MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ece35d565cc0b5274c6ce8cf9a782c9c8e07baa2296267454fbc325d194a1cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Stealc


Vendor detections: 11



SHA256 hash: 5ece35d565cc0b5274c6ce8cf9a782c9c8e07baa2296267454fbc325d194a1cd
SHA3-384 hash: 8a8c1d2c61969df9f9c3e560bcccf4b272f590f407e3184e6df8761eb7534a4f127ccf8cc57b75900d27b98d73632dfa
SHA1 hash: 01acdeba8858275bfa3455d201212e894fa8b51a
MD5 hash: adce37ac236361903688788a1b67078c
humanhash: magnesium-uncle-carbon-hydrogen
File name: SecuriteInfo.com.Win64.PWSX-gen.7949.23910
Signature: Stealc
File size: 817'888 bytes
First seen: 2023-12-24 08:14:21 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b12336fa8cbb9bd1c3e11ad0d8477f71 (2 x Smoke Loader, 2 x Stealc, 1 x RemcosRAT)
ssdeep: 24576:JMOChytCU3p5xpqDsY8EBf5FkNiA2M7Apd0fq:JgKhDcsYnbF4ipMs3
Threatray: 6 similar samples on MalwareBazaar
TLSH: T16F0523365F6A7707DF089830809EA117F17CF0975E7E842E70AAB193CA5A163352DB36
TrID: 64.7% (.EXE) UPX compressed Win64 Executable (70117/5/12)
      25.0% (.EXE) UPX compressed Win32 Executable (27066/9/6)
      4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      1.8% (.EXE) OS/2 Executable (generic) (2029/13)
      1.8% (.EXE) Generic Win/DOS Executable (2002/3)
dhash icon: 009286868686f800 (4 x Stealc, 4 x AgentTesla, 3 x Smoke Loader)
Reporter: SecuriteInfoCom
Tags: exe signed Stealc

Code Signing Certificate

Organisation: Microsoft Code Signing PCA 2011
Issuer: Microsoft Code Signing PCA 2011
Algorithm: sha256WithRSAEncryption
Valid from: 2023-12-24T01:59:52Z
Valid to: 2024-12-24T01:59:52Z
Serial number: df3af5fe6435dfadb55daeaa8a3c7f7b
Thumbprint Algorithm: SHA256
Thumbprint: 0fbe931c608495d774e2657a3395004721b4558f28e8542726762ea17a348092
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 312
Origin country: FR
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Launching a process
Creating synchronization primitives
DNS request
Sending a custom TCP request
Connecting to a non-recommended domain
Sending an HTTP GET request
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Searching for synchronization primitives
Running batch commands
Using the Windows Management Instrumentation requests
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Changing a file
Launching cmd.exe command interpreter
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: monero overlay packed upx
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Glupteba
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
Adds extensions / path to Windows Defender exclusion list
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Antivirus detection for URL or domain
Connects to a pastebin service (likely for C&C)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops script or batch files to the startup folder
Found evasive API chain (may stop execution after checking mutex)
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Modifies Windows Defender protection settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Glupteba
Behaviour
Behavior Graph (ID 1366640): sample SecuriteInfo.com.Win64.PWSX..., start date 24/12/2023, architecture WINDOWS, score 100.
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2023-12-24 08:15:07 UTC
File Type: PE+ (Exe)
Extracted files: 5
AV detection: 10 of 37 (27.03%)
Threat level: 2/5
Result
Malware family:
Score: 10/10
Tags: family:glupteba family:stealc dropper evasion loader stealer upx
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Modifies boot configuration data using bcdedit
Drops startup file
Executes dropped EXE
Loads dropped DLL
UPX packed file
Downloads MZ/PE file
Modifies Windows Firewall
Glupteba
Glupteba payload
Stealc
Malware Config
C2 Extraction: http://77.91.76.36
Unpacked files
SHA256 hash: 1b2d5122be350d771d4bb2b66d41092d7cf94b5f42affa9a56503bcbd978192e
MD5 hash: 46b80e236b46f9b15f178363f7f0d584
SHA1 hash: d493fc236105efb4aae752f9575480547f9dc7ad
SHA256 hash: 5ece35d565cc0b5274c6ce8cf9a782c9c8e07baa2296267454fbc325d194a1cd
MD5 hash: adce37ac236361903688788a1b67078c
SHA1 hash: 01acdeba8858275bfa3455d201212e894fa8b51a
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Stealc
Executable exe 5ece35d565cc0b5274c6ce8cf9a782c9c8e07baa2296267454fbc325d194a1cd (this sample)

Delivery method: Distributed via web download
