MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 570ffa57387064ec2722452fc921480587855a2020e052d4e082ed7ac1a12392. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 570ffa57387064ec2722452fc921480587855a2020e052d4e082ed7ac1a12392
SHA3-384 hash: 7e27e7a7fcf4b6b860f0bd2907168dfb63f78759f85e8606edbeedd7c72d582624a4dd1909d721e909dc51dd73a80d9c
SHA1 hash: b58c4c391f488e339f3d693235eeb7fc8732fe1c
MD5 hash: 3d8cba6301a392e92140a191fedbb805
humanhash: double-skylark-emma-ceiling
File name:file
Download: download sample
Signature Stealc
Create hunting rule
File size:1'773'568 bytes
First seen:2024-11-17 14:57:30 UTC
Last seen:2024-11-17 14:58:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:fGQrfd4c3IM2T/6lsa8LHuJyYDZ3HiGAAXXlIHHy:f3Dd4c3IM2mELHWDtdfWHS
TLSH T1C78533C1CF6394B2D1B70833E6589B31C3D55BBBA1BE01BD5B2BA422C16F6285B51C78
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter Bitsight
Tags:exe Stealc


Avatar
Bitsight
url: http://185.215.113.16/steam/random.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
452
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-11-17 14:58:39 UTC
Tags:
themida lumma loader stealer stealc
Link:
https://app.any.run/tasks/1f719fdc-1170-48f6-b0d1-51446f61e2c1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.9880.1927.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=673a05c64ca0f9db40c4cb07
Tags:
vmdetect autorun autoit spam
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Running batch commands
Creating a process with a hidden window
Launching a process
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/673a047b270d19d07a2d44c1/reports/1e5c9c6f-a50c-4e0f-a4c9-b47ad3b41904/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/570ffa57387064ec2722452fc921480587855a2020e052d4e082ed7ac1a12392
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2f93aada-7584-4e35-889d-921b714cfe00
Result
Threat name:
PureCrypter, LummaC, Amadey, Credential
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1557156
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Detected PureCrypter Trojan
Detected unpacking (changes PE section rights)
Drops password protected ZIP file
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites Mozilla Firefox settings
PE file contains section with special chars
Potentially malicious time measurement code found
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected LummaC Stealer
Yara detected Panda Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1557156 Sample: file.exe Startdate: 17/11/2024 Architecture: WINDOWS Score: 100 106 joxi.net 2->106 108 cook-rain.sbs 2->108 110 chrome.cloudflare-dns.com 2->110 158 Suricata IDS alerts for network traffic 2->158 160 Found malware configuration 2->160 162 Malicious sample detected (through community Yara rule) 2->162 164 17 other signatures 2->164 10 skotes.exe 2->10         started        15 file.exe 37 2->15         started        17 397b802102.exe 2->17         started        19 msedge.exe 106 626 2->19         started        signatures3 process4 dnsIp5 132 185.215.113.43 WHOLESALECONNECTIONSNL Portugal 10->132 134 31.41.244.11 AEROEXPRESS-ASRU Russian Federation 10->134 88 C:\Users\user\AppData\...\73bc1b7ec3.exe, PE32 10->88 dropped 90 C:\Users\user\AppData\...\08f0dfde59.exe, PE32 10->90 dropped 92 C:\Users\user\AppData\...\026d2ba730.exe, PE32 10->92 dropped 100 7 other malicious files 10->100 dropped 184 Detected unpacking (changes PE section rights) 10->184 186 Creates multiple autostart registry keys 10->186 188 Tries to evade debugger and weak emulator (self modifying code) 10->188 204 4 other signatures 10->204 21 397b802102.exe 10->21         started        25 installer.exe 10->25         started        28 026d2ba730.exe 10->28         started        30 08f0dfde59.exe 10->30         started        136 185.215.113.16 WHOLESALECONNECTIONSNL Portugal 15->136 138 185.215.113.206, 49704, 49800, 49854 WHOLESALECONNECTIONSNL Portugal 15->138 140 127.0.0.1 unknown unknown 15->140 94 C:\Users\user\DocumentsBKKFCFBKFC.exe, PE32 15->94 dropped 96 C:\Users\user\AppData\...\softokn3[1].dll, PE32 15->96 dropped 98 C:\Users\user\AppData\Local\...\random[1].exe, PE32 15->98 dropped 102 11 other files (3 malicious) 15->102 dropped 190 Attempt to bypass Chrome Application-Bound Encryption 15->190 192 Drops PE files to the document folder of the user 15->192 194 Tries to steal Mail credentials (via file / registry access) 15->194 206 5 other signatures 15->206 32 cmd.exe 15->32         started        34 msedge.exe 2 11 15->34         started        36 chrome.exe 15->36         started        196 Query firmware table information (likely to detect VMs) 17->196 198 Found many strings related to Crypto-Wallets (likely being stolen) 17->198 200 Tries to harvest and steal ftp login credentials 17->200 142 192.168.2.23 unknown unknown 19->142 144 192.168.2.4 unknown unknown 19->144 202 Overwrites Mozilla Firefox settings 19->202 38 msedge.exe 19->38         started        40 4 other processes 19->40 file6 signatures7 process8 dnsIp9 112 cook-rain.sbs 188.114.96.3 CLOUDFLARENETUS European Union 21->112 166 Multi AV Scanner detection for dropped file 21->166 168 Detected unpacking (changes PE section rights) 21->168 170 Query firmware table information (likely to detect VMs) 21->170 182 5 other signatures 21->182 82 C:\Users\user\AppData\Local\Temp\...\7z.exe, PE32+ 25->82 dropped 84 C:\Users\user\AppData\Local\Temp\...\7z.dll, PE32+ 25->84 dropped 42 cmd.exe 25->42         started        172 Tries to evade debugger and weak emulator (self modifying code) 28->172 174 Hides threads from debuggers 28->174 176 Tries to detect sandboxes / dynamic malware analysis system (registry check) 28->176 178 Binary is likely a compiled AutoIt script file 30->178 44 taskkill.exe 30->44         started        46 taskkill.exe 30->46         started        48 DocumentsBKKFCFBKFC.exe 32->48         started        52 conhost.exe 32->52         started        180 Monitors registry run keys for changes 34->180 54 msedge.exe 34->54         started        114 192.168.2.7, 443, 49703, 49704 unknown unknown 36->114 116 239.255.255.250 unknown Reserved 36->116 56 chrome.exe 36->56         started        118 13.107.246.57, 443, 49903, 49911 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 38->118 120 20.125.209.212, 443, 49953, 49978 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 38->120 124 23 other IPs or domains 38->124 86 C:\Users\user\AppData\Local\...\Cookies, SQLite 38->86 dropped 122 ntp.msn.com 40->122 file10 signatures11 process12 dnsIp13 59 windows_updater.exe 42->59         started        63 7z.exe 42->63         started        66 conhost.exe 42->66         started        74 7 other processes 42->74 68 conhost.exe 44->68         started        70 conhost.exe 46->70         started        80 C:\Users\user\AppData\Local\...\skotes.exe, PE32 48->80 dropped 150 Detected unpacking (changes PE section rights) 48->150 152 Tries to evade debugger and weak emulator (self modifying code) 48->152 154 Tries to detect virtualization through RDTSC time measurements 48->154 156 4 other signatures 48->156 72 skotes.exe 48->72         started        126 play.google.com 142.250.186.174, 443, 49806 GOOGLEUS United States 56->126 128 plus.l.google.com 142.250.186.46, 443, 49796 GOOGLEUS United States 56->128 130 2 other IPs or domains 56->130 file14 signatures15 process16 dnsIp17 146 joxi.net 176.9.162.205 HETZNER-ASDE Germany 59->146 208 Writes to foreign memory regions 59->208 210 Allocates memory in foreign processes 59->210 212 Injects a PE file into a foreign processes 59->212 76 RegSvcs.exe 59->76         started        104 C:\Users\user\AppData\...\windows_updater.exe, PE32 63->104 dropped 214 Hides threads from debuggers 72->214 216 Tries to detect sandboxes / dynamic malware analysis system (registry check) 72->216 218 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 72->218 file18 signatures19 process20 dnsIp21 148 109.94.208.20 RETN-ASEU Russian Federation 76->148 220 Tries to harvest and steal ftp login credentials 76->220 signatures22
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/570ffa57387064ec2722452fc921480587855a2020e052d4e082ed7ac1a12392
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/570ffa57387064ec2722452fc921480587855a2020e052d4e082ed7ac1a12392/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2024-11-17 14:58:05 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 38 (52.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k4h7uvzyobsoyjzciux4sikiawdykwraedqffvhaqlwxvqnbeoja._file
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:lumma botnet:9c9aa5 credential_access discovery evasion persistence spyware stealer trojan
Link:
https://tria.ge/reports/241117-sb5rpasdlh/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks BIOS information in registry
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Downloads MZ/PE file
Uses browser remote debugging
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
http://185.215.113.43
https://processhol.sbs/api
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d1cabec6-7f72-408e-8447-4c2777cc967c
Unpacked files
SH256 hash:
d778adf1b4ba97a9394326c8b5f2d992ed61b3341ae6cf38bc849d5283f3978a
MD5 hash:
11641caf9e02b5089e8dd9950efa945d
SHA1 hash:
ce56d84de9c762d9383c06a10e4ac30f3e44ee30
Detections:
win_stealc_w0
Create hunting rule
win_stealc_a0
Create hunting rule
Link:
https://www.unpac.me/results/27f6e2b5-08fb-4d8b-8078-c0f797d7e970/
SH256 hash:
570ffa57387064ec2722452fc921480587855a2020e052d4e082ed7ac1a12392
MD5 hash:
3d8cba6301a392e92140a191fedbb805
SHA1 hash:
b58c4c391f488e339f3d693235eeb7fc8732fe1c
Link:
https://www.unpac.me/results/27f6e2b5-08fb-4d8b-8078-c0f797d7e970/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/570ffa57387064ec2722452fc921480587855a2020e052d4e082ed7ac1a12392

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe 570ffa57387064ec2722452fc921480587855a2020e052d4e082ed7ac1a12392

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3079150/
  
URLhaus
https://urlhaus.abuse.ch/url/3279845/
  
URLhaus
https://urlhaus.abuse.ch/url/3284801/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments