MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5bc5cdd0c50f063e0f356ea7279481080e101208e4e1f7698f656ff8b91f0685. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


000Stealer


Vendor detections: 8


Intelligence 8 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5bc5cdd0c50f063e0f356ea7279481080e101208e4e1f7698f656ff8b91f0685
SHA3-384 hash: 4ffa1d7aa394dfaee24fb22c03712c3aef9eaaff74cabb52e134bd5bff65286c3360a564b7c2acebee789f988a25dc98
SHA1 hash: c59b480b4ca11079161875b803082ba378f32b8c
MD5 hash: 69b309453ffe8674a6025fac0dd1a1ae
humanhash: kilo-sixteen-november-hamper
File name:file
Download: download sample
Signature 000Stealer
Create hunting rule
File size:7'255'040 bytes
First seen:2022-11-28 02:00:53 UTC
Last seen:2022-11-28 03:30:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9cbefe68f395e67356e2a5d8d1b285c0 (58 x LummaStealer, 49 x AuroraStealer, 35 x Vidar)
ssdeep 196608:hvZeSceAfJLfZA0PW9XaBTWp5vzIKwx2iLMvU:vePeOZA0ph+5bSIi4vU
Threatray 16 similar samples on MalwareBazaar
TLSH T1E07601A1FDDB94B2E202E2310857A2AFE32178451F35CB87D6547B6EAC736E10D2F215
gimphash 95c8e5b3b26c4debfcf56e0bdaabb54d8e6a4389994054e9b3d98c084b85a665
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter jstrosch
Tags:000Stealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
230
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-11-28 02:04:30 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/3a631d89-c7c5-4057-ad96-9841821445ce

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/339213/
Detection(s):
SecuriteInfo.com.Win32.Trojan-gen.1592.29439.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Reading critical registry keys
Using the Windows Management Instrumentation requests
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/638416659c57db591d88ef75/reports/b117ddf5-fd55-40e5-a1a6-1068249339be/overview
Result
Verdict:
MALICIOUS
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/039b58b5-5fca-495f-89b8-0d31021bdabb
Result
Threat name:
000Stealer
Create hunting rule
Detection:
malicious
Classification:
evad.phis.troj.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1122160
Signature
Antivirus / Scanner detection for submitted sample
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Overwrites Mozilla Firefox settings
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Yara detected 000Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5bc5cdd0c50f063e0f356ea7279481080e101208e4e1f7698f656ff8b91f0685/
Threat name:
Win32.Trojan.Lazy
Create hunting rule
Status:
Malicious
First seen:
2022-11-28 02:07:12 UTC
File Type:
PE (Exe)
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lpc43ugfb4dd4dzvn2tspfebbahbaeqi4tq7o2mpmvx7roi7a2cq._file
Verdict:
malicious
Similar samples:
0077e7d6e90ad972b64e90c343c617482f39505deff44ebff99ff49041252dcb
000Stealer
1023a522ff7c6abdd3bb32004ca28d89d82a2cd03c627519baea3543a8603f84
000Stealer
203f591e084a2ece60b2be5c13fbafa673ecac10ef91055ad7bd73fddc656b5d
000Stealer
7aa17be3b8a5d82c4ffcb0a88cf2a64339c59fceaea5201cf6c7b3c7c906cdc3
000Stealer
b924bd60cc419ee92e7c55cb20eb5fe43e2a9c440b5d6ed8b78446bbd180795c
000Stealer
ddf46263a07e42ae3c237f9745d49df8dc803c4c3b9b423cb335f9fbc21e57cc
000Stealer
+ 6 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/221128-cfkpbabe5s/
Unpacked files
SH256 hash:
5bc5cdd0c50f063e0f356ea7279481080e101208e4e1f7698f656ff8b91f0685
MD5 hash:
69b309453ffe8674a6025fac0dd1a1ae
SHA1 hash:
c59b480b4ca11079161875b803082ba378f32b8c
Link:
https://www.unpac.me/results/42de2fa2-cc4c-4acf-92fe-4c020e8767ca/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/5bc5cdd0c50f063e0f356ea7279481080e101208e4e1f7698f656ff8b91f0685

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

000Stealer

Executable exe 5bc5cdd0c50f063e0f356ea7279481080e101208e4e1f7698f656ff8b91f0685

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/339213/
  
URLhaus
https://urlhaus.abuse.ch/url/2435504/

Comments