MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64b0d4ff01dc13572b748c0caa19d797aa6841994a90e5643d23dd5c692c0f17. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 14

Intelligence 14 IOCs YARA 7 File information Comments 1

SHA256 hash:	64b0d4ff01dc13572b748c0caa19d797aa6841994a90e5643d23dd5c692c0f17
SHA3-384 hash:	3d83b4d2ae1de61ec17e232c2cc49d6a69c69dcc0e5c893655afca2fa5cd7424c9742ebe27dfe5d70aa031507b02c23f
SHA1 hash:	0b7dfbb9266942356dfecdd0c76c5eb4bb5c0422
MD5 hash:	93b9f5bf918b7e5de262a85214aa8fea
humanhash:	iowa-connecticut-failed-seven
File name:	93b9f5bf918b7e5de262a85214aa8fea
Download:	download sample
Signature	Stealc Create hunting rule
File size:	2'420'096 bytes
First seen:	2023-03-25 00:16:34 UTC
Last seen:	2023-03-25 02:27:43 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	85a54fad2bd6b77afdc3a0e3e1364550 (1 x LaplasClipper, 1 x Stealc)
ssdeep	24576:6122eyR3deGLPN5MaifsiDeMlJvtaBZ8X45FlkhkaSQ8I7IC+jLq38OHD:0h0GLPN5Ma3ebMZ8X45FO6Q8S+jLq3j
Threatray	2 similar samples on MalwareBazaar
TLSH	T1B3B5813E79D66C5AF77BA87F56BEC434A6230A6C5003383359CAA923664F7C02D4F509
TrID	43.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 22.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 9.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.0% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	e8ce736171308ce8 (1 x Stealc)
Reporter	zbetcheckin
Tags:	32 exe Stealc

Intelligence

File Origin

# of uploads :

# of downloads :

365

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

93b9f5bf918b7e5de262a85214aa8fea

Verdict:

Malicious activity

Analysis date:

2023-03-25 00:18:42 UTC

Tags:

loader

Link:

https://app.any.run/tasks/8b30bcf9-9fa3-4cd6-9625-c1e4c2fff771

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Vidar

Link:

https://www.capesandbox.com/analysis/377217/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.65947860.12064.15982.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Launching the default Windows debugger (dwwin.exe)

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/74681/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug anti-vm greyware hacktool installer overlay packed

Link:

https://www.filescan.io/uploads/641e3d7e8f3f4544f6cbe067/reports/c13b07f7-6cf7-420d-a1bb-2029c4de1723/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/64b0d4ff01dc13572b748c0caa19d797aa6841994a90e5643d23dd5c692c0f17

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Stealc

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/614c70b9-9ef8-454f-88ac-53bc3ee80237

Result

Threat name:

Stealc, Vidar

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1201644

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (creates a PE file in dynamic memory)

Found many strings related to Crypto-Wallets (likely being stolen)

Modifies existing user documents (likely ransomware behavior)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Self deletion via cmd or bat file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Yara detected Stealc

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/64b0d4ff01dc13572b748c0caa19d797aa6841994a90e5643d23dd5c692c0f17/

Threat name:

Win32.Spyware.Stealc

Status:

Malicious

First seen:

2023-03-20 02:56:49 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 37 (48.65%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=msynj7yb3qjvok3urqgkugoxs6vgqqmzjkiokzb5epovy2jmb4lq._file

Verdict:

malicious

Stealc

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/230325-ak16raab64/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Unpacked files

SH256 hash:

0cdc207b2a9b28f8b7cbb48f3185afe080a53b5a9bd415887ac1022b39df8324

MD5 hash:

6b516709dd9e922aef15b7064985d68b

SHA1 hash:

3a15d0da09dc3bd4f337e4f8e2bc057a7a5c9133

Detections:

stealc

Link:

https://www.unpac.me/results/949afdba-a7a0-4844-891f-00e079127913/

Parent samples :

64b0d4ff01dc13572b748c0caa19d797aa6841994a90e5643d23dd5c692c0f17
d235538772b86e3ef1e4cd2f00d4b7931c8bc622d29aad39b7e3a6a465a1c669

SH256 hash:

64b0d4ff01dc13572b748c0caa19d797aa6841994a90e5643d23dd5c692c0f17

MD5 hash:

93b9f5bf918b7e5de262a85214aa8fea

SHA1 hash:

0b7dfbb9266942356dfecdd0c76c5eb4bb5c0422

Link:

https://www.unpac.me/results/949afdba-a7a0-4844-891f-00e079127913/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/64b0d4ff01dc/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/64b0d4ff01dc13572b748c0caa19d797aa6841994a90e5643d23dd5c692c0f17

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	infostealer_win_stealc_standalone Create hunting rule
Description:	Find standalone Stealc sample based on decryption routine or characteristic strings
Reference:	https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Rustyloader_mem_loose Create hunting rule
Author:	James_inthe_box
Description:	Corroded buerloader
Reference:	https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24

Rule name:	win_stealc_w0 Create hunting rule
Author:	crep1x
Description:	Find standalone Stealc sample based on decryption routine or characteristic strings
Reference:	https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/