MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60937ed12522a1a7ff0a9e76e66505b900c2e048ca0aac0e10a67e3cf5a993dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 60937ed12522a1a7ff0a9e76e66505b900c2e048ca0aac0e10a67e3cf5a993dd
SHA3-384 hash: e38c6a047e54855ad6b0d0537b1e1800a793a29e002e7f6d5e26b97d584359b6e235703faf582516142ea4f22d818492
SHA1 hash: a131b43135247ba6044cab6d6072754deb5ce0ae
MD5 hash: 880da3fa5fbca3a838cf66e54b11df9c
humanhash: high-carpet-arizona-undress
File name:file
Download: download sample
Signature Stealc
Create hunting rule
File size:694'272 bytes
First seen:2024-07-20 11:39:40 UTC
Last seen:2024-07-20 12:27:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f4d7bc3fdef18bca35b7253afc196af9 (11 x Stealc)
ssdeep 12288:wgyN2aUBIo7YNQe1F85ZwKd89BcFLasaOWAjRydmKcF+YMeM6/mZtfxnuN4:wgyN2PBJwQ6yEvOesNWAym1+GM6/K5G
Threatray 389 similar samples on MalwareBazaar
TLSH T1BBE423BC522BA824C13094BC2895828D37DCFEFD7548669B18DF1AE62DB009F7727D46
TrID 40.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
16.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
12.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.0% (.EXE) Win32 Executable (generic) (4504/4/1)
5.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter Bitsight
Tags:exe Stealc


Avatar
Bitsight
url: http://77.91.77.81/stealc/random.exe

Intelligence

File Origin
# of uploads :
12
# of downloads :
323
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
60937ed12522a1a7ff0a9e76e66505b900c2e048ca0aac0e10a67e3cf5a993dd.exe
Verdict:
Malicious activity
Analysis date:
2024-07-21 08:19:00 UTC
Tags:
stealer stealc
Link:
https://app.any.run/tasks/3f5d2a71-7a70-434f-a6cd-0857d344eb7f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Packer.EnigmaProtector-12
Create hunting rule

PUA.Win.Packer.EnigmaProtector-5
Create hunting rule

PUA.Win.Packer.EnigmaProtector-9852682-0
Create hunting rule

Win.Trojan.Scar-6903585-0
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=669ba214b302ab76f4480fe7
Tags:
Execution Generic Infostealer Network Stealth Trojan
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %temp% directory
Connecting to a non-recommended domain
Connection attempt
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm enigma lolbin microsoft_visual_cc obfuscated packed packed shell32
Link:
https://www.filescan.io/uploads/669ba22bf1068d66afbf90a2/reports/478dfaba-1631-4a74-a5ce-23dc79d586bf/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/60937ed12522a1a7ff0a9e76e66505b900c2e048ca0aac0e10a67e3cf5a993dd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1c13b190-a090-4fff-a3c9-456396fa22b5
Result
Threat name:
Amadey, Babadeda, Stealc, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1477212
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Sample uses string decryption to hide its real strings
Self deletion via cmd or bat file
Sigma detected: New RUN Key Pointing to Suspicious Folder
Snort IDS alert for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Amadeys stealer DLL
Yara detected Babadeda
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1477212 Sample: file.exe Startdate: 20/07/2024 Architecture: WINDOWS Score: 100 119 youtube-ui.l.google.com 2->119 121 www.youtube.com 2->121 123 16 other IPs or domains 2->123 155 Snort IDS alert for network traffic 2->155 157 Found malware configuration 2->157 159 Antivirus / Scanner detection for submitted sample 2->159 161 14 other signatures 2->161 11 file.exe 1 39 2->11         started        16 msedge.exe 2->16         started        18 explorti.exe 2->18         started        20 6 other processes 2->20 signatures3 process4 dnsIp5 135 85.28.47.31, 49730, 49839, 80 GES-ASRU Russian Federation 11->135 137 77.91.77.81, 49731, 49832, 49840 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 11->137 95 C:\Users\user\DocumentsFCAAAAFBKF.exe, PE32 11->95 dropped 97 C:\Users\user\AppData\...\softokn3[1].dll, PE32 11->97 dropped 99 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 11->99 dropped 109 14 other files (10 malicious) 11->109 dropped 177 Detected unpacking (changes PE section rights) 11->177 179 Drops PE files to the document folder of the user 11->179 181 Tries to steal Mail credentials (via file / registry access) 11->181 193 8 other signatures 11->193 22 cmd.exe 1 11->22         started        24 cmd.exe 1 11->24         started        26 cmd.exe 1 11->26         started        101 topTraffic_1705401...0506234197983529371, data 16->101 dropped 103 C:\Users\user\AppData\Local\...\topTraffic, ASCII 16->103 dropped 105 C:\Users\user\AppData\Local\...\Login Data, SQLite 16->105 dropped 107 C:\Users\user\AppData\Local\...\History, SQLite 16->107 dropped 183 Creates multiple autostart registry keys 16->183 185 Maps a DLL or memory area into another process 16->185 28 msedge.exe 16->28         started        37 4 other processes 16->37 187 Hides threads from debuggers 18->187 189 Tries to detect sandboxes / dynamic malware analysis system (registry check) 18->189 191 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 18->191 31 firefox.exe 20->31         started        33 firefox.exe 20->33         started        35 msedge.exe 20->35         started        39 4 other processes 20->39 file6 signatures7 process8 dnsIp9 41 userCFHDHIJDGC.exe 4 22->41         started        45 conhost.exe 22->45         started        47 DocumentsFCAAAAFBKF.exe 8 24->47         started        49 conhost.exe 24->49         started        51 conhost.exe 26->51         started        53 timeout.exe 26->53         started        139 13.107.246.40, 443, 49798, 49799 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 28->139 141 googlehosted.l.googleusercontent.com 142.250.184.193, 443, 49758 GOOGLEUS United States 28->141 147 14 other IPs or domains 28->147 143 172.217.16.206 GOOGLEUS United States 31->143 145 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82, 49795, 49796, 80 GOOGLEUS United States 31->145 149 2 other IPs or domains 31->149 55 firefox.exe 31->55         started        57 firefox.exe 31->57         started        151 3 other IPs or domains 33->151 59 firefox.exe 33->59         started        process10 file11 93 C:\Users\user\AppData\Local\...\explorti.exe, PE32 41->93 dropped 167 Antivirus detection for dropped file 41->167 169 Multi AV Scanner detection for dropped file 41->169 171 Detected unpacking (changes PE section rights) 41->171 175 6 other signatures 41->175 61 explorti.exe 41->61         started        173 Detected unpacking (overwrites its own PE header) 47->173 66 cmd.exe 1 47->66         started        signatures12 process13 dnsIp14 153 77.91.77.82, 49826, 49838, 49845 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 61->153 111 C:\Users\user\AppData\...\0f61f2418d.exe, PE32 61->111 dropped 113 C:\Users\user\AppData\...\04984f6ab3.exe, PE32 61->113 dropped 115 C:\Users\user\AppData\Local\...\random[1].exe, PE32 61->115 dropped 117 C:\Users\user\AppData\Local\...\random[1].exe, PE32 61->117 dropped 195 Detected unpacking (changes PE section rights) 61->195 197 Tries to detect sandboxes and other dynamic analysis tools (window names) 61->197 199 Creates multiple autostart registry keys 61->199 201 4 other signatures 61->201 68 04984f6ab3.exe 61->68         started        71 0f61f2418d.exe 61->71         started        73 chrome.exe 66->73         started        76 msedge.exe 16 66->76         started        78 conhost.exe 66->78         started        80 firefox.exe 1 66->80         started        file15 signatures16 process17 dnsIp18 163 Detected unpacking (changes PE section rights) 68->163 165 Contains functionality to detect sleep reduction / modifications 68->165 82 firefox.exe 71->82         started        131 192.168.2.4, 443, 49723, 49724 unknown unknown 73->131 133 239.255.255.250 unknown Reserved 73->133 84 chrome.exe 73->84         started        87 chrome.exe 73->87         started        89 chrome.exe 73->89         started        91 msedge.exe 76->91         started        signatures19 process20 dnsIp21 125 www.google.com 142.250.184.228, 443, 49746, 49837 GOOGLEUS United States 84->125 127 play.google.com 142.250.185.110, 443, 49830, 49831 GOOGLEUS United States 84->127 129 4 other IPs or domains 84->129
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/60937ed12522a1a7ff0a9e76e66505b900c2e048ca0aac0e10a67e3cf5a993dd
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/60937ed12522a1a7ff0a9e76e66505b900c2e048ca0aac0e10a67e3cf5a993dd/
Threat name:
Win32.Trojan.Stealerc
Create hunting rule
Status:
Malicious
First seen:
2024-07-20 11:40:06 UTC
File Type:
PE (Exe)
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mcjx5ujfekq2p7yktz3omzifxeamfycizifkydqquz7dz5njspoq._file
Verdict:
malicious
Similar samples:
0ce28511b648d489dbc5de2fa6862f4c63b547547c7ea62830f56690397df458
Stealc
32e45a2553dd7faa47a4cf03ebaf78b6278f0c0198ff59e70991495c4262a88f
Stealc
32f298b9605a0cc1cfb21e14d2fd74e2a265b8ce75cd6a1580a35473992d2886
Stealc
37a7ad7e8ace3477705c037277832204c5296be48c38fcdd4e8056e8d2a6e4c1
Stealc
a4e51ce0f2bcb0159ce826e68319a9387660406b965727c473d6603a2615daa7
Stealc
+ 379 additional samples on MalwareBazaar
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:stealc botnet:default stealer
Link:
https://tria.ge/reports/240720-nsvwlayfjq/
Behaviour
Suspicious use of SetWindowsHookEx
Stealc
Malware Config
C2 Extraction:
http://85.28.47.31
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3e680ec5-f63b-4bd1-b395-2dd9e9579479
Unpacked files
SH256 hash:
60937ed12522a1a7ff0a9e76e66505b900c2e048ca0aac0e10a67e3cf5a993dd
MD5 hash:
880da3fa5fbca3a838cf66e54b11df9c
SHA1 hash:
a131b43135247ba6044cab6d6072754deb5ce0ae
Detections:
SUSP_XORed_URL_In_EXE
Create hunting rule
Link:
https://www.unpac.me/results/30ece457-a8a1-4d3e-a7bf-2546756f74e4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/60937ed12522a1a7ff0a9e76e66505b900c2e048ca0aac0e10a67e3cf5a993dd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:EnigmaProtector1XSukhovVladimirSergeNMarkin
Create hunting rule
Author:malware-lu
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:SUSP_XORed_URL_In_EXE
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe 60937ed12522a1a7ff0a9e76e66505b900c2e048ca0aac0e10a67e3cf5a993dd

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3050871/
  
URLhaus
https://urlhaus.abuse.ch/url/2909131/
  
URLhaus
https://urlhaus.abuse.ch/url/2909129/
  
URLhaus
https://urlhaus.abuse.ch/url/2908698/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteA
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryA
WIN_BASE_IO_APICan Create Filesversion.dll::GetFileVersionInfoA

Comments