MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5601c6c97ab6e5bf0e6b5550c4bf067366e9d1b9f202e345b7fdfdd17f3a0486. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5601c6c97ab6e5bf0e6b5550c4bf067366e9d1b9f202e345b7fdfdd17f3a0486
SHA3-384 hash: 4a1e90c8a652ec0b08101f37ac3085b931ce125c503a059a38520c6ea80fb978b3ff9897ffdea8043061dd207371cc3d
SHA1 hash: 759d4e1a119d584d51adbd23d62b1fb119315c9b
MD5 hash: 8c02dd7abb7632bd09399eae59ce60e6
humanhash: solar-jupiter-pluto-october
File name:8c02dd7abb7632bd09399eae59ce60e6
Download: download sample
Signature Stealc
Create hunting rule
File size:423'136 bytes
First seen:2024-03-16 03:53:23 UTC
Last seen:2024-03-16 05:16:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 6144:/liMqOup/A33wdHkt2+RGqZPsU1rBiH3KVaxdyR/aEfQ9hbbAIiOGMorfUtV/J1I:lqOupdt05M69reasxdyRSpNkCoLUJzgp
Threatray 2 similar samples on MalwareBazaar
TLSH T1239402055E1D4D23EC8372F06A64F1A14836FF2894A1EFC6F74150CEB9A636B65F8236
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter zbetcheckin
Tags:64 exe signed Stealc

Code Signing Certificate

Organisation:Microsoft Code Signing PCA 2011
Issuer:Microsoft Code Signing PCA 2011
Algorithm:sha256WithRSAEncryption
Valid from:2024-03-15T07:43:12Z
Valid to:2025-03-15T07:43:12Z
Serial number: 734832a3afd7c95377768eb44ab94132
Thumbprint Algorithm:SHA256
Thumbprint: 72d485e480dcc99e67486743c0048f49c6a0c4779670fcd25160e0bd990c1026
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
466
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
glupteba
Create hunting rule
ID:
1
File name:
5601c6c97ab6e5bf0e6b5550c4bf067366e9d1b9f202e345b7fdfdd17f3a0486.exe
Verdict:
Malicious activity
Analysis date:
2024-03-16 03:54:55 UTC
Tags:
opendir stealer stealc glupteba loader trojan
Link:
https://app.any.run/tasks/3f2b0dcd-ab01-4898-b82b-f1182a3e0afe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/479194/
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.30173.9893.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Searching for the window
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/65f517db87137159d443570c/reports/ace7b09b-1a12-4c2c-a6ea-2a941af4b2dc/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/5601c6c97ab6e5bf0e6b5550c4bf067366e9d1b9f202e345b7fdfdd17f3a0486
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
dotRunpeX
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c3145817-4c7b-4c5e-93e1-47fc38babf20
Result
Threat name:
Amadey, Glupteba, Mars Stealer, Stealc,
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1410095
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops script or batch files to the startup folder
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Drops script at startup location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected Mars stealer
Yara detected Stealc
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1410095 Sample: QN1omDissd.exe Startdate: 16/03/2024 Architecture: WINDOWS Score: 100 109 5.42.64.44 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 2->109 155 Found malware configuration 2->155 157 Malicious sample detected (through community Yara rule) 2->157 159 Antivirus detection for dropped file 2->159 161 21 other signatures 2->161 11 QN1omDissd.exe 2 2->11         started        14 svchost.exe 1 1 2->14         started        17 svchost.exe 2->17         started        signatures3 process4 dnsIp5 175 Found many strings related to Crypto-Wallets (likely being stolen) 11->175 177 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 11->177 179 Writes to foreign memory regions 11->179 181 3 other signatures 11->181 19 RegAsm.exe 15 369 11->19         started        24 WerFault.exe 11->24         started        135 23.51.58.94 TMNET-AS-APTMNetInternetServiceProviderMY United States 14->135 137 127.0.0.1 unknown unknown 14->137 26 WerFault.exe 17->26         started        signatures6 process7 dnsIp8 111 45.95.11.69 ULTRA-PACKETUS Italy 19->111 113 91.92.250.47 THEZONEBG Bulgaria 19->113 117 15 other IPs or domains 19->117 65 C:\Users\...\zwZlwcjEzQGjvxH0TOkGHH0r.exe, PE32+ 19->65 dropped 67 C:\Users\...\zUldb0mTs3kw0Zp2szY4UOzj.exe, PE32 19->67 dropped 69 C:\Users\...\yrZqw5zUxuhWM0vEu9RbI2kK.exe, PE32 19->69 dropped 71 246 other malicious files 19->71 dropped 163 Drops script or batch files to the startup folder 19->163 165 Creates HTML files with .exe extension (expired dropper behavior) 19->165 28 ETQZWOcZlq7YdlmaXNpXWugf.exe 19->28         started        32 yrZqw5zUxuhWM0vEu9RbI2kK.exe 19->32         started        35 kE6e0U3NM0jAMNCA6xRy5O8z.exe 19->35         started        37 23 other processes 19->37 115 20.42.65.92 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 24->115 file9 signatures10 process11 dnsIp12 121 185.172.128.187 NADYMSS-ASRU Russian Federation 28->121 123 185.172.128.90 NADYMSS-ASRU Russian Federation 28->123 91 C:\Users\user\AppData\Local\...\syncUpd.exe, PE32 28->91 dropped 93 C:\Users\user\AppData\Local\...\INetC.dll, PE32 28->93 dropped 95 C:\Users\user\AppData\...\BroomSetup.exe, PE32 28->95 dropped 39 syncUpd.exe 28->39         started        44 BroomSetup.exe 28->44         started        125 107.167.110.217 OPERASOFTWAREUS United States 32->125 127 107.167.125.189 OPERASOFTWAREUS United States 32->127 133 3 other IPs or domains 32->133 97 Opera_installer_2403160354592958108.dll, PE32 32->97 dropped 105 6 other malicious files 32->105 dropped 139 Found many strings related to Crypto-Wallets (likely being stolen) 32->139 46 yrZqw5zUxuhWM0vEu9RbI2kK.exe 32->46         started        48 yrZqw5zUxuhWM0vEu9RbI2kK.exe 32->48         started        50 yrZqw5zUxuhWM0vEu9RbI2kK.exe 32->50         started        141 Detected unpacking (changes PE section rights) 35->141 143 Detected unpacking (overwrites its own PE header) 35->143 145 Found Tor onion address 35->145 147 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 35->147 129 107.167.110.218 OPERASOFTWAREUS United States 37->129 131 184.28.190.75 AKAMAI-ASN1EU United States 37->131 99 Opera_installer_2403160355212546444.dll, PE32 37->99 dropped 101 Opera_installer_2403160355120777648.dll, PE32 37->101 dropped 103 C:\Users\user\AppData\Local\...\Install.exe, PE32 37->103 dropped 107 5 other malicious files 37->107 dropped 149 Contains functionality to inject code into remote processes 37->149 151 Modifies the hosts file 37->151 153 Adds a directory exclusion to Windows Defender 37->153 52 hxQWhN1ywKUwLWympZNcjFLl.exe 37->52         started        54 powershell.exe 37->54         started        file13 signatures14 process15 dnsIp16 119 185.172.128.145 NADYMSS-ASRU Russian Federation 39->119 73 C:\Users\user\AppData\...\softokn3[1].dll, PE32 39->73 dropped 75 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 39->75 dropped 77 C:\Users\user\AppData\...\mozglue[1].dll, PE32 39->77 dropped 87 9 other files (5 malicious) 39->87 dropped 167 Detected unpacking (changes PE section rights) 39->167 169 Detected unpacking (overwrites its own PE header) 39->169 171 Found many strings related to Crypto-Wallets (likely being stolen) 39->171 173 6 other signatures 39->173 56 cmd.exe 44->56         started        79 Opera_installer_2403160355053378072.dll, PE32 46->79 dropped 58 yrZqw5zUxuhWM0vEu9RbI2kK.exe 46->58         started        81 Opera_installer_2403160355004146732.dll, PE32 48->81 dropped 83 Opera_installer_2403160355030307724.dll, PE32 50->83 dropped 85 Opera_installer_2403160355298825856.dll, PE32 52->85 dropped 61 conhost.exe 54->61         started        file17 signatures18 process19 file20 63 conhost.exe 56->63         started        89 Opera_installer_2403160355207387920.dll, PE32 58->89 dropped process21
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5601c6c97ab6e5bf0e6b5550c4bf067366e9d1b9f202e345b7fdfdd17f3a0486
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5601c6c97ab6e5bf0e6b5550c4bf067366e9d1b9f202e345b7fdfdd17f3a0486/
Threat name:
Win64.Spyware.Vidar
Create hunting rule
Status:
Malicious
First seen:
2024-03-15 11:25:55 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
3
AV detection:
15 of 37 (40.54%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kya4nsl2w3s36dtlkvimjpygontotunz6ibogrnx7x65c7z2asda._file
Verdict:
malicious
Similar samples:
d8f1979b2b2a3d59db7716e40738d5d2a3d557055831e54f8e1f52079dd04aa5
Stealc
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:glupteba family:stealc dropper evasion loader persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/240316-ef7vysdb34/
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Launches sc.exe
Suspicious use of SetThreadContext
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Creates new service(s)
Downloads MZ/PE file
Modifies Windows Firewall
Stops running service(s)
Amadey
Glupteba
Glupteba payload
Stealc
Malware Config
C2 Extraction:
http://5.42.64.44
http://185.172.128.145
Unpacked files
SH256 hash:
5601c6c97ab6e5bf0e6b5550c4bf067366e9d1b9f202e345b7fdfdd17f3a0486
MD5 hash:
8c02dd7abb7632bd09399eae59ce60e6
SHA1 hash:
759d4e1a119d584d51adbd23d62b1fb119315c9b
Link:
https://www.unpac.me/results/33ff8970-2009-49ca-8e5c-f401900e40f6/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5601c6c97ab6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5601c6c97ab6e5bf0e6b5550c4bf067366e9d1b9f202e345b7fdfdd17f3a0486

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe 5601c6c97ab6e5bf0e6b5550c4bf067366e9d1b9f202e345b7fdfdd17f3a0486

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2781349/
Cape
Cape
https://www.capesandbox.com/analysis/479194/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments


Avatar
zbet commented on 2024-03-16 03:53:24 UTC

url : hxxp://15.204.38.240/files/Installsetup2.exe