MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5450fc4b520268ea71f2bd5ff96f7cb74fa8aca6a6b34aa666b78c1d317287c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Stealc


Vendor detections: 17



SHA256 hash: 5450fc4b520268ea71f2bd5ff96f7cb74fa8aca6a6b34aa666b78c1d317287c1
SHA3-384 hash: bdcea304a71017b6efe57c1b388c01b6e597229c5a1a2ee3ad9cc5991bb729d7e9dbec8702ba920f16d1d1f6d83b2c8e
SHA1 hash: ff4e006a15d8abb4e245dd5b5176a016c124cb97
MD5 hash: 2f0fb88a80fb9bfc89482f72fed9509c
humanhash: idaho-eighteen-berlin-finch
File name: file
Download: download sample
Signature: Stealc
File size: 1'840'128 bytes
First seen: 2024-09-27 19:49:01 UTC
Last seen: 2024-09-27 20:29:23 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep: 49152:URTpQ4gK46kEMPAJW32KyF1a1fT/Vqsh8GHOe8:csK/kEMoJWGTsL/VqG8GX
TLSH: T156853316367140B3C94791B13417CAA63FDFEE1A615D0F786B8F84036BE3FAA1976188
TrID: 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
      8.5% (.ICL) Windows Icons Library (generic) (2059/9)
      8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
Reporter: Bitsight
Tags: exe Stealc


Bitsight
url: http://185.215.113.103/steam/random.exe

Intelligence


File Origin
# of uploads: 7
# of downloads: 411
Origin country: US

Vendor Threat Intelligence
Malware family:
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2024-09-27 19:52:15 UTC
Tags: stealer stealc loader opendir themida amadey botnet

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.1%
Tags: Execution Generic Infostealer Network Stealth Trojan Autorun Emotet Spam Lien

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: microsoft_visual_cc packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: StrelaStealer
Verdict: Malicious

Result
Threat name: Amadey, Stealc, Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Found API chain indicative of debugger detection
Found API chain indicative of sandbox detection
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
PE file contains section with special chars
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Amadeys stealer DLL
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph: [interactive process/network graph not reproduced] Behavior Graph ID: 1520772, Sample: file.exe, Startdate: 27/09/2024, Architecture: WINDOWS, Score: 100
Threat name: Win32.Spyware.Stealc
Status: Suspicious
First seen: 2024-09-27 19:50:05 UTC
File Type: PE (Exe)
AV detection: 19 of 24 (79.17%)
Threat level: 2/5

Result
Malware family:
Score: 10/10
Tags: family:amadey family:stealc botnet:9c9aa5 botnet:save credential_access discovery evasion persistence spyware stealer trojan
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks BIOS information in registry
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Stealc
Malware Config
C2 Extraction:
http://185.215.113.37
http://185.215.113.43

Verdict: Malicious
Tags: stealc
YARA: n/a
Unpacked files
SHA256 hash: c4dc46d8968e0fd7dd63d0b674384a196cc4aab15600f9d334127ee4dfddcfcf
MD5 hash: b574f3e9d0a04cce92d4f7322f2316bb
SHA1 hash: 52b55a1ac9ece5e653b52a680e30a0d3abb4ee31
Detections: stealc win_stealc_w0 win_stealc_a0

SHA256 hash: 5450fc4b520268ea71f2bd5ff96f7cb74fa8aca6a6b34aa666b78c1d317287c1
MD5 hash: 2f0fb88a80fb9bfc89482f72fed9509c
SHA1 hash: ff4e006a15d8abb4e245dd5b5176a016c124cb97
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  Stealc
    Executable exe 5450fc4b520268ea71f2bd5ff96f7cb74fa8aca6a6b34aa666b78c1d317287c1 (this sample)

Dropped by: Amadey
Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
ID                         Title                                                   Severity
CHECK_AUTHENTICODE         Missing Authenticode                                    high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (HIGH_ENTROPY_VA)  high
CHECK_NX                   Missing Non-Executable Memory Protection                critical

Comments