MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6081b51cb35b877e585e65440539df92d4e8516d7ae087cb18b7a7ce87707185. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 16


Intelligence 16 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6081b51cb35b877e585e65440539df92d4e8516d7ae087cb18b7a7ce87707185
SHA3-384 hash: ebbd9ff6915af358e7d34f1815d7dca69cacaa9d251d80b699190479ce9a51b36c4382177cc92651656c71be8497dbb9
SHA1 hash: f83e6487506067aab52550faf4179ecac77b17ee
MD5 hash: 56bbebff4b50d8298e46f3312915694c
humanhash: happy-green-summer-sierra
File name:file
Download: download sample
Signature Stealc
Create hunting rule
File size:334'376 bytes
First seen:2024-09-24 13:47:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:9HjkqhJNb+r7hwLDH1L3nbGIR1M34fHwTDIlpCUOS7YYCUEO:Fj3Jb+QDHRX/rMAHouFOS7Y6EO
TLSH T1B36423362DA42517FBDD4E76D4132E7FBC23F3A974C1508355879BA92A053AC868C2E2
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter Bitsight
Tags:exe Stealc


Avatar
Bitsight
url: https://orderhangthai.com/sdfbtw.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
434
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-09-24 13:50:32 UTC
Tags:
stealer stealc loader evasion
Link:
https://app.any.run/tasks/ef680f8e-1da1-42d4-9de0-a715b97744e4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.439.4784.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66f2c3188aca58c2b2c715da
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a file
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Connection attempt to an infection source
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/66f2c3175551d52611ffdd26/reports/df4c5c5a-3a34-4399-913d-3d42fd735c20/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/6081b51cb35b877e585e65440539df92d4e8516d7ae087cb18b7a7ce87707185
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c0d3fb68-ac90-4ebc-bb0d-cc96de24c68d
Result
Threat name:
LummaC, Stealc, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1516792
Signature
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates multiple autostart registry keys
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious File Creation In Uncommon AppData Folder
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1516792 Sample: file.exe Startdate: 24/09/2024 Architecture: WINDOWS Score: 100 100 yalubluseks.eu 2->100 102 vozmeatillu.shop 2->102 104 12 other IPs or domains 2->104 122 Suricata IDS alerts for network traffic 2->122 124 Found malware configuration 2->124 126 Antivirus detection for URL or domain 2->126 128 17 other signatures 2->128 11 file.exe 2 2->11         started        15 IDSM.exe 2->15         started        17 IDSM.exe 2->17         started        19 2 other processes 2->19 signatures3 process4 file5 88 C:\Users\user\AppData\Local\...\file.exe.log, CSV 11->88 dropped 144 Contains functionality to inject code into remote processes 11->144 146 Writes to foreign memory regions 11->146 148 Allocates memory in foreign processes 11->148 150 Injects a PE file into a foreign processes 11->150 21 RegAsm.exe 41 11->21         started        26 RegAsm.exe 11->26         started        28 conhost.exe 11->28         started        30 WerFault.exe 15->30         started        32 WerFault.exe 17->32         started        34 WerFault.exe 19->34         started        36 WerFault.exe 19->36         started        signatures6 process7 dnsIp8 106 46.8.231.109, 49708, 49722, 80 FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics Russian Federation 21->106 108 orderhangthai.com 103.221.222.95, 443, 49709, 49715 FPT-AS-APTheCorporationforFinancingPromotingTechnolo Viet Nam 21->108 80 C:\Users\user\AppData\RoamingEGIJKEHCAK.exe, PE32 21->80 dropped 82 C:\Users\user\AppData\...\vdshdfsd[1].exe, PE32 21->82 dropped 84 C:\Users\user\AppData\...\softokn3[1].dll, PE32 21->84 dropped 86 15 other files (11 malicious) 21->86 dropped 130 Tries to steal Mail credentials (via file / registry access) 21->130 132 Tries to harvest and steal browser information (history, passwords, etc) 21->132 134 Tries to steal Crypto Currency Wallets 21->134 136 Tries to harvest and steal Bitcoin Wallet information 21->136 38 cmd.exe 1 21->38         started        40 cmd.exe 1 21->40         started        42 cmd.exe 1 21->42         started        138 Found evasive API chain (may stop execution after checking locale) 26->138 140 Searches for specific processes (likely to inject) 26->140 file9 signatures10 process11 process12 44 userBAFCFHDHII.exe 2 38->44         started        47 conhost.exe 38->47         started        49 RoamingEGIJKEHCAK.exe 1 5 40->49         started        52 conhost.exe 40->52         started        54 userECFCBFBGDB.exe 2 42->54         started        56 conhost.exe 42->56         started        file13 152 Multi AV Scanner detection for dropped file 44->152 154 Writes to foreign memory regions 44->154 156 Allocates memory in foreign processes 44->156 58 RegAsm.exe 44->58         started        63 IDSM.exe 44->63         started        65 conhost.exe 44->65         started        78 C:\Users\user\AppData\Local\Temp\...\IDSM.exe, PE32 49->78 dropped 158 Creates multiple autostart registry keys 49->158 67 IDSM.exe 49->67         started        160 Injects a PE file into a foreign processes 54->160 162 LummaC encrypted strings found 54->162 69 RegAsm.exe 54->69         started        71 conhost.exe 54->71         started        signatures14 process15 dnsIp16 110 cowod.hopto.org 45.132.206.251, 49783, 80 LIFELINK-ASRU Russian Federation 58->110 112 116.203.15.34, 443, 49744, 49745 HETZNER-ASDE Germany 58->112 90 C:\Users\user\AppData\...\lkjhgfdfsd[1].exe, PE32 58->90 dropped 92 C:\Users\user\AppData\Local\...\dmsag[1].exe, PE32 58->92 dropped 94 C:\ProgramData\FBFCFIEBKE.exe, PE32 58->94 dropped 96 C:\ProgramData\AAEBAFBGID.exe, PE32 58->96 dropped 164 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 58->164 166 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 58->166 168 Tries to harvest and steal ftp login credentials 58->168 174 3 other signatures 58->174 73 WerFault.exe 63->73         started        114 api.ipify.org 104.26.12.205, 49728, 49777, 80 CLOUDFLARENETUS United States 67->114 98 C:\Users\user\AppData\Local\...\MSDNG.exe, PE32 67->98 dropped 170 Multi AV Scanner detection for dropped file 67->170 172 Creates multiple autostart registry keys 67->172 75 MSDNG.exe 67->75         started        116 performenj.shop 104.21.51.224, 443, 49734, 49789 CLOUDFLARENETUS United States 69->116 118 reinforcenh.shop 104.21.77.130, 443, 49731, 49787 CLOUDFLARENETUS United States 69->118 120 4 other IPs or domains 69->120 file17 signatures18 process19 signatures20 142 Multi AV Scanner detection for dropped file 75->142
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6081b51cb35b877e585e65440539df92d4e8516d7ae087cb18b7a7ce87707185
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6081b51cb35b877e585e65440539df92d4e8516d7ae087cb18b7a7ce87707185/
Threat name:
Win32.Trojan.Stealc
Create hunting rule
Status:
Malicious
First seen:
2024-09-24 13:48:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mca3khftlodx4wc6mvcakoo7slkoqulnplqipsyyw6t45b3qogcq._file
Verdict:
malicious
Label(s):
stealc
Create hunting rule
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:lumma family:stealc family:vidar botnet:3a15237aa92dcd8ccca447211fb5fc2a botnet:default credential_access discovery persistence spyware stealer
Link:
https://tria.ge/reports/240924-q34ycs1ard/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Downloads MZ/PE file
Detect Vidar Stealer
Lumma Stealer, LummaC
Stealc
Vidar
Malware Config
C2 Extraction:
http://46.8.231.109
https://steamcommunity.com/profiles/76561199780418869
https://t.me/ae5ed
https://ghostreedmnu.shop/api
Verdict:
Malicious
Tags:
stealc
YARA:
n/a
Link:
https://app.threat.zone/submission/678b4d96-0788-4c55-a319-0a103062be21
Unpacked files
SH256 hash:
951b300428f46c2a12417414eb10796307cbe9016bbd22193e3250f77bb8190c
MD5 hash:
733e54187892b23b2b7653e79925a2f0
SHA1 hash:
bcd5bfca9eb9fc9bdced6a3a43a96baf598fcd80
Detections:
stealc
Create hunting rule
Link:
https://www.unpac.me/results/4d2eb5c0-3101-4815-8b26-faca38b6a364/
Parent samples :
6081b51cb35b877e585e65440539df92d4e8516d7ae087cb18b7a7ce87707185
eba091f4887e9bc9e0308d4e7830b2ae7b50eddb7c53425bd78db0f959ed6524
c45269675dbf15f6ef65637952f5e57c50f124f2182bb6d526cff137bdd07008
8df76c9722b5a44e7e5c42de48f4073ef42eaa814903207abdb9aa72f0ed4616
2a9f856bc9fe5a41540aa3800cd8e50adfbfbc3661845a9791c02c13bcadddf6
56afc3a4d1976c141a65895d5fb4e6fc5756a593cf97d234626f8107ad2141d5
84844b745d886eebbe814e0b9b05fd921a252019e27661a447a1103c8937f997
27055280296d10b811b4d76456dbc5d29aac8b4fc33708fa47b36334e1d85700
SH256 hash:
3986363fb8deb6927a153051c4d412001481d4cb60a113261c0e0402238bfef9
MD5 hash:
f5aa858b2cbbb784ca62b8891c9f557e
SHA1 hash:
f45f07667a035a43b06a5f43755e249a67a01f67
Link:
https://www.unpac.me/results/4d2eb5c0-3101-4815-8b26-faca38b6a364/
SH256 hash:
6081b51cb35b877e585e65440539df92d4e8516d7ae087cb18b7a7ce87707185
MD5 hash:
56bbebff4b50d8298e46f3312915694c
SHA1 hash:
f83e6487506067aab52550faf4179ecac77b17ee
Link:
https://www.unpac.me/results/4d2eb5c0-3101-4815-8b26-faca38b6a364/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6081b51cb35b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6081b51cb35b877e585e65440539df92d4e8516d7ae087cb18b7a7ce87707185

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe 6081b51cb35b877e585e65440539df92d4e8516d7ae087cb18b7a7ce87707185

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3189261/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments