MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Stealc


Vendor detections: 14



SHA256 hash: 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb
SHA3-384 hash: 47fa5143ff8082fc07832d103a79a8e44a57c513830862593bc535b302bdad3beaea9c19bc12b0494903b559960a16df
SHA1 hash: 4081f7d0211614df482969ba5af1f29e5ab2bee7
MD5 hash: d8d52a95b809c586afe1bbf5373edfc4
humanhash: johnny-bacon-skylark-fifteen
File name: file
Signature Stealc
File size: 4'598'272 bytes
First seen: 2024-01-05 12:36:03 UTC
Last seen: 2024-02-19 17:06:01 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 78c55915f8ede852a41ddcfd991a23b4 (1 x Stealc, 1 x Tofsee)
ssdeep 98304:0krpkIVlEVn3yUHYqLc4WAzBDCmzMVVCW8RaU5R089E8z:5dTiCIYqLc4WABetVVrER0Alz
Threatray 168 similar samples on MalwareBazaar
TLSH T14426230721BB66F4C08705BC58668C986C51EDB585DD5A04AEC62C0FE2BEB94538F3FE
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter andretavare5
Tags: exe Stealc


andretavare5
Sample downloaded from https://vk.com/doc418490229_670361266?hash=izczlDBz4V0vCHs3XV9nOGwpZPwoQOgnYo1BNPzQwOk&dl=LvVodHBllz3eVHNF8uj7EGyw8udqXtKQhTLgDvwl6IT&api=1&no_preview=1

Intelligence


File Origin
# of uploads :
12
# of downloads :
304
Origin country :
US
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Modifying a system file
DNS request
Replacing files
Sending a custom TCP request
Launching a service
Launching a process
Sending an HTTP GET request
Reading critical registry keys
Creating a file
Sending a UDP request
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Creating a window
Searching for synchronization primitives
Running batch commands
Blocking the Windows Defender launch
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Adding exclusions to Windows Defender
Sending an HTTP GET request to an infection source
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin packed packed privateloader redcap shell32 vmprotect
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Glupteba, SmokeLoader, Stealc, Xmrig
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list (Registry)
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Exclude list of file types from scheduled, custom, and real-time scanning
Found evasive API chain (may stop execution after checking locale)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Protects its processes via BreakOnTermination flag
Sample is not signed and drops a device driver
Sample uses string decryption to hide its real strings
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
Stops critical windows services
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Glupteba
Yara detected SmokeLoader
Yara detected Stealc
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Behavior Graph ID: 1370332 (rendered as an image on the original page; the node data recovered from its text is listed below)
Sample: file.exe, Startdate: 05/01/2024, Architecture: WINDOWS, Score: 100
Root node: contacts host-host-file8.com, host-file-host6.com and 7 other IPs or domains; signatures: Snort IDS alert for network traffic, Multi AV Scanner detection for domain / URL, Found malware configuration, 19 other signatures; starts file.exe, updater.exe, cmd.exe and 9 other processes
  file.exe: contacts 45.15.156.229 (49729, 49738, 80; RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU, Russian Federation), vk.com 87.240.137.164 (443, 49733, 49734; VKONTAKTE-SPB-AShttpvkcomRU, Russian Federation) and 4 other IPs or domains; drops C:\Users\...\nrc5ofTjdVPAqdW9xLk9MXn8.exe (PE32+), C:\Users\...\hbbiVgAGhrrE2QoaVJ8fsu_G.exe (PE32), C:\Users\user\AppData\...\latestbuild[1].exe (PE32), C:\Windows\System32\GroupPolicy\gpt.ini (ASCII); signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process, Drops PE files to the document folder of the user, Disables Windows Defender (deletes autostart), 4 other signatures; starts hbbiVgAGhrrE2QoaVJ8fsu_G.exe and nrc5ofTjdVPAqdW9xLk9MXn8.exe
    hbbiVgAGhrrE2QoaVJ8fsu_G.exe: drops C:\Users\user\AppData\Local\...\toolspub2.exe (PE32), C:\...\e0cbefcb1af40c7d4aff4aca26621a98.exe (PE32), C:\Users\user\AppData\...\InstallSetup8.exe (PE32); starts InstallSetup8.exe, toolspub2.exe and e0cbefcb1af40c7d4aff4aca26621a98.exe
      InstallSetup8.exe: contacts api4.ipify.org 104.237.62.212 (49739, 80; WEBNXUS, United States), 91.92.254.7 (49740, 80; THEZONEBG, Bulgaria) and 2 other IPs or domains; drops C:\Users\user\AppData\Local\...\nsv1DCE.tmp (PE32), C:\Users\user\AppData\Local\Temp\...\Math.dll (PE32), C:\Users\user\AppData\Local\...\INetC.dll (PE32) and 2 other malicious files; signature: Multi AV Scanner detection for dropped file; starts nsv1DCE.tmp and BroomSetup.exe
        nsv1DCE.tmp: contacts 185.172.128.79 (49748, 80; NADYMSS-ASRU, Russian Federation); drops C:\Users\user\AppData\...\softokn3[1].dll (PE32), C:\Users\user\AppData\Local\...\nss3[1].dll (PE32), C:\Users\user\AppData\...\mozglue[1].dll (PE32) and 9 other files (5 malicious); signatures: Multi AV Scanner detection for dropped file, Detected unpacking (changes PE section rights), Detected unpacking (overwrites its own PE header), 5 other signatures
      toolspub2.exe: signatures: Detected unpacking (changes PE section rights), Contains functionality to inject code into remote processes, Injects a PE file into a foreign processes; starts a second toolspub2.exe
        toolspub2.exe (child): signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)), Maps a DLL or memory area into another process, Checks if the current machine is a virtual machine (disk enumeration), Creates a thread in another existing process (thread injection); injects into explorer.exe
          explorer.exe (injected): contacts host-host-file8.com 158.160.130.138 (DNIC-ASBLK-00721-00726US, Venezuela), host-file-host6.com 172.67.172.189 (CLOUDFLARENETUS, United States); drops C:\Users\user\AppData\Roaming\rratare (PE32); signatures: System process connects to network (likely due to code injection or exploit), Benign windows process drops PE files, Suspicious powershell command line found, 3 other signatures; starts cmd.exe, cmd.exe, schtasks.exe and 2 other processes
            cmd.exe: signature: Modifies power options to not sleep / hibernate; starts conhost.exe and 2 other processes
            cmd.exe: starts conhost.exe, sc.exe, sc.exe and 3 other processes
            schtasks.exe: starts conhost.exe
            2 other processes: start conhost.exe (x2)
      e0cbefcb1af40c7d4aff4aca26621a98.exe: signature: Detected unpacking (overwrites its own PE header); starts powershell.exe (which starts conhost.exe), a second e0cbefcb1af40c7d4aff4aca26621a98.exe and WerFault.exe
    nrc5ofTjdVPAqdW9xLk9MXn8.exe: drops C:\Program Files\Google\Chrome\updater.exe (PE32+); signatures: Multi AV Scanner detection for dropped file, Suspicious powershell command line found, Adds a directory exclusion to Windows Defender
  updater.exe: drops C:\Windows\Temp\xtxzguxrhhna.tmp (PE32+), C:\Program Files\Google\Libs\WR64.sys (PE32+); signatures: Suspicious powershell command line found, Protects its processes via BreakOnTermination flag, Injects code into the Windows Explorer (explorer.exe), 5 other signatures
  cmd.exe: signatures: Uses powercfg.exe to modify the power settings, Stops critical windows services, Modifies power options to not sleep / hibernate; starts conhost.exe, sc.exe, sc.exe and 3 other processes
  9 other processes: start conhost.exe (x2) and 6 other processes
Threat name:
Win64.Downloader.PrivateLoader
Status:
Malicious
First seen:
2024-01-04 22:13:47 UTC
File Type:
PE+ (Exe)
Extracted files:
3
AV detection:
17 of 23 (73.91%)
Threat level:
  3/5
Result
Malware family:
Score:
  10/10
Tags:
family:smokeloader family:stealc botnet:up3 backdoor evasion spyware stealer trojan
Behaviour
Creates scheduled task(s)
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Launches sc.exe
Drops file in System32 directory
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Downloads MZ/PE file
Modifies Windows Firewall
Stops running service(s)
SmokeLoader
Stealc
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
http://host-file-host6.com/
http://host-host-file8.com/
http://185.172.128.79
Unpacked files
SHA256 hash:
629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb
MD5 hash:
d8d52a95b809c586afe1bbf5373edfc4
SHA1 hash:
4081f7d0211614df482969ba5af1f29e5ab2bee7
Malware family:
SmokeLoader
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by

Comments