MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5780ed8b0d40ad27404f10cd789f6b9e6bf58d78a046ad51a6bd9bb7c596989a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5780ed8b0d40ad27404f10cd789f6b9e6bf58d78a046ad51a6bd9bb7c596989a
SHA3-384 hash: 613bc127eda839d3f6200731fef439a629a8d0daa3704e3827bba4d1904897148b3709c90f22e65f030b35040ef8700c
SHA1 hash: f551911393cf7e88b8f15f2101e15573092d02f5
MD5 hash: 379656262d018e26ba6b07ca3bf10d50
humanhash: lamp-saturn-kilo-iowa
File name:379656262d018e26ba6b07ca3bf10d50.exe
Download: download sample
Signature Stealc
Create hunting rule
File size:2'296'832 bytes
First seen:2023-07-23 13:15:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 247c4e38025a870047f8caabbf8e5dbf (1 x Stealc)
ssdeep 24576:NPBTw/qe21O+sCeviQoSsgAO2CuqYqYSgAisj4Keqv9B28+rB8c+AQqLQMJ2gV:DFqifHCuqYqjH28Hc+Ah5
Threatray 608 similar samples on MalwareBazaar
TLSH T1A8B5B40CB2E0DCB0C7A9817A3745CA6DD114FA341E0AE966F7D6EB5B21340CAD19EB17
TrID 43.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
22.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
9.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 24e4c8d0f0c8d4d4 (15 x AgentTesla, 7 x RemcosRAT, 6 x Formbook)
Reporter abuse_ch
Tags:exe Stealc


Avatar
abuse_ch
Stealc C2:
http://5.42.64.28/bd852d02e12e1520.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
294
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
379656262d018e26ba6b07ca3bf10d50.exe
Verdict:
Malicious activity
Analysis date:
2023-07-23 13:16:04 UTC
Tags:
stealc stealer loader
Link:
https://app.any.run/tasks/bf58160d-0139-4d73-816d-83541f92c3b4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/429531/
Detection(s):
SecuriteInfo.com.Variant.Babar.227482.27403.27736.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Gathering data
Verdict:
Malicious
Labled as:
Babar.Generic
Link:
https://www.hybrid-analysis.com/sample/5780ed8b0d40ad27404f10cd789f6b9e6bf58d78a046ad51a6bd9bb7c596989a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7cec2581-e5cc-43dd-acae-f2bbc038fd36
Result
Threat name:
Stealc, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1277882
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1277882 Sample: tPNnpQ6Rkf.exe Startdate: 23/07/2023 Architecture: WINDOWS Score: 100 21 Snort IDS alert for network traffic 2->21 23 Found malware configuration 2->23 25 Antivirus detection for URL or domain 2->25 27 6 other signatures 2->27 7 tPNnpQ6Rkf.exe 17 2->7         started        process3 dnsIp4 19 5.42.64.28, 49682, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 7->19 29 Self deletion via cmd or bat file 7->29 31 Tries to harvest and steal browser information (history, passwords, etc) 7->31 33 Tries to steal Crypto Currency Wallets 7->33 11 cmd.exe 1 7->11         started        13 conhost.exe 7->13         started        signatures5 process6 process7 15 conhost.exe 11->15         started        17 timeout.exe 1 11->17         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5780ed8b0d40ad27404f10cd789f6b9e6bf58d78a046ad51a6bd9bb7c596989a/
Threat name:
Win32.Spyware.Stealc
Create hunting rule
Status:
Malicious
First seen:
2023-07-17 21:37:59 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
18 of 25 (72.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k6ao3cynicwsoqcpcdgxrh3ltzv7ldlyubdk2ungxwn3prmwtcna._file
Verdict:
malicious
Similar samples:
0b212fe0dd1772af4629465b73343d7734a70b96cf71f6771ac314e3b0342894
Stealc
1cc4fab54263dfa842c80a72b78a9c223894264b9b4f25263d8fdc2f69def8a1
Stealc
2ac28f2913c6e2d231d0b67b49a3491f4046221a42ca349f586e0532ac257575
Stealc
80854fed8904bb69c71467dae8cfc5d317c1c5e4531791b4811aa2ba089e7f42
Stealc
988076bd6d29e4027272a15de5c11337648d458b3384554328ed317f55dec1aa
Stealc
c1e64e86dd89a5820bbb518ead2176741f91d3bf5c579e154533d44e816c1f76
Stealc
caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87
Stealc
d4c465f27047a494b15d0cd45c9506d7e8acafb93d02b2acf601b7b36599d1af
Stealc
f244a694cb0f831e3fd68edf484444700378106be5fe03cc5b3dfd6125331871
Stealc
+ 598 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/230723-qhsdtseb59/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Unpacked files
SH256 hash:
5780ed8b0d40ad27404f10cd789f6b9e6bf58d78a046ad51a6bd9bb7c596989a
MD5 hash:
379656262d018e26ba6b07ca3bf10d50
SHA1 hash:
f551911393cf7e88b8f15f2101e15573092d02f5
Link:
https://www.unpac.me/results/ca503edb-78fa-4724-9a85-deab56e3b6a3/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5780ed8b0d40/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5780ed8b0d40ad27404f10cd789f6b9e6bf58d78a046ad51a6bd9bb7c596989a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/429531/

Comments