MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56ae5bba6fe924b256f6bae52762d29816fe2b92500b7be0baba2ca0ec396db4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Steal


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 56ae5bba6fe924b256f6bae52762d29816fe2b92500b7be0baba2ca0ec396db4
SHA3-384 hash: 0cafc54af4b19b56dd9e2da994bf13bd1ece6dd0e99c609d044c897b26913c2daadf68e154b07ff968edd02e238ef82d
SHA1 hash: e370ece8434b4c87a7ce1c70982b98c0654c6b05
MD5 hash: 588da7a05fe6d237b82ea541c0e9d1cb
humanhash: arkansas-virginia-monkey-magnesium
File name:file
Download: download sample
Signature Steal
Create hunting rule
File size:210'472 bytes
First seen:2024-09-09 17:04:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:Kn10TMU/nQ5PcyZbEGTxjUAh046MoAKEO:Kn10YU/ne3EGTxjUFtM3KEO
TLSH T1E3241294AED53812F9D49B3449A185A27FF4BC1BF6BBC09DB1A66E78DE003541E13338
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter Bitsight
Tags:exe Steal


Avatar
Bitsight
url: http://147.45.44.104/revada/66df29a06624c_cry.exe#kiscrypto

Intelligence

File Origin
# of uploads :
1
# of downloads :
418
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-09-09 17:06:11 UTC
Tags:
stealer stealc loader raccoonclipper
Link:
https://app.any.run/tasks/44d51b14-1b68-4330-a7ff-8b2de600cc5d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.30629.22618.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66df2ac176bc4542b04947f0
Tags:
Encryption Static
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Сreating synchronization primitives
Connection attempt
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/66df2ac1f13dedfc447421b7/reports/1b7c90a6-fc61-4de4-b6c3-4d9141f54266/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/56ae5bba6fe924b256f6bae52762d29816fe2b92500b7be0baba2ca0ec396db4
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/822f9e82-4dff-42dd-97d9-3c3a94439b78
Result
Threat name:
Stealc
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1508152
Signature
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Suricata IDS alerts for network traffic
Writes to foreign memory regions
Yara detected Powershell download and execute
Yara detected Stealc
Behaviour
Behavior Graph:
Download SVG
Score:
78%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/56ae5bba6fe924b256f6bae52762d29816fe2b92500b7be0baba2ca0ec396db4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/56ae5bba6fe924b256f6bae52762d29816fe2b92500b7be0baba2ca0ec396db4/
Threat name:
Win32.Trojan.Stealc
Create hunting rule
Status:
Malicious
First seen:
2024-09-09 17:05:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k2xfxotp5eslevxwxlssoywstalp4k4skafxxyf2xiwkb3bznw2a._file
Verdict:
malicious
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:stealc botnet:cry discovery stealer
Link:
https://tria.ge/reports/240909-vlttaa1hmb/
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Stealc
Malware Config
C2 Extraction:
http://45.152.113.10
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8b0dfe00-a2a6-4e72-a514-4c63458a4765
Unpacked files
SH256 hash:
b942a672a54a729085b437eb710b62c64183331c6a57fe0ec22039201de6b689
MD5 hash:
118f57a4bbb5a429ff1fc129c0c739dc
SHA1 hash:
653e9577e9878e3b930bfa178c0aa224fb61f8d5
Detections:
stealc
Create hunting rule
Link:
https://www.unpac.me/results/2354c45c-62fa-43e9-9ef5-e5dc8139fd34/
Parent samples :
39799cbca0280a21fa444531c85521db039ef70f963a8960f3fcaca71d3cf802
f7e542218783c81229c438685de0c7c29a619790796833069eddb97b2eb34d29
56ae5bba6fe924b256f6bae52762d29816fe2b92500b7be0baba2ca0ec396db4
3b79a6f501554bc68d204d6b0b7ea80cc1619d9dd0ffebb6933edc3e9b8f29ac
e45ef7fdd1a92c5ed40b3365a895623a112ee16444cf0ebe70619cf09d8628ca
c5d5a4fd2200126f32170a7fd214850c244eed7c7279c5773e41c45049202526
SH256 hash:
56ae5bba6fe924b256f6bae52762d29816fe2b92500b7be0baba2ca0ec396db4
MD5 hash:
588da7a05fe6d237b82ea541c0e9d1cb
SHA1 hash:
e370ece8434b4c87a7ce1c70982b98c0654c6b05
Link:
https://www.unpac.me/results/2354c45c-62fa-43e9-9ef5-e5dc8139fd34/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/56ae5bba6fe9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/56ae5bba6fe924b256f6bae52762d29816fe2b92500b7be0baba2ca0ec396db4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Steal

Executable exe 56ae5bba6fe924b256f6bae52762d29816fe2b92500b7be0baba2ca0ec396db4

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3164340/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments