MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61d96a5e2801bd758c772791ad37a990c2c1952598dc3074a51ddf0048744995. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MarsStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 61d96a5e2801bd758c772791ad37a990c2c1952598dc3074a51ddf0048744995
SHA3-384 hash: 46cb9e55f06a8b153d5b1c38748265b0b605deaa58f96946ed2418babbfa16e139edc755f907add9470405abf27cdc50
SHA1 hash: cd773c7d3cd9434dc5c6fd3dc771947052687568
MD5 hash: 6df35d93a39288ecdb77c9b7aeeb480f
humanhash: july-video-princess-may
File name:file
Download: download sample
Signature MarsStealer
Create hunting rule
File size:274'432 bytes
First seen:2023-09-27 14:50:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c979a88e8595d029726dd8a9185ca5bc (3 x Smoke Loader, 1 x RedLineStealer, 1 x Tofsee)
ssdeep 3072:S1iGAF3Yb2eI9aso7CD4ZJajtNwf+5QDhEhSh5JnjokMxNTxGt:6c3Y6UsACD8Ud5Q9NvMxNT4
Threatray 9 similar samples on MalwareBazaar
TLSH T100449F1262A0FCA0F66746328D2DC7E8FE6EF8618E59A7D732186F5F1870162D363711
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000214143313511 (1 x MarsStealer)
Reporter andretavare5
Tags:exe MarsStealer


Avatar
andretavare5
Sample downloaded from http://christopherantonio.top/calc2.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
304
Origin country :
US US
Vendor Threat Intelligence
Malware family:
oski
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-09-27 14:52:32 UTC
Tags:
stealc oski stealer
Link:
https://app.any.run/tasks/3a469218-14e0-4bf8-a1cf-ad88dbf722ee

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/451622/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6514412032ffdb7a7a163a54/reports/1d21138f-35e8-47d5-97c5-8d51217edec6/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/61d96a5e2801bd758c772791ad37a990c2c1952598dc3074a51ddf0048744995
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Oski Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c799deea-f17d-4cd2-a4d6-96fd5daa6047
Result
Threat name:
Stealc, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1315342
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/61d96a5e2801bd758c772791ad37a990c2c1952598dc3074a51ddf0048744995/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-09-27 14:50:11 UTC
File Type:
PE (Exe)
Extracted files:
34
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mhmwuxriag6xlddxe6i22n5jsdbmdfjftdoda5ffdxpqasdujgkq._file
Verdict:
malicious
Similar samples:
09d0c1b8d3b4e342f35326bc754e7a05ac3b31fed0c60a86477a4336554059f4
MarsStealer
576ae20ecf51decbf1e8a5a934975b451f8a11e03766928535a49e70c368175b
MarsStealer
6f4d3d35e9fe47b1bd6bb03386aeab883f4f32c0a9fc4eac5f850b7cdd6e2046
MarsStealer
774a5633a5cf948de71702480044e7466daaaea595d4149c2414cb995b7c3378
MarsStealer
926bb9311b6d628c34e16f770695418656be7158d16b412c5954faa74ff57fbe
MarsStealer
b2aa1408b77d5272d0e9f7250e196124fd2cc5d86f8ef90abe0ec37ea27b41af
MarsStealer
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:stealc discovery spyware stealer
Link:
https://tria.ge/reports/230927-r7k7gscg55/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Stealc
Unpacked files
SH256 hash:
74ff68245745b9d4cec9ef3c539d8da15295bdc70caa6fdb0632acdd9be4130a
MD5 hash:
fc6b79db693ab6a6ae50cef6da6fa8c4
SHA1 hash:
bec0cf443bd539fe5ed28430e025704f06aed3ee
Detections:
stealc
Create hunting rule
Link:
https://www.unpac.me/results/92711a87-b191-4885-95b1-2f6445f8a86d/
Parent samples :
61d96a5e2801bd758c772791ad37a990c2c1952598dc3074a51ddf0048744995
a7ef527f14859669fbebd43ad4c7e11657718f7133fa96bed7928fa6269856de
ba3bd2527dadafee2033200de16019a5840eddbe64e09043652d665edb845480
210f3a67334a82f57a0bc0a074743d76149ce725bb620e496f928604f3572d23
d06304855a1c7ed29c6da4463e738de3d25ab988bd0dce1c14a0f9b08d1178c3
282aa1b81b2c4cbe70b8a71d3c0095902e248c4940456b82f36f078765fc395a
f73d58c494ea7c24b2e625f21b443acc6c40e786e0361cfad4e05ec680e10ef6
6ec6a964cd265c41ad549bb7368af02e763f600f3dc1378bc09ab0c8d9377991
1cfcc5202ffc710a29f76e1f3a61323507e462c0cf7638914342f5bb1b712db4
e420e4f3f4b3f84d95a805f403a8f13d78b20eadfc2bc05e6aa541467eeba4d1
4c438431148954d452f09cc48ba251d105a899d6211dd76d9173c4dea3e9e6b4
78e923c5b1d7bf57df9d512dc21c43546986f9a1537ebd2e6ecc2b49ba080a61
43844da8f4da61f7fe42fa03ed3ff4a7db86300d228d02ba6ede9c6ec34a1f1c
526b89f054032eed966bdcbf4787a162cc2431401c6271125155a5ce4fc350dd
d34c118b34282a2b0aa7f4f9af6870f68da8f9200912ded0617829862dfef0be
4af0042985b8bbc60007268c0ae6f929df7fc1415cc059e400acd6dde22f2e02
dbbce2e0a97721f542dcc8f4acf48e867a9896e47ab1e8fa5ad9ede1caab739a
9becc2796d428b8cf2e834d83093afb6bd897d1fbf6817ddc371e0c1c05ec192
6349697e85a6be18e181d169e03777ec0c39d4da866a049fc5607cb7d536fcaf
421f7e7128482d501fc4c7d44748061d9572f8a1b053bd07cb5fe16e9dcc4428
b33e145fbed8a2aa63bf595a8bdd2c06166ea57a7added593c598ab2c63014a6
b84dca43f767fdbd21c84088690a3027be608c56ae00568e79ce12225a96d28c
c3daecc6cd3ad22110bd6c4126f78b893c1588324530f539877bd5547e102fc9
d383b7317144968474ca5318340e6d0e5c47bb2ed95a0ffeb8228d28b3538ca8
5819adb0b26a73052400d156ad5d93408b4950bfbd353e8b0b40f37d32a4282c
97d844ff52da40be55f368ee5db3ff2fb0e925f2df6a877e56b8269326aeab53
57688af73943e8a11d4e4ebc1fcb3c36391e974d4c8cd1effae9b86dc336eefd
5c04d928dd1c81553faa6aa2302d0ff7a4c777c2ef34d37f48259a6ebe45d4ce
300ef41bc4b1cf667ae43ddb45653060532aa42fac01d510f94a344e4b6f30e2
c3845df0b004780912e12c0cb235b685c47006e67787100326c5f787d4772baf
1b2b3496c6e31461d090506740fe450dce8a8607a3c6dd5a6c6f2488be453564
e943e9d84569b840c891f13825f328f5b7a61df83d5ce464c56b3f8881a40bb1
aee50d82b5d6c5a831a657c80fcd337e4288fc7f1de662b841ec53499d57b625
ff0bbfd33c3d090959b03d01a89022338d9cde31fee401b531a59d95ebfe931b
28b0604f50d81f4ff2a9aa4e7601d84a295624eeabc234993cfcff5ab668280f
be84338d783291ea55b73e6e631666bcfdaf9313b680d90f25e52eb3038a3314
64270e557c83856508c910892d6079b45aa2d2f6a2bde4b7e6d6180d174d90bc
48aa1d4be25d9800400fa2ab7209e5a5593799524b5794cb8d028b02c62ae6ed
547aa3afffb1c692c296484c1d1225abc67a95baa4f5e46da81c5939b6d137e6
f36c198674bf407f576632eec261c78ceacde3532efaba78567e4c8a2850c499
472937fd638157d20a88c109ec4abe4e1dae0a6e5727821fad8515c3aff05656
ab3c710d9fc4e1bbf83b6a6958a90205968c6bfa51d6dd415ede8ff1df0d3ec9
40fcf3ae64c9605131be25fd22e5412e3ce7c45fbf38aa9fb442c414074d3c50
7cdde4d499e3fb8560558be03daef16feb69be0ebfaf717750e91c5c2083e121
108912996290f472cc2f1a1ed14e8ce0ea80b5472253265e330477fc4d5f044d
0d5083d6262b8f5e492b6be274d978415a00457069ae6cf044fc694fa6698515
7cce5c884df446388d64b75b5de17ca1b18034119f5c06f2d0be50cee66d104d
2c0548637fe64d795c9534a51f1a3e192f2d40a4d1b5b9291bb8e4fb82cd42c4
5d5b4d8c173feecb01a31739dcd26dac3a22dc26a0a4922a8e379cd35b7171a1
32df544202aec1a088304f43fa4fa862bc824e896f9e3fc9b078b95b33b2ba2c
f74b703389c8e3cab555593c5c6ce5af160e53d5a3d047c8835c100f6b8c8d89
3102bba137f72b152994850183b472b718017c991a370b663ddb7b51e91afbb9
8d7d234e6c9b34cde0a919971638b860ccdf4aa5fe3c2be7e90754b3c5c9005c
edb2278969b5d26ffe68e461aa7c9873bfcb86823f928a9700a50ef420b92d49
09d8461f2d7a58c2c46dd22ff5027f3a21721c5bd3ed4b10c4c6ba88759cfa80
c97245effb055a3b948c2fb7120a47b944285982e5b46ce927f581df143fc594
4c2c29a4b42e587960cde9634fd11df2273262cc4be06e81dec7afe3695bdeb0
5a0f70593f14df6acea40f144b83b296e91b89e41f8f0037edfa091b51d1ba99
ff7547b91600bb68726a31813f5455bbd2ef232843fab4788d70e0791a3a0968
a0b7af1f1ccfed123c9b3d12f32f077de6c47a42a8662a85a7963b91479e2d41
f87bf84d827a8c598954639c1207c5e721ab5cc6b7a62e5a3c0a57b5a355cfd3
144d095e75069c2f771b0a37583ab6877c58a53199b4b88e22696f2fb08c0254
SH256 hash:
61d96a5e2801bd758c772791ad37a990c2c1952598dc3074a51ddf0048744995
MD5 hash:
6df35d93a39288ecdb77c9b7aeeb480f
SHA1 hash:
cd773c7d3cd9434dc5c6fd3dc771947052687568
Link:
https://www.unpac.me/results/92711a87-b191-4885-95b1-2f6445f8a86d/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/61d96a5e2801/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/61d96a5e2801bd758c772791ad37a990c2c1952598dc3074a51ddf0048744995

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/451622/
  
URLhaus
https://urlhaus.abuse.ch/url/2712591/
  
URLhaus
https://urlhaus.abuse.ch/url/2712461/

Comments