MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 576ae20ecf51decbf1e8a5a934975b451f8a11e03766928535a49e70c368175b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 576ae20ecf51decbf1e8a5a934975b451f8a11e03766928535a49e70c368175b
SHA3-384 hash: eae837762921029a8421beac8990273b2aae917fb006976719f78ac26920bdd3456543d7edbc0bf1fa8c360d3c37f87f
SHA1 hash: 1627372f4af395cb4b08ea603112fb993adb962c
MD5 hash: 0d4e145bf382b81a0520ef473e402ea6
humanhash: harry-oscar-carpet-neptune
File name:file
Download: download sample
Signature Stealc
Create hunting rule
File size:247'808 bytes
First seen:2023-09-27 08:12:02 UTC
Last seen:2023-09-27 12:54:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 14051e4df4c36cf261bf236adfea8971 (3 x RedLineStealer, 2 x Gozi, 2 x TeamBot)
ssdeep 3072:uYWC+vyQw35qSBmUFCOxFEQyfUG/GuPP8sfpjJJ6/CPZtsn5cpUkZTWLm:/JBd34imsC+FEHG0fpjGGpvZTf
Threatray 475 similar samples on MalwareBazaar
TLSH T10734CF1175A0D076F5AB40395830C6F42E7FB8B39A68C95733982FAF6D3139167A6332
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000010943231903 (1 x Stealc)
Reporter andretavare5
Tags:exe Stealc


Avatar
andretavare5
Sample downloaded from http://christopherantonio.top/calc2.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
288
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-09-27 08:14:52 UTC
Tags:
stealc stealer
Link:
https://app.any.run/tasks/7706cd3e-d913-4aa4-a9d0-ed9d795a219d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/451507/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6513e3d833582f234e045144/reports/4c829dd8-d844-4d0e-84cf-dea00fc3f6ad/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/576ae20ecf51decbf1e8a5a934975b451f8a11e03766928535a49e70c368175b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Oski Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fd2dd3f1-cd70-477b-bdfc-07e580353f19
Result
Threat name:
Stealc, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1315078
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Sample uses string decryption to hide its real strings
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/576ae20ecf51decbf1e8a5a934975b451f8a11e03766928535a49e70c368175b/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-09-27 08:13:05 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
19 of 22 (86.36%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k5voedwpkhpmx4piuwutjf23iupyuepag5tjfbjvusphbq3ic5nq._file
Verdict:
malicious
Similar samples:
09d0c1b8d3b4e342f35326bc754e7a05ac3b31fed0c60a86477a4336554059f4
Stealc
3045545357b095b5e32bf2d338ec052cf035d88ec6d2ddd06ce545eaa7eea573
Stealc
6f4d3d35e9fe47b1bd6bb03386aeab883f4f32c0a9fc4eac5f850b7cdd6e2046
Stealc
774a5633a5cf948de71702480044e7466daaaea595d4149c2414cb995b7c3378
Stealc
7ead8e741e86da1488da1bc6793807380c26a09518a7532ea1247d4a69e82070
Stealc
926bb9311b6d628c34e16f770695418656be7158d16b412c5954faa74ff57fbe
Stealc
b2aa1408b77d5272d0e9f7250e196124fd2cc5d86f8ef90abe0ec37ea27b41af
Stealc
+ 465 additional samples on MalwareBazaar
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:stealc discovery spyware stealer
Link:
https://tria.ge/reports/230927-j3whnaad97/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Stealc
Malware Config
C2 Extraction:
http://bryanzachary.top
Unpacked files
SH256 hash:
fe6edbc42a1b391d80eac4c06b5dd169cebbc353f67a6e1d780770be829ce27e
MD5 hash:
7b1a0ddf9afe48ddd7a79a9c3964f353
SHA1 hash:
db3922ddda9702a979090b50cd640521ce0eed99
Detections:
stealc
Create hunting rule
Link:
https://www.unpac.me/results/671daba4-2dbb-4e50-9aaa-b2a687ed6574/
Parent samples :
926bb9311b6d628c34e16f770695418656be7158d16b412c5954faa74ff57fbe
b2aa1408b77d5272d0e9f7250e196124fd2cc5d86f8ef90abe0ec37ea27b41af
774a5633a5cf948de71702480044e7466daaaea595d4149c2414cb995b7c3378
09d0c1b8d3b4e342f35326bc754e7a05ac3b31fed0c60a86477a4336554059f4
576ae20ecf51decbf1e8a5a934975b451f8a11e03766928535a49e70c368175b
SH256 hash:
576ae20ecf51decbf1e8a5a934975b451f8a11e03766928535a49e70c368175b
MD5 hash:
0d4e145bf382b81a0520ef473e402ea6
SHA1 hash:
1627372f4af395cb4b08ea603112fb993adb962c
Link:
https://www.unpac.me/results/671daba4-2dbb-4e50-9aaa-b2a687ed6574/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/576ae20ecf51/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/576ae20ecf51decbf1e8a5a934975b451f8a11e03766928535a49e70c368175b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2712591/
Cape
Cape
https://www.capesandbox.com/analysis/451507/
  
URLhaus
https://urlhaus.abuse.ch/url/2709826/
  
URLhaus
https://urlhaus.abuse.ch/url/2712461/

Comments