MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 525a892469b4c88bf26e584ecf9a57c1f76aa9dd8e14d3a6840b73f59dbc5cf8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Stealc
Vendor detections: 15
| SHA256 hash: | 525a892469b4c88bf26e584ecf9a57c1f76aa9dd8e14d3a6840b73f59dbc5cf8 |
|---|---|
| SHA3-384 hash: | d7185c0172207207e0235e3be256c3037375db3b44a16925a7c4c0c38e382c5d6d88ed0818a9e9a058551907dc7d112d |
| SHA1 hash: | 78378356bd87ca67da61826074c5737c09c197d3 |
| MD5 hash: | 1b1c6f48b7c91a48a0dcd736ed0c8d24 |
| humanhash: | eight-floor-apart-mirror |
| File name: | 1b1c6f48b7c91a48a0dcd736ed0c8d24 |
| Download: | download sample |
| Signature | Stealc |
| File size: | 378'368 bytes |
| First seen: | 2024-07-24 13:44:24 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 42eb2b50acad70f9618962bfa70c7f34 (1 x Stealc, 1 x LummaStealer) |
| ssdeep | 6144:w6GI/F3uwuhDo72LiYp4yH1j10sMJ45YZaZzzL3j7/YHYsI/VBnn0:w6tpBuy+H12JuZH7fw4sm |
| TLSH | T1CD84D011B4C0C073D67325350DF4DBB9AA7EBA604FA69E9FB7980B6E0F30181D625A17 |
| TrID | 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1) |
| Reporter |  zbetcheckin |
| Tags: | 32 exe Stealc |
Intelligence
File Origin
# of uploads :
1
# of downloads :
323
Origin country :
FRVendor Threat Intelligence
Detection(s):
Verdict:
Malicious
Score:
96.5%
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:
Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Connection attempt to an infection source
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
epmicrosoft_visual_cc fingerprint microsoft_visual_cc packed
Verdict:
Malicious
Labled as:
Malware
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Result
Threat name:
Stealc, Vidar
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Score:
100%
Verdict:
Malware
File Type:
PE
Threat name:
Win32.Trojan.Stealerc
Status:
Malicious
First seen:
2024-07-24 09:14:14 UTC
File Type:
PE (Exe)
AV detection:
23 of 24 (95.83%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Result
Malware family:
stealc
Score:
10/10
Tags:
family:stealc botnet:qll credential_access discovery spyware stealer
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Downloads MZ/PE file
Credentials from Password Stores: Credentials from Web Browsers
Stealc
Malware Config
C2 Extraction:
http://85.28.47.70
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Unpacked files
SH256 hash:
3dd466806d4bf6e5c445a159c4a313a13a2a11621e253c84340305f8ab12fab8
MD5 hash:
f1ff36230f36d7292b279a3e1dd624f4
SHA1 hash:
2d9b1e903f5fca94e110a69a92c09a1e605bc4bf
Detections:
stealc
Parent samples :
6b19c935d0afd202d7424d7cb7e355e4c04645721176eae6e5814b7760dca5a0
6565ab8e7be0d3e8544a49cb90e79715df0120d03c187ba9443ab738ca4dca28
525a892469b4c88bf26e584ecf9a57c1f76aa9dd8e14d3a6840b73f59dbc5cf8
d695267de534c2c99ec2823acc193fdbec9f398b0f78155ae2b982457ff631aa
46a8a9d9c639503a3c8c9654c18917a9cedbed9c93babd14ef14c1e25282c0d5
6565ab8e7be0d3e8544a49cb90e79715df0120d03c187ba9443ab738ca4dca28
525a892469b4c88bf26e584ecf9a57c1f76aa9dd8e14d3a6840b73f59dbc5cf8
d695267de534c2c99ec2823acc193fdbec9f398b0f78155ae2b982457ff631aa
46a8a9d9c639503a3c8c9654c18917a9cedbed9c93babd14ef14c1e25282c0d5
SH256 hash:
525a892469b4c88bf26e584ecf9a57c1f76aa9dd8e14d3a6840b73f59dbc5cf8
MD5 hash:
1b1c6f48b7c91a48a0dcd736ed0c8d24
SHA1 hash:
78378356bd87ca67da61826074c5737c09c197d3
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | cobalt_strike_tmp01925d3f |
|---|---|
| Author: | The DFIR Report |
| Description: | files - file ~tmp01925d3f.exe |
| Reference: | https://thedfirreport.com |
| Rule name: | DebuggerCheck__API |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | maldoc_find_kernel32_base_method_1 |
|---|---|
| Author: | Didier Stevens (https://DidierStevens.com) |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
Delivery method
Distributed via web download
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high |
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::VirtualAllocEx KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread KERNEL32.dll::CreateThreadpoolWork |
| WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineA KERNEL32.dll::GetCommandLineW |
| WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::WriteConsoleW KERNEL32.dll::FreeConsole KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleOutputCP KERNEL32.dll::GetConsoleMode |
| WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateFileW |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.url : hxxp://185.196.10.57/selectex-file-host/54gtxx.exe