cd2bb8170a0411b8c42f45515012da83
MD5 hash: 1ce6ab95b8ff2ec3eb81d2293a98a15c
humanhash: fish-wisconsin-bravo-lima
File name:file
Download: download sample
Signature Stealc
Create hunting rule
File size:1'304'360 bytes
First seen:2023-12-09 02:37:25 UTC
Last seen:2023-12-09 18:24:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:sIemImBSCuI2bFTWuL87Etqq6vOSpd57vwvN4j6Ii3Vke38:sIhCR/87jd57v243akJ
TLSH T15C55F13849C85F63C37542728F98104EAFA090433619DE66BD993FCA4ED2BF20956E5F
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter andretavare5
Tags:exe signed Stealc

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2023-12-09T00:55:19Z
Valid to:2024-12-09T00:55:19Z
Serial number: cb2073c849f53b775d32bd608be01b64
Thumbprint Algorithm:SHA256
Thumbprint: b031ad951cc7634e1f2562a00e211fe22bdce85f3b0d35c4881d05f6ad250240
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from http://15.204.49.148/files/Installsetup2.exe

Intelligence

File Origin
# of uploads :
35
# of downloads :
332
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/463846/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.23615.26200.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a process from a recently created file
Creating a file in the %temp% directory
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Launching the default Windows debugger (dwwin.exe)
Blocking the User Account Control
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/6573d30b3f60a810348cb1d6/reports/64ed586a-4ea5-439e-b668-a1153d8f731b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/51d8d1c7a0b2aa618b476ff090fe95509c96241a0a7bbfe04663b24c1e89c6f3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Upgdsed
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0a167c57-c00f-41cd-9f6b-a6aadd11d7ba
Result
Threat name:
Glupteba, RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
rans.troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1356725
Signature
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables UAC (registry)
Drops script or batch files to the startup folder
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Modifies Windows Defender protection settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Schedule system process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1356725 Sample: file.exe Startdate: 09/12/2023 Architecture: WINDOWS Score: 100 168 Multi AV Scanner detection for domain / URL 2->168 170 Malicious sample detected (through community Yara rule) 2->170 172 Antivirus detection for URL or domain 2->172 174 14 other signatures 2->174 12 file.exe 2 4 2->12         started        process3 signatures4 182 Writes to foreign memory regions 12->182 184 Allocates memory in foreign processes 12->184 186 Adds extensions / path to Windows Defender exclusion list (Registry) 12->186 188 3 other signatures 12->188 15 InstallUtil.exe 15 273 12->15         started        20 powershell.exe 22 12->20         started        22 CasPol.exe 12->22         started        24 AddInProcess32.exe 12->24         started        process5 dnsIp6 154 194.104.136.64 SMEERBOEL-ASSMEERBOELBVNL Netherlands 15->154 156 5.42.65.57 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 15->156 158 9 other IPs or domains 15->158 94 C:\Users\...\zfkH6JkE1vMbuXCqWQGAxLqk.exe, PE32 15->94 dropped 96 C:\Users\...\zeBpNRxs4ae1EfL4rsmTevgk.exe, PE32 15->96 dropped 98 C:\Users\...\zaZBLEp5cUzHrGOS8rQsRaPM.exe, PE32 15->98 dropped 100 234 other malicious files 15->100 dropped 162 Drops script or batch files to the startup folder 15->162 164 Creates HTML files with .exe extension (expired dropper behavior) 15->164 166 Writes many files with high entropy 15->166 26 x81wC21cX2ENBxjX9jknuTZZ.exe 15->26         started        31 7n16FYH7R5pKcr87CbVvYoZO.exe 15->31         started        33 K5H4bN5BUPxKjbAdt9xy99KH.exe 15->33         started        37 10 other processes 15->37 35 conhost.exe 20->35         started        file7 signatures8 process9 dnsIp10 142 107.167.110.218 OPERASOFTWAREUS United States 26->142 144 107.167.125.189 OPERASOFTWAREUS United States 26->144 150 5 other IPs or domains 26->150 122 Opera_installer_2312090239010757552.dll, PE32 26->122 dropped 124 C:\Users\...\x81wC21cX2ENBxjX9jknuTZZ.exe, PE32 26->124 dropped 136 5 other malicious files 26->136 dropped 190 Writes many files with high entropy 26->190 39 x81wC21cX2ENBxjX9jknuTZZ.exe 26->39         started        42 x81wC21cX2ENBxjX9jknuTZZ.exe 26->42         started        44 x81wC21cX2ENBxjX9jknuTZZ.exe 26->44         started        126 C:\Users\user\AppData\Local\...\Install.exe, PE32 31->126 dropped 128 C:\Users\user\AppData\Local\...\config.txt, data 31->128 dropped 46 Install.exe 31->46         started        192 Contains functionality to inject code into remote processes 33->192 194 Writes to foreign memory regions 33->194 196 Allocates memory in foreign processes 33->196 198 Injects a PE file into a foreign processes 33->198 48 AppLaunch.exe 33->48         started        146 104.237.62.212 WEBNXUS United States 37->146 148 64.185.227.156 WEBNXUS United States 37->148 152 4 other IPs or domains 37->152 130 C:\Users\user\AppData\...\nssDF53.tmp.exe, PE32 37->130 dropped 132 C:\Users\user\AppData\Local\...\INetC.dll, PE32 37->132 dropped 134 C:\Users\user\AppData\...\nsmF7FB.tmp.exe, PE32 37->134 dropped 138 17 other malicious files 37->138 dropped 200 Detected unpacking (changes PE section rights) 37->200 202 Detected unpacking (overwrites its own PE header) 37->202 204 Found Tor onion address 37->204 206 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 37->206 50 powershell.exe 37->50         started        52 Broom.exe 37->52         started        54 Broom.exe 37->54         started        56 2 other processes 37->56 file11 signatures12 process13 file14 102 Opera_installer_2312090239029627792.dll, PE32 39->102 dropped 104 C:\Users\user\AppData\...\win8_importing.dll, PE32+ 39->104 dropped 106 C:\Users\user\...\win10_share_handler.dll, PE32+ 39->106 dropped 114 21 other malicious files 39->114 dropped 58 x81wC21cX2ENBxjX9jknuTZZ.exe 39->58         started        108 Opera_installer_2312090239015977612.dll, PE32 42->108 dropped 110 Opera_installer_2312090239021547728.dll, PE32 44->110 dropped 112 C:\Users\user\AppData\Local\...\Install.exe, PE32 46->112 dropped 61 Install.exe 46->61         started        64 dialer.exe 48->64         started        67 WerFault.exe 48->67         started        69 WerFault.exe 48->69         started        71 conhost.exe 50->71         started        process15 dnsIp16 116 Opera_installer_2312090239034737880.dll, PE32 58->116 dropped 118 C:\Users\user\AppData\Local\...\UtonuVb.exe, PE32 61->118 dropped 120 C:\Windows\System32behaviorgraphroupPolicy\gpt.ini, ASCII 61->120 dropped 208 Uses schtasks.exe or at.exe to add and modify task schedules 61->208 210 Modifies Windows Defender protection settings 61->210 212 Adds extensions / path to Windows Defender exclusion list 61->212 214 Modifies Group Policy settings 61->214 73 forfiles.exe 61->73         started        76 forfiles.exe 61->76         started        78 schtasks.exe 61->78         started        140 193.233.132.5 FREE-NET-ASFREEnetEU Russian Federation 64->140 file17 signatures18 process19 signatures20 176 Modifies Windows Defender protection settings 73->176 178 Adds extensions / path to Windows Defender exclusion list 73->178 80 cmd.exe 73->80         started        83 conhost.exe 73->83         started        85 conhost.exe 76->85         started        87 cmd.exe 76->87         started        process21 signatures22 160 Uses cmd line tools excessively to alter registry or file data 80->160 89 reg.exe 80->89         started        92 reg.exe 80->92         started        process23 signatures24 180 Adds extensions / path to Windows Defender exclusion list (Registry) 89->180
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/51d8d1c7a0b2aa618b476ff090fe95509c96241a0a7bbfe04663b24c1e89c6f3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/51d8d1c7a0b2aa618b476ff090fe95509c96241a0a7bbfe04663b24c1e89c6f3/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-12-09 02:38:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
24
AV detection:
15 of 22 (68.18%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=khmndr5awkvgdc2hn7yjb7uvkcojmja2bj537ycgmozeyhujy3zq._file
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:rhadamanthys family:stealc discovery dropper evasion loader persistence ransomware rootkit spyware stealer trojan upx
Link:
https://tria.ge/reports/231209-c4q61aecbk/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Drops Chrome extension
Drops desktop.ini file(s)
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMon driver.
Manipulates WinMonFS driver.
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
Windows security modification
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Modifies boot configuration data using bcdedit
Glupteba
Glupteba payload
Modifies Windows Defender Real-time Protection settings
Rhadamanthys
Stealc
Suspicious use of NtCreateUserProcessOtherParentProcess
UAC bypass
Windows security bypass
Malware Config
C2 Extraction:
http://77.91.76.36
Unpacked files
SH256 hash:
51d8d1c7a0b2aa618b476ff090fe95509c96241a0a7bbfe04663b24c1e89c6f3
MD5 hash:
1ce6ab95b8ff2ec3eb81d2293a98a15c
SHA1 hash:
05265338cd2bb8170a0411b8c42f45515012da83
Link:
https://www.unpac.me/results/33f7d230-77f9-4eb3-abed-1aab5293decf/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/51d8d1c7a0b2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/51d8d1c7a0b2aa618b476ff090fe95509c96241a0a7bbfe04663b24c1e89c6f3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2738073/
Cape
Cape
https://www.capesandbox.com/analysis/463846/

Comments