MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a18cd3d6cb8563c29b68b71d892d90945bac08b3e5c79a4597e98b40d7720f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	5a18cd3d6cb8563c29b68b71d892d90945bac08b3e5c79a4597e98b40d7720f8
SHA3-384 hash:	95acff4f47c720ae8656eb748c4e5b39323d6ad3fbecd4ea53e8b857ead36e019540d0ce719aeb5768ffbaf8f0138e51
SHA1 hash:	1cd27cee73aa7a4f6174a0394a6a84e36d06f0bb
MD5 hash:	d6cf4262e813fd2cf5ceb5740d38ef92
humanhash:	aspen-zulu-asparagus-oven
File name:	d6cf4262e813fd2cf5ceb5740d38ef92.exe
Download:	download sample
Signature	Stealc Alert Create hunting rule
File size:	271'360 bytes
First seen:	2023-07-26 15:36:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	5ea3be81e8b97dd70aa776c5063da42c (2 x Stealc)
ssdeep	3072:8IshrTU85g7yxVdvOnXt/4GihBrGE4EVbDwFuPwQ+GIx3TjoRIL:8RIKg7SV5On14GUG/EbEyd+vn
Threatray	34 similar samples on MalwareBazaar
TLSH	T13544AE123590C032D46369315970C6A21B7BBCE29B7886CB33983F3EAE726D05B75B57
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	70d0ded0d4c4d2dd (1 x Stealc)
Reporter	abuse_ch
Tags:	exe Stealc

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

269

Origin country :

NL

Vendor Threat Intelligence

ANY.RUN Malicious

Malware family:

n/a

ID:

1

File name:

d6cf4262e813fd2cf5ceb5740d38ef92.exe

Verdict:

Malicious activity

Analysis date:

2023-07-26 15:43:22 UTC

Tags:

stealc stealer

Link:

https://app.any.run/tasks/998f8ac4-e0d0-48ac-805e-c07618b4b33f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/434146/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.68357894.5080.14065.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Sending a custom TCP request

Running batch commands

Creating a process with a hidden window

Launching a process

Query of malicious DNS domain

Sending an HTTP GET request to an infection source

FileScan.io

Gathering data

Hybrid Analysis Win/malicious_confidence_100%

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/5a18cd3d6cb8563c29b68b71d892d90945bac08b3e5c79a4597e98b40d7720f8

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Oski Stealer

Malware family:

Oski Stealer

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a4214e29-acf2-4900-a596-4f7c1ef174ee

Joe Sandbox Stealc, Vidar

Result

Threat name:

Stealc, Vidar

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1280321

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found evasive API chain (may stop execution after checking locale)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Self deletion via cmd or bat file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Yara detected Stealc

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5a18cd3d6cb8563c29b68b71d892d90945bac08b3e5c79a4597e98b40d7720f8/

ReversingLabs TitaniumCloud Win32.Spyware.Stealc

Threat name:

Win32.Spyware.Stealc

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-07-26 03:47:59 UTC

File Type:

PE (Exe)

Extracted files:

11

AV detection:

28 of 38 (73.68%)

Threat level:

  2/5

Spamhaus Hash Blocklist Malicious file

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=limm2plmxbldyknwrny5rewzbfc3vqelhzohtjczp2mlidlxed4a._file

Threatray malicious

Verdict:

malicious

Similar samples:

0ac7f379b3325d3b367cda31efc43ddf96e2b3f0426cc4d7d4912add6ef8d87c

Stealc

80854fed8904bb69c71467dae8cfc5d317c1c5e4531791b4811aa2ba089e7f42

Stealc

8933096a3a5c51c79403a2dd9bb1db722ec059cb135b203ec1393c0ea3bd15de

Stealc

8a2cf17eb94a6e38695b90efc25180fe632979ecad0e84954bde357c97d3695b

Stealc

90281bc45013c23a0ac60de26a46ab84dd9ccb6930a29a6f5c81004093908734

Stealc

970a7ff3bab4b5fffe226cf5e66d997c9a8692623c2fa17fb5e2d35b16686564

Stealc

a1a47aa6139e363e0c8aaf7e5fe00ba1f5df02b660fd158deec23c3f4c910cfa

Stealc

d5b4716082c735fbf29d7984ff7a99d1a5b35fb8071b94223cb34d9d77199a74

Stealc

fd41ab5fa1562ff06b5a81eace78e7e493e3320b4684e218abf8a47a798e684b

Stealc

+ 24 additional samples on MalwareBazaar

Hatching Triage Malicious

Result

Malware family:

n/a

Score:

  8/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/230726-s2g4baec7z/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

UnpacMe 2

Unpacked files

SH256 hash:

67e733069b858d3b1755210f96834936db5e61cb94f485027fae194c41d04a60

MD5 hash:

2c53a0953fe69825b45ffc2078afa720

SHA1 hash:

7fd7b6be80586deff8af51e8d45ed4b5fca512d2

Link:

https://www.unpac.me/results/7c95de69-015c-4b07-875b-cf50d1571e3a/

SH256 hash:

5a18cd3d6cb8563c29b68b71d892d90945bac08b3e5c79a4597e98b40d7720f8

MD5 hash:

d6cf4262e813fd2cf5ceb5740d38ef92

SHA1 hash:

1cd27cee73aa7a4f6174a0394a6a84e36d06f0bb

Link:

https://www.unpac.me/results/7c95de69-015c-4b07-875b-cf50d1571e3a/

VMRay Stealc

Malware family:

Stealc

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5a18cd3d6cb8/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5a18cd3d6cb8563c29b68b71d892d90945bac08b3e5c79a4597e98b40d7720f8

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

exe 5a18cd3d6cb8563c29b68b71d892d90945bac08b3e5c79a4597e98b40d7720f8

(this sample)

  

URLhaus

https://urlhaus.abuse.ch/url/2689718/

  

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/434146/