MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 621533611563869b9418b2b7672c49e40e8087447ac58a72666df78cfd03acbb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 621533611563869b9418b2b7672c49e40e8087447ac58a72666df78cfd03acbb
SHA3-384 hash: 28bdc63f050c0a75898e7de9717dac4c618ccfa2abbcc91dff1f4466fb35f1570f4bac7d5a465ed30d246ebea5fc43e1
SHA1 hash: 9bc4e5402027dd78e74378e4e2e0565765fbb2c1
MD5 hash: ae9d1a7fda26b4af1dd0cbe643195a42
humanhash: foxtrot-kansas-artist-network
File name:file
Download: download sample
Signature Stealc
Create hunting rule
File size:1'800'192 bytes
First seen:2024-11-24 16:01:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:jQSUFSZwcbVBaRmjHsHZbMdVEQIPSTEfjlIVUj63TbzWNd:jbvaRHHRMdVDIKOCAwTwd
TLSH T19B8533D18DB19446F51582B7996274A32099CD3C9DB378C1A09B7AEC7FFB38C284E835
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter Bitsight
Tags:exe Stealc


Avatar
Bitsight
url: http://185.215.113.16/steam/random.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
408
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-11-24 16:04:51 UTC
Tags:
stealer stealc
Link:
https://app.any.run/tasks/c9db007f-3a92-4691-9cff-1142c92fc6b1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.258.27341.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67434e00b31374f098340d7a
Tags:
autorun autoit spam lien
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Running batch commands
Creating a process with a hidden window
Launching a process
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/67434e005798a7dfe82b7dae/reports/fac79d99-079b-43c4-ae98-dd3e34a7b1f3/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/621533611563869b9418b2b7672c49e40e8087447ac58a72666df78cfd03acbb
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/a7cd85bc-48d3-48df-b0cf-26d1949581bf
Result
Threat name:
PureCrypter, Amadey, Credential Flusher,
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1561893
Signature
Antivirus / Scanner detection for submitted sample
Attempt to bypass Chrome Application-Bound Encryption
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Detected PureCrypter Trojan
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected Cryptbot
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1561893 Sample: file.exe Startdate: 24/11/2024 Architecture: WINDOWS Score: 100 110 youtube.com 2->110 112 shed.dual-low.s-part-0035.t-0009.t-msedge.net 2->112 114 12 other IPs or domains 2->114 148 Suricata IDS alerts for network traffic 2->148 150 Found malware configuration 2->150 152 Antivirus / Scanner detection for submitted sample 2->152 154 13 other signatures 2->154 12 file.exe 37 2->12         started        17 020c4af6a8.exe 2->17         started        19 skotes.exe 2->19         started        21 4 other processes 2->21 signatures3 process4 dnsIp5 122 185.215.113.16 WHOLESALECONNECTIONSNL Portugal 12->122 124 185.215.113.206, 49704, 49726, 49764 WHOLESALECONNECTIONSNL Portugal 12->124 126 3 other IPs or domains 12->126 98 C:\Users\user\DocumentsJECGIIIDAK.exe, PE32 12->98 dropped 100 C:\Users\user\AppData\...\softokn3[1].dll, PE32 12->100 dropped 102 C:\Users\user\AppData\Local\...\random[1].exe, PE32 12->102 dropped 104 11 other files (3 malicious) 12->104 dropped 198 Detected unpacking (changes PE section rights) 12->198 200 Attempt to bypass Chrome Application-Bound Encryption 12->200 202 Drops PE files to the document folder of the user 12->202 216 7 other signatures 12->216 23 cmd.exe 12->23         started        25 msedge.exe 2 10 12->25         started        28 chrome.exe 8 12->28         started        204 Query firmware table information (likely to detect VMs) 17->204 206 Tries to harvest and steal ftp login credentials 17->206 208 Tries to harvest and steal browser information (history, passwords, etc) 17->208 210 Hides threads from debuggers 19->210 212 Tries to detect sandboxes / dynamic malware analysis system (registry check) 19->212 214 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 19->214 31 msedge.exe 21->31         started        34 firefox.exe 21->34         started        36 msedge.exe 21->36         started        38 3 other processes 21->38 file6 signatures7 process8 dnsIp9 40 DocumentsJECGIIIDAK.exe 23->40         started        44 conhost.exe 23->44         started        156 Monitors registry run keys for changes 25->156 46 msedge.exe 25->46         started        128 192.168.2.5, 443, 49703, 49704 unknown unknown 28->128 130 239.255.255.250 unknown Reserved 28->130 48 chrome.exe 28->48         started        132 104.208.16.89, 443, 49850 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 31->132 134 13.107.246.40, 443, 49832, 49833 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 31->134 138 25 other IPs or domains 31->138 106 C:\Users\user\AppData\Local\...\Cookies, SQLite 31->106 dropped 140 5 other IPs or domains 34->140 51 firefox.exe 34->51         started        53 firefox.exe 34->53         started        136 ntp.msn.com 36->136 file10 signatures11 process12 dnsIp13 88 C:\Users\user\AppData\Local\...\skotes.exe, PE32 40->88 dropped 158 Detected unpacking (changes PE section rights) 40->158 160 Tries to evade debugger and weak emulator (self modifying code) 40->160 162 Tries to detect virtualization through RDTSC time measurements 40->162 164 3 other signatures 40->164 55 skotes.exe 40->55         started        108 142.250.181.100, 443, 49708, 49709 GOOGLEUS United States 48->108 file14 signatures15 process16 dnsIp17 116 185.215.113.43 WHOLESALECONNECTIONSNL Portugal 55->116 118 31.41.244.11 AEROEXPRESS-ASRU Russian Federation 55->118 120 2 other IPs or domains 55->120 90 C:\Users\user\AppData\...\7955363287.exe, PE32 55->90 dropped 92 C:\Users\user\AppData\...\8d9d729d82.exe, PE32 55->92 dropped 94 C:\Users\user\AppData\...\442fea56af.exe, PE32 55->94 dropped 96 7 other malicious files 55->96 dropped 166 Detected unpacking (changes PE section rights) 55->166 168 Creates multiple autostart registry keys 55->168 170 Tries to evade debugger and weak emulator (self modifying code) 55->170 172 3 other signatures 55->172 60 7955363287.exe 55->60         started        63 020c4af6a8.exe 55->63         started        66 442fea56af.exe 55->66         started        68 2 other processes 55->68 file18 signatures19 process20 dnsIp21 174 Multi AV Scanner detection for dropped file 60->174 176 Detected unpacking (changes PE section rights) 60->176 178 Tries to detect sandboxes and other dynamic analysis tools (window names) 60->178 196 4 other signatures 60->196 142 property-imper.sbs 172.67.162.84 CLOUDFLARENETUS United States 63->142 180 Query firmware table information (likely to detect VMs) 63->180 182 Tries to evade debugger and weak emulator (self modifying code) 63->182 184 Tries to steal Crypto Currency Wallets 63->184 186 Detected PureCrypter Trojan 63->186 188 Hides threads from debuggers 66->188 190 Tries to detect sandboxes / dynamic malware analysis system (registry check) 66->190 192 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 66->192 144 fvtekk5pn.top 34.116.198.130 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 68->144 146 home.fvtekk5pn.top 68->146 194 Binary is likely a compiled AutoIt script file 68->194 70 taskkill.exe 68->70         started        72 taskkill.exe 68->72         started        74 taskkill.exe 68->74         started        76 3 other processes 68->76 signatures22 process23 process24 78 conhost.exe 70->78         started        80 conhost.exe 72->80         started        82 conhost.exe 74->82         started        84 conhost.exe 76->84         started        86 conhost.exe 76->86         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/621533611563869b9418b2b7672c49e40e8087447ac58a72666df78cfd03acbb/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2024-11-24 16:02:07 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
15 of 38 (39.47%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=miktgyivmodjxfaywk3wolcj4qhibb2eplcyu4tgnx3yz7idvs5q._file
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:stealc botnet:mars discovery evasion stealer
Link:
https://tria.ge/reports/241124-tgr88axkfv/
Behaviour
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Stealc
Stealc family
Malware Config
C2 Extraction:
http://185.215.113.206
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2079ff6f-909e-4e4a-8ef2-3f72408bd2ce
Unpacked files
SH256 hash:
f116614ef0c715e816d6d59f042e65b566c4c392606dbfd290adcb51670ee2ef
MD5 hash:
46f457887ab08d17c970bc0e21a3381d
SHA1 hash:
61c63a2b1c4e478741d83dd0cd490e08daabb2c0
Detections:
win_stealc_w0
Create hunting rule
win_stealc_a0
Create hunting rule
Link:
https://www.unpac.me/results/a8b95eda-0dea-4687-a784-7cfdb88615e8/
SH256 hash:
621533611563869b9418b2b7672c49e40e8087447ac58a72666df78cfd03acbb
MD5 hash:
ae9d1a7fda26b4af1dd0cbe643195a42
SHA1 hash:
9bc4e5402027dd78e74378e4e2e0565765fbb2c1
Link:
https://www.unpac.me/results/a8b95eda-0dea-4687-a784-7cfdb88615e8/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/621533611563/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/621533611563869b9418b2b7672c49e40e8087447ac58a72666df78cfd03acbb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe 621533611563869b9418b2b7672c49e40e8087447ac58a72666df78cfd03acbb

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3079150/
  
URLhaus
https://urlhaus.abuse.ch/url/3284801/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments