MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60e882524f7806297abc258cd01a910542451b468bd5463ac58b34a297b207b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 12

Intelligence 12 IOCs YARA 1 File information Comments

SHA256 hash:	60e882524f7806297abc258cd01a910542451b468bd5463ac58b34a297b207b0
SHA3-384 hash:	9701c23dbb47c841b931ff5cd399918bb23a3cacb7fd87d30df81c816ffd89a69af964260e941bec91b1509fad504991
SHA1 hash:	3f665626c923f576b7d100470d338463a9b25620
MD5 hash:	44dd6b1f85224283e99ccad26817c67a
humanhash:	equal-delaware-leopard-florida
File name:	44dd6b1f85224283e99ccad26817c67a.exe
Download:	download sample
Signature	Stealc Create hunting rule
File size:	219'648 bytes
First seen:	2023-02-24 10:35:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4d3abe319a86be18efea13e549546a45 (1 x Stealc, 1 x Amadey)
ssdeep	3072:tFapeHmKLQBxR8LuscGllBj+IYs83a2guI7UUec/ORGbrM2W8B8Ip/:bLQlCf83xIveZ8823Bh/
Threatray	1'163 similar samples on MalwareBazaar
TLSH	T15C24DF11B5A3C471D59A49349834C6F86E3BBCB15A9B894B33283BBF2D312D1077B792
TrID	38.6% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 29.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	383470c8c0c8cc01 (1 x Stealc)
Reporter	abuse_ch
Tags:	exe Stealc

abuse_ch

Stealc C2:
http://91.215.85.213/8621de5ba9a36454.php

Intelligence

File Origin

# of uploads :

# of downloads :

238

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

44dd6b1f85224283e99ccad26817c67a.exe

Verdict:

Malicious activity

Analysis date:

2023-02-24 10:38:39 UTC

Tags:

stealer loader

Link:

https://app.any.run/tasks/b89f8439-4219-4a73-98a2-5d76af5a5d12

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/369387/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Changing a file

Creating a file in the %AppData% subdirectories

Creating a window

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

75%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/63f893145d47c2515e7fad8a/reports/1fcbba73-e685-4756-9bb5-b854d06e59db/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/60e882524f7806297abc258cd01a910542451b468bd5463ac58b34a297b207b0

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Stealc

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5755ad41-d2d1-4008-a446-107bae949cbf

Result

Threat name:

Stealc, Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1181773

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found evasive API chain (may stop execution after checking locale)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Yara detected Stealc

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/60e882524f7806297abc258cd01a910542451b468bd5463ac58b34a297b207b0/

Threat name:

Win32.Trojan.SmokeLoader

Status:

Malicious

First seen:

2023-02-24 10:36:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 25 (76.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=mduieusppadcs6v4ewgnaguravbekg2grpkumowfrm2kff5sa6ya._file

Verdict:

malicious

Stealc

505d85e3f2cc036bd585825a9bf3fd03a90a849d76dc29e842a1b3725d0b86ce

Stealc

77570db1195a42024717d6223e0c55bc77e0246080b2fa7de24eac97391cdeda

Stealc

86c349ad1aecf41f402adad10ff1c7a8e34b2f9f733db02bfd88bb1abac8128a

Stealc

a06867c5e8f32e4f33fc0455b26a792eb1647178918628765aec756c1a21c382

Stealc

cbfca62676f5f4653e7151e00a3fabc91fae98e1c8beab6b2e05eb79cd3b342d

Stealc

d060ee3029a154a6fba6ed666ee5fafb2c8ee019dcfde0819f8aa24392b6e944

Stealc

e53d06c97fba2a905b2471bed2de6069ff9e244337d630dd63252712824c9afd

Stealc

f23bf048e15eb819af71c70acfb23c1cb4f2812d68eef9f53c326662e3b68225

Stealc

+ 1'153 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/230224-mm81laah94/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Unpacked files

SH256 hash:

fd966e9c017e8efa9129709d6d66893169f85c50a901f404357e32a69af8d188

MD5 hash:

6f255d66534f3bfd7f71816ccc10a3b2

SHA1 hash:

9383c4fdd8fc5cc0ae7757be7f89ca552a61bc13

Detections:

win_stealc_w0

Link:

https://www.unpac.me/results/0fb7bad3-19ca-4bb2-a747-3dbbe70dd7df/

Parent samples :

e53d06c97fba2a905b2471bed2de6069ff9e244337d630dd63252712824c9afd
60e882524f7806297abc258cd01a910542451b468bd5463ac58b34a297b207b0
5da2c89544a639d421829c909f77128059902cf319e8295aab7fa6d580f2c275
30e41e9f83dad57db2860db40144dbb44f0863087480a55dab2b62039654ccb2

SH256 hash:

60e882524f7806297abc258cd01a910542451b468bd5463ac58b34a297b207b0

MD5 hash:

44dd6b1f85224283e99ccad26817c67a

SHA1 hash:

3f665626c923f576b7d100470d338463a9b25620

Link:

https://www.unpac.me/results/0fb7bad3-19ca-4bb2-a747-3dbbe70dd7df/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/60e882524f78/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/60e882524f7806297abc258cd01a910542451b468bd5463ac58b34a297b207b0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/369387/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample