MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 523cd90154c376b7f6953f1e825eb467b231b3fffe30ab321c1a69da22cb1148. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Stealc


Vendor detections: 14



SHA256 hash: 523cd90154c376b7f6953f1e825eb467b231b3fffe30ab321c1a69da22cb1148
SHA3-384 hash: ed6d277b50ab3218017f09250ad337efe6b12ad06ee857f2ace5ac9ff17ff846bd63e5be34b1ddfff4131b26ec13b7d1
SHA1 hash: c1b1ec6b5e78fcaff4290bff55ae86ee8816f715
MD5 hash: e6dd6a25125edd4c21fe5cf7bafcd2bb
humanhash: timing-fourteen-neptune-angel
File name: e6dd6a25125edd4c21fe5cf7bafcd2bb.exe
Signature Stealc
File size: 1'210'490 bytes
First seen: 2024-10-08 01:50:41 UTC
Last seen: 2024-10-08 02:21:29 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 24576:5ACy4Y4Q1jqxeColSZkrmiZM/z+KpN/6xwA1u3l5y98IOyxa/VvEW:iF7NeY34+iNyxwg2vy9DOyWj
TLSH T1BF452332D6D452FFC87089B9227B14625FEA743CC864C657E3C4E39DB431EA0A50A76B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 8ec7830b0f8e0d8a (1 x Stealc)
Reporter abuse_ch
Tags: exe Stealc


abuse_ch
Stealc C2:
http://62.204.41.150/edd20096ecef326d.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://62.204.41.150/edd20096ecef326d.php
ThreatFox Reference: https://threatfox.abuse.ch/ioc/1334498/

Intelligence


File Origin
# of uploads: 2
# of downloads: 385
Origin country: NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e6dd6a25125edd4c21fe5cf7bafcd2bb.exe
Verdict:
Malicious activity
Analysis date:
2024-10-08 01:53:38 UTC
Tags:
stealer stealc loader autoit-loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
Powershell Autoit Emotet
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
installer lolbin microsoft_visual_cc overlay packed shell32
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
AI detected suspicious sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files with a suspicious file extension
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Searches for specific processes (likely to inject)
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
Behaviour
Behavior Graph:
Behavior Graph ID: 1528594
Sample: M13W1o3scc.exe
Start date: 08/10/2024
Architecture: WINDOWS
Score: 100

Sample-level network/signatures:
  Domains: OrCgYwgbqLzMaeWAfOkOCMa.OrCgYwgbqLzMaeWAfOkOCMa, post-to-me.com
  Signatures: Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Found malware configuration; 10 other signatures

Process tree:
  M13W1o3scc.exe (started)
    cmd.exe (started)
      Dropped: C:\Users\user\AppData\Local\...\Welding.pif, PE32
      Signatures: Drops PE files with a suspicious file extension
      Welding.pif (started)
        Signatures: Multi AV Scanner detection for dropped file; Injects a PE file into a foreign processes
        Welding.pif (started)
          Network: 176.113.115.37, ports 60061, 80, SELECTELRU, Russian Federation
          Network: post-to-me.com (172.67.179.207), ports 443, 60060, CLOUDFLARENETUS, United States
          Dropped: C:\Users\user\AppData\Local\...\478F.tmp.exe, PE32
          Dropped: C:\Users\user\...\ScreenUpdateSync[1].exe, PE32
          478F.tmp.exe (started)
            Network: 62.204.41.150, ports 60062, 80, TNNET-ASTNNetOyMainnetworkFI, United Kingdom
            Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 4 other signatures
            WerFault.exe (started)
      cmd.exe (started)
      conhost.exe (started)
      7 other processes (started)
Threat name:
Win32.Trojan.Generic
Status:
Suspicious
First seen:
2024-10-08 01:51:06 UTC
File Type:
PE (Exe)
Extracted files:
13
AV detection:
13 of 38 (34.21%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:stealc botnet:default6_cap discovery execution stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Stealc
Malware Config
C2 Extraction:
http://62.204.41.150
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Unpacked files
SHA256 hash:
a92031c3f754070e8bca0a769b0c68828ad892aea84e79ea0c5309fc83a2bb0b
MD5 hash:
8dbba0d76f33bfe16abc6c9289329a79
SHA1 hash:
1d04f42c4e79d7af48e478c58c20ac4f610ba83a
Detections:
AutoIT_Compiled
Parent samples :
464e16f6d92d3c9eddeef69f7b1416fefb97817732155fe3549f37986d26fc44
bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295
8febc589fc4de7b009d3e406fddba66e389d5544bc5fad44d03f712ebf6c2bfa
de28cb5b2edea76c01a92ea416b5340c63c7c43aafc2ca0b9b4dafc6b9e51cbb
1ef7ccb345b2132b8e1a38bdef87dd47a0a0588603703ee63a201a9a8b5ba51d
e6db7d34b498982601b2c45ac5b2a1c1b9502e502514ccffae9862f2aa719f42
bf554462c091219488a1a53fff22213df8d9530fa6ff0f59033b0c9ee9173555
7b217c20a30ab1bdc4534f4adb62df226d128ec4d03c0eb2feb5ab35d2b7dc9f
92a24e160937ec00bd6a8e855cd55b9329760131c1412f35b18c92aacc299883
b7763f18a43e9727036d685576fe102901f45fd1b9407395bbc10966a9811d25
d480b6efcf1ccdc3a7cf4c1d22839e27e9701758b19c0a197b049b66bdcfe870
07d538c1cab4f197f08f0d1811a2e3538e373659e25bc08d129fe4caf631048a
049eaf34a048a80c4bdac29dbe453169f2b0927caec3e397c1b9eff016b9b415
0b3e1e30dae8e83d9e3832c6cb382dcfce5634a3f0d1610c575d890db11c77c7
3ec49e14a495f9bdafb8944db9125c0e8f7f4258c285962df393c8918b0665dd
f5dbb1b4280665ed5d85392c1f7050e4c15764ab222ccc2fbb63b0dcd7846507
b6c12a25d818dde41b6b677104f2f3de495a8175af811b5a71fc91e43c12c3fc
4c05c9ade0f5fa4dda9a53c74f8bc41c3ab59d29203dc11c2f5cc99a5dbf7df1
e5e142eea2e5369d6ddef616cd7acf6816ae9e194a77c00214be8575b983dc2f
891306bc14e8d196e6f229dfe9d713bb1e81af30efe5ea786672648cbe6fd032
69f1a8cbd899c9d340e4543d18fd75f5d2fdaaf1441b6c0c39b1ec2308408162
df4acc3856a25841fd14f01346473c85f5bc578d33daa488f78a59ca5649bef6
d5526528363ceeb718d30bc669038759c4cd80a1d3e9c8c661b12b261dcc9e29
4c26dd1754f1bd8da1c39bc2c7721d5bccbd6403d56f0370c53ee4d518167874
c37ae928bbfd115a32dbf0060e1a2d191a06cab66c7251796f1fb7212fc8c8ff
db1f9839eadfd7dc8c75c497af90215be8559501b4122a17218c59429833154c
0213e39792ac0c5b66491f90c4b0fc4afdd84f40944922cab8a3bcdb1cf88cfc
6f2c63f929acd8918c8f21f6141d1b13ca35a2b291d2d8d66771c80f481aea49
08f30ece5f7e77a69e58a970b3684c2a0eba1aa203ac97836dad32fc10a15e90
1c2ec4c72c2f31a327b6ba4dfe27a607d311578e25d96cf34c54845eea986f36
913c27a9d6e08e37f8fee60c6d5f424d8e220c930071baea68390aaa028ebc72
88f8b8834398bc8a18142466e963d14d08898c94aeef62f20209050fb08e7f1d
b8ed5a17150da2a420cc39505357223261437d4e99ce94599a7ffdbbfe71e6cf
c234e9cdff26c9f27b6c6365ffa668fdf4dfdb415694f3a4ab21f50dc3db0fac
48ac733e00c61226d506c26f12f6fdec6b67f3dd0a9f3a5dc6720c4096f8c0c8
35b325cf352fc1c4641f90fcc28bda81a4fa020334ba6d1fb71d06cbfc3ddf57
9ea5419cef3eba4b55697a827fa26e74e6fcc5fa4ff013cc97086d5e9e2d3f50
cbe9ac361320c689ea74990eb5b752c63b9bfec9deeb09ce7cfaaafb6baf41ef
d0e75a424812f8b899626795c8b929c40fdcbf09a0b7445d159f82256b896acf
2c9896b3eac1e686a331d810308ef7d7e4f131b764ec1c7c9d1205a79d00073f
2808948b635ccf20d4bf679457e45bfe21a783ec99e095e55382bede47f6579f
1d50b6e42d9edb6d7ee41781f32972349ecc4ec2eaaef4692e994c858fb8551d
fe4f289171283f597e3bf13a4cc5d2eff0f8606b4afa4db31e2c2ec63842590f
e770d2f423513285e4f7f92dafff648c3ccc9a3623e6134edcd03ac79858d1c8
8ffc2aa27b84ed0736d57be8b45dcc56c817d404b8c4904e795dc51861d281f4
72c40603279789c395054781be9ae0b153ca29ebe3c2f9ff0cb609a603b5c545
a6da6ca04ee56f1e10dc25c07f938300fff7b3c1b50abe925b5f2b10b084216b
22fbefa1416f9ccc38791ac6198123e206f4e5b40590fe928f2a4148542c500c
beb7a3127427fa0560207cdb0becfebb2ed1c6d8dad335d3b3266ec741cdd495
8cbbab0078ffa7583aac63129650635a102ceb458dbc0bddf59758a04bfd5fe2
85104c53c0061dd183981df87ad8744c85d8c8c6f044698a1ed98705edaf4117
d731d91b237184f6dee0cfad065acb770ef904a70b4ca7a625f85d0a474a1714
e84f3f36aa22f8b7f7399ce57c68014ea23140e88755516db02b5e056d18dad6
523cd90154c376b7f6953f1e825eb467b231b3fffe30ab321c1a69da22cb1148
5afd5d949b10aa25737aeaf454ae3ad441311a50d0e8aace71ebec8ffe7118cf
986efaa8bb0469535ddac90dbe8cd3e7cd710e9570e7ff2edda7f82b893baa79
9817f4d8bc1374f102196cfcb8a351abdc0563dea60f6084a7525e5ee5409b6d
c5c3401f71f4361ed454bbd96ea7cdd8a9132a655815e35e207dfff0ea690469
bc37b8380183870ec6acd56886f3ef4537bf63c71935a094307875e03b0d2bb5
613a067be7f86864c48431c6fe36e2cba8ccec593df598f5e3720e283e280a56
94b4b5b599c81c62f2ea6c44530f0058cf7e42c11ab9b6f16fd78bdfe5a5f44c
065a1a3575aac28ccb77e4d00b18907aab16f8432913425ffcde44abf24ef840
81d6f774c002106258af4350818c9c3687185584c59e1a797b4019bd462a086c
e407bd010e2e640169a2812066864cd837b10506f01316dc2cada9ba64d99428
931a185152c1d316cd2b65998aee88d4f64f4acbe59df3efabb0ff968fa6c993
8ae2402f1925ee78bdf48ce3cf3e7eebecaaf26c4a45ccc105d6beb735657f31
f34dd7ec6030b1879d60faa8705fa1668adc210ddd52bcb2b0c2406606c5bccf
c26ce02368f7e800361b6174fb471e5499347e4205b354011908bff9409d2e1e
19c683016b8171a4bdb6c987b2045307289656d2c555d08f14ef6c342dca0ea0
7a2c1437ed5ff19adf078f17881fc836a4b08d3eaaff243d5ca77577f5880169
8b2070fb57b6077848ffcbf2bc39f22e417efe372214d339dfc9460f1ecde920
a4e0fd3483e26b4c0dfda5b2c1cb89571e06a8162e88b8a47a810a4b38934b1f
c263ebdc90fdb0a75d6570f178156c0ba665ac9f846b8172d7835733e5c3de59
bdc7b917477bb49af7a5b06e5d9ed20e08fed25944f297a6b36a50d03d8a5777
a9157bff7034c95796152201796c6f97530e27277429af9ff350ac554bd37939
4d2c2b9bf545415c67feb1dc50f92f629525994b9be6eb65648b16e1694ce864
8d23f5cb10165d0de3300234c684d134b0bded5edcd5f4522dda62b367993080
7305c4bb03ec5c017a4297e7e47d7749e56ca5bb56d3d5399a37cd0ae6b3bfd0
b0aa434206748ac51fa00eaa0269239eee1ee17d47fb862952ac9e13c3cee364
9b0021640b636a39ab43bfff88e5dca26161e8cd4da26596f0c3068fb7659642
47cad489ed7b741695a2d2a3c14350078867de45368c94188343c9fb4d79980f
9c46859695bed9bd827e2292e634c39e2982f40d9be6b170d185ae154a1a6a5f
ad123b1589cb2c726de8da9af56ec2dacc22518cda285dc3c014c65c4d405a1d
06363ca6381d7c68f453b58f0566966caa9169c25dea626cfcb7001a3dd7bc5f
b63bf28780e02bf0bb1bb59dec135e6263f4c582724c95eee0519b279022f31c
b376d8b2108027a42534314eb5d82a70b06984c7dca8e91df66d00f5c6e91f20
SHA256 hash:
523cd90154c376b7f6953f1e825eb467b231b3fffe30ab321c1a69da22cb1148
MD5 hash:
e6dd6a25125edd4c21fe5cf7bafcd2bb
SHA1 hash:
c1b1ec6b5e78fcaff4290bff55ae86ee8816f715
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Stealc
File type: Executable exe
SHA256: 523cd90154c376b7f6953f1e825eb467b231b3fffe30ab321c1a69da22cb1148 (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                          Title                                                    Severity
CHECK_AUTHENTICODE          Missing Authenticode                                     high
CHECK_DLL_CHARACTERISTICS   Missing dll Security Characteristics (HIGH_ENTROPY_VA)   high
Reviews
ID                  Capabilities                         Evidence
COM_BASE_API        Can Download & Execute components    ole32.dll::CoCreateInstance
SHELL_API           Manipulates System Shell             SHELL32.dll::ShellExecuteW
                                                         SHELL32.dll::SHFileOperationW
                                                         SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API   Can Create Process and Threads       KERNEL32.dll::CreateProcessW
                                                         KERNEL32.dll::OpenProcess
                                                         KERNEL32.dll::CloseHandle
                                                         KERNEL32.dll::CreateThread
WIN_BASE_API        Uses Win Base API                    KERNEL32.dll::LoadLibraryW
                                                         KERNEL32.dll::LoadLibraryA
                                                         KERNEL32.dll::LoadLibraryExW
                                                         KERNEL32.dll::GetDiskFreeSpaceW
                                                         KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_API     Can Create Files                     KERNEL32.dll::CopyFileW
                                                         KERNEL32.dll::CreateDirectoryW
                                                         KERNEL32.dll::CreateFileW
                                                         KERNEL32.dll::DeleteFileW
                                                         KERNEL32.dll::MoveFileW
                                                         KERNEL32.dll::GetWindowsDirectoryW
WIN_REG_API         Can Manipulate Windows Registry      ADVAPI32.dll::RegCreateKeyExW
                                                         ADVAPI32.dll::RegDeleteKeyW
                                                         ADVAPI32.dll::RegOpenKeyExW
                                                         ADVAPI32.dll::RegQueryValueExW
                                                         ADVAPI32.dll::RegSetValueExW
WIN_USER_API        Performs GUI Actions                 USER32.dll::AppendMenuW
                                                         USER32.dll::EmptyClipboard
                                                         USER32.dll::FindWindowExW
                                                         USER32.dll::OpenClipboard
                                                         USER32.dll::PeekMessageW
                                                         USER32.dll::CreateWindowExW

Comments