MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 617cff41739c1dd2d685c1b6f2d9c4bb56a96788a5127684896a28855fff1abc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 16

Intelligence 16 IOCs YARA 12 File information Comments

SHA256 hash:	617cff41739c1dd2d685c1b6f2d9c4bb56a96788a5127684896a28855fff1abc
SHA3-384 hash:	1aab3d8df7135ca3e8e95a65fee55cc4cc399845689e9729a5ae18f9a717fabf1fb475a60b4c3cc9b700fec4bc54d3f1
SHA1 hash:	772999c112054ce18acdbec98d86c670791214c2
MD5 hash:	50275f63091d7094b9e2dd71df287323
humanhash:	march-kentucky-golf-fix
File name:	a3608a51db9df14c42f8c6e37ac49969de70b4be0862d82b5823c00aed395f9d_dump.exe
Download:	download sample
Signature	Stealc Create hunting rule
File size:	212'480 bytes
First seen:	2024-06-08 00:20:01 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a34c7216d6536a950566187b3d5a3285 (3 x Stealc, 2 x Vidar)
ssdeep	3072:WqaddXw+Se8qGLLFiYP0ZLB826Fpw1YTxfJUzvFgWyGRt:9adRw+SxiYPyBKY1YTJiOYt
TLSH	T198245B303554883AF5321670EBDC72BDC5BAEAB525321C1BB3660F3819606B29529F7F
TrID	36.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 23.5% (.EXE) Win64 Executable (generic) (10523/12/4) 11.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 10.0% (.EXE) Win32 Executable (generic) (4504/4/1) 4.6% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	ukycircle
Tags:	exe Stealc

Intelligence

File Origin

# of uploads :

# of downloads :

384

Origin country :

Vendor Threat Intelligence

Malware family:

vidar

ID:

File name:

617cff41739c1dd2d685c1b6f2d9c4bb56a96788a5127684896a28855fff1abc.exe

Verdict:

Malicious activity

Analysis date:

2024-06-08 00:22:26 UTC

Tags:

telegram stealer vidar stealc

Link:

https://app.any.run/tasks/69fc10ce-135a-4c15-a688-642b39360f1a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Malware.Trojanx-10020177-0

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Running batch commands

Creating a process with a hidden window

Launching a process

Connection attempt to an infection source

Sending a TCP request to an infection source

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-vm crypto lolbin microsoft_visual_cc shell32 stealer

Link:

https://www.filescan.io/uploads/6663a3b46b8dba248b3e3726/reports/9db958d2-969e-4e97-8ea2-e16c5fa1da2f/overview

Verdict:

Malicious

Labled as:

Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/617cff41739c1dd2d685c1b6f2d9c4bb56a96788a5127684896a28855fff1abc

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Vidar

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e4e7e330-7ee1-4fbc-bd14-52d1dc187ca7

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1453955

Signature

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Searches for specific processes (likely to inject)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected AntiVM3

Yara detected Powershell download and execute

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/617cff41739c1dd2d685c1b6f2d9c4bb56a96788a5127684896a28855fff1abc

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/617cff41739c1dd2d685c1b6f2d9c4bb56a96788a5127684896a28855fff1abc/

Threat name:

Win32.Infostealer.Multiverze

Status:

Malicious

First seen:

2024-06-08 00:21:04 UTC

File Type:

PE (Exe)

AV detection:

26 of 38 (68.42%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mf6p6qlttqo5fvufyg3pfwoexnlksz4iuujhnbejniuikx77dk6a._file

Verdict:

malicious

Result

Malware family:

vidar

Score:

10/10

Tags:

family:stealc family:vidar discovery spyware stealer

Link:

https://tria.ge/reports/240608-amrebsfd45/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Downloads MZ/PE file

Malware Config

C2 Extraction:

https://t.me/r8z0l
https://steamcommunity.com/profiles/76561199698764354

Unpacked files

SH256 hash:

617cff41739c1dd2d685c1b6f2d9c4bb56a96788a5127684896a28855fff1abc

MD5 hash:

50275f63091d7094b9e2dd71df287323

SHA1 hash:

772999c112054ce18acdbec98d86c670791214c2

Detections:

VidarStealer

win_stealc_a0

INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation

INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

Link:

https://www.unpac.me/results/f221a471-9f34-4636-acbe-947e9362ee97/

Parent samples :

220fe23a30228c363d816fb619345ab1ce40dd67541ec6b17083a45c67cc4a9b
410845b99861fdc39fbe003a3cd469fb4e4cec2f50b59c7697d4834b7fb9c4d8
a3608a51db9df14c42f8c6e37ac49969de70b4be0862d82b5823c00aed395f9d
617cff41739c1dd2d685c1b6f2d9c4bb56a96788a5127684896a28855fff1abc
2b2fc854e5f12ad01f3e39ec3aafa9ff9338907f393a4b5f27702dc458d32d93
56ad460c63c005e8049142132ffa08c7c30f2fe9dbd24c60ff746c2e61138495

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/617cff41739c1dd2d685c1b6f2d9c4bb56a96788a5127684896a28855fff1abc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_Dlls Create hunting rule

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	EXE_Vidar_May_2024 Create hunting rule
Author:	NDA0E
Description:	Detects Vidar payload

Rule name:	has_telegram_urls Create hunting rule
Author:	Aaron DeVera<aaron@backchannel.re>
Description:	Detects Telegram URLs

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL Create hunting rule
Author:	ditekSHen
Description:	Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Rule name:	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing potential Windows Defender anti-emulation checks

Rule name:	Stealc_unpacked_PulseIntel Create hunting rule
Author:	PulseIntel
Description:	Stealc Payload

Rule name:	Telegram_Links Create hunting rule

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Vidar_unpacked_PulseIntel Create hunting rule
Author:	PulseIntel
Description:	Vidar Payload

Rule name:	Windows_Generic_Threat_c374cd85 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance ole32.dll::CoInitializeSecurity
SHELL_API	Manipulates System Shell	SHELL32.dll::SHFileOperationA
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::OpenProcess KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryA KERNEL32.dll::GetDriveTypeA
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateDirectoryA
WIN_BASE_USER_API	Retrieves Account Information	KERNEL32.dll::GetComputerNameA ADVAPI32.dll::GetUserNameA
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegGetValueA ADVAPI32.dll::RegOpenKeyExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample