MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5405f0714c71e6b015be0b4e8b694e7a659fbea90a8bc50792d824a9c19f9914. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5405f0714c71e6b015be0b4e8b694e7a659fbea90a8bc50792d824a9c19f9914
SHA3-384 hash: 9333ae1355a68069574b8708cbfeac512cc69ee9f63c0ea0c8d5f2ed9ce182d3662a3d79876a9ed76ba6cccc3ca87274
SHA1 hash: cf0792e7f038d8a63ebb71c0d63aa291d959974a
MD5 hash: 84d643d14a2ef991ed448b763d190f31
humanhash: robin-east-pennsylvania-berlin
File name:file
Download: download sample
Signature Stealc
Create hunting rule
File size:1'779'200 bytes
First seen:2024-11-17 17:04:55 UTC
Last seen:2024-11-17 17:05:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:0NVAdl1dtZAdA2KWY6gIiBmeBazNLMUuminctGz0DoOf:0NVulXt94gZQNnum9M0U
TLSH T18A85332FC9B8B87BD82F9532C74B035DBFFC7A2614AD0D369784883475B278595A3844
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter Bitsight
Tags:exe Stealc


Avatar
Bitsight
url: http://185.215.113.16/steam/random.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
425
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-11-17 17:06:41 UTC
Tags:
stealer stealc
Link:
https://app.any.run/tasks/b7014125-a8df-4c4b-99eb-affeea3b2b47

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.27110.2966.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=673a23095107a56eacc70a7a
Tags:
vmdetect autorun autoit lien
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Running batch commands
Creating a process with a hidden window
Launching a process
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/673a224124fa57b2b2400faf/reports/d48a9554-21ca-413b-9eba-2fa7e91cf699/overview
Verdict:
Malicious
Labled as:
Symmi.Generic
Link:
https://www.hybrid-analysis.com/sample/5405f0714c71e6b015be0b4e8b694e7a659fbea90a8bc50792d824a9c19f9914
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/627d68f0-fb7a-4ad6-a4fa-2fa5c9eea3bc
Result
Threat name:
LummaC, Amadey, Credential Flusher, Cryp
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1557177
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected Cryptbot
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1557177 Sample: file.exe Startdate: 17/11/2024 Architecture: WINDOWS Score: 100 114 youtube.com 2->114 116 youtube-ui.l.google.com 2->116 118 30 other IPs or domains 2->118 156 Suricata IDS alerts for network traffic 2->156 158 Found malware configuration 2->158 160 Antivirus detection for dropped file 2->160 162 17 other signatures 2->162 9 skotes.exe 4 30 2->9         started        14 file.exe 36 2->14         started        16 0661edde6c.exe 2->16         started        18 6 other processes 2->18 signatures3 process4 dnsIp5 138 185.215.113.43, 49774, 49788, 80 WHOLESALECONNECTIONSNL Portugal 9->138 140 31.41.244.11, 49794, 80 AEROEXPRESS-ASRU Russian Federation 9->140 84 C:\Users\user\AppData\...\d4ca1e922c.exe, PE32 9->84 dropped 86 C:\Users\user\AppData\...\dcb83bde29.exe, PE32 9->86 dropped 88 C:\Users\user\AppData\...\ddba920805.exe, PE32 9->88 dropped 96 7 other malicious files 9->96 dropped 190 Creates multiple autostart registry keys 9->190 192 Hides threads from debuggers 9->192 194 Tries to detect sandboxes / dynamic malware analysis system (registry check) 9->194 20 0661edde6c.exe 9->20         started        24 d4ca1e922c.exe 9->24         started        26 ddba920805.exe 9->26         started        37 2 other processes 9->37 142 185.215.113.206, 49730, 49747, 80 WHOLESALECONNECTIONSNL Portugal 14->142 144 185.215.113.16, 49759, 80 WHOLESALECONNECTIONSNL Portugal 14->144 146 127.0.0.1 unknown unknown 14->146 90 C:\Users\user\DocumentsBFHJJJDAFB.exe, PE32 14->90 dropped 92 C:\Users\user\AppData\...\softokn3[1].dll, PE32 14->92 dropped 94 C:\Users\user\AppData\Local\...\random[1].exe, PE32 14->94 dropped 98 12 other files (8 malicious) 14->98 dropped 196 Detected unpacking (changes PE section rights) 14->196 198 Attempt to bypass Chrome Application-Bound Encryption 14->198 200 Drops PE files to the document folder of the user 14->200 210 7 other signatures 14->210 28 cmd.exe 1 14->28         started        30 chrome.exe 14->30         started        202 Query firmware table information (likely to detect VMs) 16->202 204 Tries to harvest and steal ftp login credentials 16->204 206 Tries to harvest and steal browser information (history, passwords, etc) 16->206 208 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 18->208 32 firefox.exe 18->32         started        35 firefox.exe 18->35         started        39 5 other processes 18->39 file6 signatures7 process8 dnsIp9 120 cook-rain.sbs 188.114.96.3 CLOUDFLARENETUS European Union 20->120 164 Antivirus detection for dropped file 20->164 166 Multi AV Scanner detection for dropped file 20->166 168 Detected unpacking (changes PE section rights) 20->168 184 3 other signatures 20->184 41 chrome.exe 20->41         started        170 Machine Learning detection for dropped file 24->170 172 Modifies windows update settings 24->172 174 Disables Windows Defender Tamper protection 24->174 186 2 other signatures 24->186 176 Tries to detect sandboxes and other dynamic analysis tools (window names) 26->176 178 Tries to evade debugger and weak emulator (self modifying code) 26->178 180 Hides threads from debuggers 26->180 43 DocumentsBFHJJJDAFB.exe 4 28->43         started        47 conhost.exe 28->47         started        122 192.168.2.4, 443, 49672, 49723 unknown unknown 30->122 124 239.255.255.250 unknown Reserved 30->124 49 chrome.exe 30->49         started        126 youtube.com 172.217.18.14 GOOGLEUS United States 32->126 130 5 other IPs or domains 32->130 82 C:\Users\user\AppData\...\places.sqlite-wal, SQLite 32->82 dropped 56 2 other processes 32->56 52 firefox.exe 35->52         started        128 home.fvtejj5vs.top 37->128 132 3 other IPs or domains 37->132 182 Binary is likely a compiled AutoIt script file 37->182 188 2 other signatures 37->188 54 chrome.exe 37->54         started        58 6 other processes 37->58 60 5 other processes 39->60 file10 signatures11 process12 dnsIp13 62 chrome.exe 41->62         started        100 C:\Users\user\AppData\Local\...\skotes.exe, PE32 43->100 dropped 212 Detected unpacking (changes PE section rights) 43->212 214 Tries to evade debugger and weak emulator (self modifying code) 43->214 216 Tries to detect virtualization through RDTSC time measurements 43->216 218 3 other signatures 43->218 64 skotes.exe 43->64         started        102 play.google.com 142.250.185.174, 443, 49751 GOOGLEUS United States 49->102 104 www.google.com 142.250.186.164, 443, 49734, 49735 GOOGLEUS United States 49->104 112 2 other IPs or domains 49->112 106 push.services.mozilla.com 34.107.243.93 GOOGLEUS United States 52->106 108 telemetry-incoming.r53-2.services.mozilla.com 34.120.208.123 GOOGLEUS United States 52->108 110 prod.remote-settings.prod.webservices.mozgcp.net 34.149.100.209 ATGS-MMD-ASUS United States 52->110 67 firefox.exe 52->67         started        69 firefox.exe 52->69         started        71 chrome.exe 54->71         started        74 conhost.exe 58->74         started        76 conhost.exe 58->76         started        78 conhost.exe 58->78         started        80 2 other processes 58->80 file14 signatures15 process16 dnsIp17 148 Antivirus detection for dropped file 64->148 150 Detected unpacking (changes PE section rights) 64->150 152 Machine Learning detection for dropped file 64->152 154 4 other signatures 64->154 134 142.250.184.228 GOOGLEUS United States 71->134 136 www.google.com 71->136 signatures18
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5405f0714c71e6b015be0b4e8b694e7a659fbea90a8bc50792d824a9c19f9914
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5405f0714c71e6b015be0b4e8b694e7a659fbea90a8bc50792d824a9c19f9914/
Threat name:
Win32.Spyware.Stealc
Create hunting rule
Status:
Malicious
First seen:
2024-11-17 17:05:05 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
19 of 24 (79.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kqc7a4kmohtlafn6bnhiw2kopjsz7pvjbkf4kb4s3asktqm7teka._file
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery evasion
Link:
https://tria.ge/reports/241117-vlthhsypap/
Behaviour
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/243c5f86-5b75-4f93-92d0-5ba67036e5fc
Unpacked files
SH256 hash:
2ea1d92c6d7000529e9feb1e62b1efe75dd5ed422a26f6418b699cc31938a896
MD5 hash:
1a61c6bfb165607403dfd1da806a91af
SHA1 hash:
0868574e0b0f8c0c06abf7aa7c0d77861f30b35a
Detections:
win_stealc_w0
Create hunting rule
win_stealc_a0
Create hunting rule
Link:
https://www.unpac.me/results/494b035f-7864-40fc-a2c9-1757bdfa2f8a/
SH256 hash:
5405f0714c71e6b015be0b4e8b694e7a659fbea90a8bc50792d824a9c19f9914
MD5 hash:
84d643d14a2ef991ed448b763d190f31
SHA1 hash:
cf0792e7f038d8a63ebb71c0d63aa291d959974a
Link:
https://www.unpac.me/results/494b035f-7864-40fc-a2c9-1757bdfa2f8a/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5405f0714c71/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5405f0714c71e6b015be0b4e8b694e7a659fbea90a8bc50792d824a9c19f9914

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe 5405f0714c71e6b015be0b4e8b694e7a659fbea90a8bc50792d824a9c19f9914

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3273391/
  
URLhaus
https://urlhaus.abuse.ch/url/3284801/
  
URLhaus
https://urlhaus.abuse.ch/url/3079150/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments