MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55f31583dbfc665b28b7a3a1830d3be4170cad27be46fe1f15a843d15b9f36ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Stealc


Vendor detections: 13



SHA256 hash: 55f31583dbfc665b28b7a3a1830d3be4170cad27be46fe1f15a843d15b9f36ac
SHA3-384 hash: e29745fbc8da3ea87fb13ff1bf75eef2ab6c3753c831830ddb8efc707a796509de403751b9d3de7d6c0358702eb92074
SHA1 hash: 8880c1b473c372605398de10e377f3879883d639
MD5 hash: 07f1ad81086f15b5f2ab58e048b4dd51
humanhash: colorado-social-mexico-kilo
File name: file
Download: download sample
Signature: Stealc
File size: 307'712 bytes
First seen: 2023-11-30 18:01:50 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b499ecd51f921377740ef2835f6980a0 (2 x Smoke Loader, 1 x Tofsee, 1 x Stealc)
ssdeep: 3072:4xnk/q6x3Ths05ltrgqHfZlOko+HV71Z0nR6vY75g9UX558:O36rsOu0lvL1Z0ajCA
Threatray: 883 similar samples on MalwareBazaar
TLSH: T11164185382F0BD46E9268B729F2FE6FC775EF6508E8A776522189E1F00B1172C263714
TrID:
  37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
  17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
  15.9% (.EXE) Win32 Executable (generic) (4505/5/1)
  7.3% (.ICL) Windows Icons Library (generic) (2059/9)
  7.1% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE): PE icon
dhash icon: 0004018144332a86 (1 x Stealc)
Reporter: andretavare5
Tags: exe Stealc


andretavare5
Sample downloaded from http://5.42.64.35/timeSync.exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 307
Origin country: US
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness: Gathering data

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Stealc, Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking locale)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Threat name: Win32.Trojan.Privateloader
Status: Malicious
First seen: 2023-11-30 18:02:05 UTC
File Type: PE (Exe)
Extracted files: 73
AV detection: 20 of 23 (86.96%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:stealc discovery spyware stealer
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Stealc
Malware Config
C2 Extraction: http://5.42.64.41
Unpacked files
SHA256 hash: 2cb8f1b5d0419a80db8d6b13eaed2bfe60f1c053b465a72d4620ad8027c0d15a
MD5 hash: c99986364003af19ed59e34b3c1f3d24
SHA1 hash: c1d1f084ba481886039c589b464d18e892e42f74
Detections: stealc win_stealc_a0 win_stealc_bytecodes_oct_2023

Parent samples:
SHA256 hash: 55f31583dbfc665b28b7a3a1830d3be4170cad27be46fe1f15a843d15b9f36ac
MD5 hash: 07f1ad81086f15b5f2ab58e048b4dd51
SHA1 hash: 8880c1b473c372605398de10e377f3879883d639
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments