MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5422d127b342135a6064e8f87b66d7586551d2208fd21cff5a0c73f6161bded7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 14


SHA256 hash: 5422d127b342135a6064e8f87b66d7586551d2208fd21cff5a0c73f6161bded7
SHA3-384 hash: 2130a8980d63ca0a3be8debf8373a321460cbf9eb24cf3cc85704107af988ee000ca53b271e4a870cb01eb48e4f65fc5
SHA1 hash: e103bb6a5cf9b60ebec5b44e69d7c043d8f2bb82
MD5 hash: f104cda5b630712f2a089cc5721e9e8e
humanhash: east-massachusetts-leopard-sweet
File name: file
Signature: Stealc
File size: 250'880 bytes
First seen: 2023-12-01 08:55:38 UTC
Last seen: 2023-12-01 10:24:30 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: e8e51dea98dc7701b104446165cbe5db (5 x Stealc, 4 x Smoke Loader, 2 x Tofsee)
ssdeep: 3072:5/8oF2VTT+VjH/HBG/AgO/UOdZSDie7wTipr+b3n/KpEwywCl+:HKTejfHcIgO/UOnI4mprWn/dHl
TLSH: T1DA34BE3236A0C072E16359394971CAA55A37FCA29B6585CB37D43F3E5E322D28BB4707
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 00210d0515250309 (1 x Stealc)
Reporter: andretavare5
Tags: exe Stealc


andretavare5: Sample downloaded from http://5.42.64.35/timeSync.exe

Intelligence


File Origin
# of uploads: 3
# of downloads: 329
Origin country: US
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a file
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Creating a window
Running batch commands
Creating a process with a hidden window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Sending an HTTP GET request to an infection source
Gathering data
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Stealc, Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Behaviour
Behavior Graph: n/a
Threat name: Win32.Trojan.Privateloader
Status: Malicious
First seen: 2023-12-01 08:56:06 UTC
File Type: PE (Exe)
Extracted files: 14
AV detection: 18 of 23 (78.26%)
Threat level: 5/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:stealc discovery spyware stealer
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Stealc
Malware Config
C2 Extraction: http://5.42.64.41
Unpacked files
SHA256 hash: 2cb8f1b5d0419a80db8d6b13eaed2bfe60f1c053b465a72d4620ad8027c0d15a
MD5 hash: c99986364003af19ed59e34b3c1f3d24
SHA1 hash: c1d1f084ba481886039c589b464d18e892e42f74
Detections: stealc win_stealc_a0 win_stealc_bytecodes_oct_2023
Parent samples:
SHA256 hash: 5422d127b342135a6064e8f87b66d7586551d2208fd21cff5a0c73f6161bded7
MD5 hash: f104cda5b630712f2a089cc5721e9e8e
SHA1 hash: e103bb6a5cf9b60ebec5b44e69d7c043d8f2bb82
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: detect_Mars_Stealer
Author: @malgamy12
Description: detect_Mars_Stealer

Rule name: infostealer_win_stealc_standalone
Description: Find standalone Stealc sample based on decryption routine or characteristic strings
Reference: https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: Trojan_W32_Gh0stMiancha_1_0_0

Rule name: Windows_Trojan_Smokeloader_3687686f
Author: Elastic Security

Rule name: win_stealc_w0
Author: crep1x
Description: Find standalone Stealc sample based on decryption routine or characteristic strings
Reference: https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/

Rule name: yarahub_win_stealc_bytecodes_oct_2023
Author: Matthew @ Embee_Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments