MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6696728008399e456f469a267ee65dc5e5ba68a2b84a1772a458f2ee7e8bdec2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 15

Intelligence 15 IOCs YARA 11 File information Comments 1

SHA256 hash:	6696728008399e456f469a267ee65dc5e5ba68a2b84a1772a458f2ee7e8bdec2
SHA3-384 hash:	dde59622d955d0c0b16b497f6f91b444753ac831c4722849574ab955df7f8874cb9c3f875ef42e73dc7e02376efccb10
SHA1 hash:	bc225eeddc864e254469a59b0dba3e71832ae573
MD5 hash:	009c441c45b9592d9d4f2ac316f44c8f
humanhash:	uranus-muppet-alanine-arkansas
File name:	009c441c45b9592d9d4f2ac316f44c8f
Download:	download sample
Signature	Stealc Create hunting rule
File size:	2'009'600 bytes
First seen:	2024-05-18 21:15:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c8c586524a23d4cd74a160dfb541091f (5 x Stealc)
ssdeep	24576:qH7t22yv9gVw64w1v8QWgW2pNX0fqk27NoFo3t4aO78KLHidAp:q4jv91cV8QC2jiqkumct498KLHi
TLSH	T18C95D023A0A378B2C076CE7988565E9885297D733D14DC492AE41FD8CF7A3D13B26397
TrID	68.7% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58) 27.1% (.EXE) Win32 Executable Borland Delphi 6 (262638/61) 1.4% (.EXE) Win32 Executable Delphi generic (14182/79/4) 1.3% (.SCR) Windows screen saver (13097/50/3) 0.4% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):
dhash icon	3c64ccfcecf8e8ec (17 x Stealc, 3 x Vidar, 1 x ArkeiStealer)
Reporter	zbetcheckin
Tags:	32 exe Stealc

Intelligence

File Origin

# of uploads :

# of downloads :

499

Origin country :

Vendor Threat Intelligence

Malware family:

vidar

ID:

File name:

6696728008399e456f469a267ee65dc5e5ba68a2b84a1772a458f2ee7e8bdec2.exe

Verdict:

Malicious activity

Analysis date:

2024-05-18 21:16:29 UTC

Tags:

telegram stealer vidar stealc

Link:

https://app.any.run/tasks/de17bab9-04a4-4aff-a517-adde0af093f7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.PWS.Steam.37249.23280.10097.UNOFFICIAL

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Сreating synchronization primitives

Creating a window

Searching for synchronization primitives

Creating a file in the %temp% directory

Creating a process from a recently created file

Behavior that indicates a threat

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Running batch commands

Creating a process with a hidden window

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

fingerprint keylogger

Link:

https://www.filescan.io/uploads/66491a98bc04dffa921ffc44/reports/175cc4ff-7375-4f03-a180-50737c7c9bc0/overview

Verdict:

Malicious

Labled as:

Tedy.Generic

Link:

https://www.hybrid-analysis.com/sample/6696728008399e456f469a267ee65dc5e5ba68a2b84a1772a458f2ee7e8bdec2

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Vidar

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/02a116d9-ff8b-47c6-ae11-a447a6c37404

Result

Threat name:

CryptOne, Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1443870

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected CryptOne packer

Yara detected Powershell download and execute

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Score:

94%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/6696728008399e456f469a267ee65dc5e5ba68a2b84a1772a458f2ee7e8bdec2

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6696728008399e456f469a267ee65dc5e5ba68a2b84a1772a458f2ee7e8bdec2/

Threat name:

Win32.Trojan.StealC

Status:

Malicious

First seen:

2024-05-18 21:16:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=m2lhfaaihgpek32gtith5zs5yxs3u2fcxbfbo4veldzo47ul33ba._file

Verdict:

malicious

Result

Malware family:

vidar

Score:

10/10

Tags:

family:stealc family:vidar discovery spyware stealer

Link:

https://tria.ge/reports/240518-z4e53age35/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Downloads MZ/PE file

Detect Vidar Stealer

Stealc

Vidar

Unpacked files

SH256 hash:

9c3b8a8bbc153d92ba32e42ebad2efa844b57486460c68f07e82a33ad75cb14b

MD5 hash:

af178a6212b690cc865875d381080595

SHA1 hash:

7dd9d07992dcf102f8412c31145a7fcd896365f2

Detections:

VidarStealer

win_stealc_a0

INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation

INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

Link:

https://www.unpac.me/results/fb4c5005-c2cb-484a-ac70-9d25d696a8ad/

SH256 hash:

6696728008399e456f469a267ee65dc5e5ba68a2b84a1772a458f2ee7e8bdec2

MD5 hash:

009c441c45b9592d9d4f2ac316f44c8f

SHA1 hash:

bc225eeddc864e254469a59b0dba3e71832ae573

Link:

https://www.unpac.me/results/fb4c5005-c2cb-484a-ac70-9d25d696a8ad/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.16

Link:

https://yomi.yoroi.company/submissions/6696728008399e456f469a267ee65dc5e5ba68a2b84a1772a458f2ee7e8bdec2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	BobSoftMiniDelphiBoBBobSoft Create hunting rule
Author:	malware-lu

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	Check_Dlls Create hunting rule

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	has_telegram_urls Create hunting rule
Author:	Aaron DeVera<aaron@backchannel.re>
Description:	Detects Telegram URLs

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL Create hunting rule
Author:	ditekSHen
Description:	Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Rule name:	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing potential Windows Defender anti-emulation checks

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Windows_Generic_Threat_c374cd85 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

exe 6696728008399e456f469a267ee65dc5e5ba68a2b84a1772a458f2ee7e8bdec2

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2854733/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CloseHandle kernel32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryExA kernel32.dll::LoadLibraryA kernel32.dll::GetSystemInfo kernel32.dll::GetStartupInfoA kernel32.dll::GetDiskFreeSpaceA kernel32.dll::GetCommandLineA
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateFileA kernel32.dll::DeleteFileA kernel32.dll::FindFirstFileA kernel32.dll::GetTempPathA version.dll::GetFileVersionInfoSizeA version.dll::GetFileVersionInfoA
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryValueExA
WIN_USER_API	Performs GUI Actions	user32.dll::ActivateKeyboardLayout user32.dll::CreateMenu user32.dll::FindWindowA user32.dll::PeekMessageA user32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2024-05-18 21:15:09 UTC

url : hxxp://91.202.233.232/o2i3jroi23joj23ikrjokij3oroi.exe