MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 66fbc128c741b0d895e723e7ef1bc7f2a953beda60cbebf55b8f8139926d4849. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 66fbc128c741b0d895e723e7ef1bc7f2a953beda60cbebf55b8f8139926d4849
SHA3-384 hash: ab597fe36bbcabcb413c67b6d032b505e1e27cf9ad8b4c7ca592db819a74e519e4c3451487a1f6853485b71d46facf97
SHA1 hash: 7bd747844eab8ff263b75ace7537c8b7d163e20d
MD5 hash: 9d12c4ebf544f59c5778b070defbe130
humanhash: nevada-lemon-comet-montana
File name:9d12c4ebf544f59c5778b070defbe130
Download: download sample
Signature Stealc
Create hunting rule
File size:505'344 bytes
First seen:2024-10-08 06:56:19 UTC
Last seen:2024-10-08 07:57:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d10af643340e1121562abe3e6bd5b0e1 (14 x Stealc, 13 x LummaStealer, 9 x Vidar)
ssdeep 12288:C/l9sitPVq0+PC7yuotJWyCi3vS9J1LHyh8mr5W5Eeo4S:CsitS4FkJWye9J1sJ5W57p
TLSH T1CAB4F106B68080B2D873163246F4DF756E3DB9704A629E9F17980FBF4F30691D721AA7
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4504/4/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter zbetcheckin
Tags:32 exe Stealc

Intelligence

File Origin
# of uploads :
2
# of downloads :
350
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9d12c4ebf544f59c5778b070defbe130
Verdict:
Malicious activity
Analysis date:
2024-10-08 07:02:11 UTC
Tags:
stealer stealc loader
Link:
https://app.any.run/tasks/7a4b9777-0be5-47d5-b84f-79c91b3f597a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.DownLoader47.43340.20112.31948.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6704d7c1dcb599bb05a4f4a5
Tags:
Stealer
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
epmicrosoft_visual_cc fingerprint microsoft_visual_cc packed stealc
Link:
https://www.filescan.io/uploads/6704d7bf468423dc9d8ecfbe/reports/40a4f71f-bda5-452c-8e5e-d3837791681b/overview
Verdict:
Malicious
Labled as:
Mikey.Generic
Link:
https://www.hybrid-analysis.com/sample/66fbc128c741b0d895e723e7ef1bc7f2a953beda60cbebf55b8f8139926d4849
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6eec06f0-68fd-4856-b029-2f8ef5301560
Result
Threat name:
LummaC, Stealc, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1528677
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Sigma detected: Silenttrinity Stager Msbuild Activity
Suricata IDS alerts for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1528677 Sample: 20fUAMt5dL.exe Startdate: 08/10/2024 Architecture: WINDOWS Score: 100 42 wickedneatr.sbs 2->42 44 nsdm.cumpar-auto-orice-tip.ro 2->44 46 8 other IPs or domains 2->46 54 Multi AV Scanner detection for domain / URL 2->54 56 Suricata IDS alerts for network traffic 2->56 58 Found malware configuration 2->58 60 16 other signatures 2->60 10 20fUAMt5dL.exe 1 2->10         started        signatures3 process4 signatures5 70 Writes to foreign memory regions 10->70 72 Allocates memory in foreign processes 10->72 74 Injects a PE file into a foreign processes 10->74 13 MSBuild.exe 37 10->13         started        18 WerFault.exe 22 16 10->18         started        process6 dnsIp7 50 nsdm.cumpar-auto-orice-tip.ro 147.45.44.104, 49753, 80 FREE-NET-ASFREEnetEU Russian Federation 13->50 52 46.8.231.109, 49710, 80 FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics Russian Federation 13->52 32 C:\Users\user\AppData\...\softokn3[1].dll, PE32 13->32 dropped 34 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 13->34 dropped 36 C:\Users\user\AppData\...\mozglue[1].dll, PE32 13->36 dropped 40 11 other files (7 malicious) 13->40 dropped 76 Tries to steal Mail credentials (via file / registry access) 13->76 78 Tries to harvest and steal ftp login credentials 13->78 80 Tries to harvest and steal browser information (history, passwords, etc) 13->80 82 4 other signatures 13->82 20 cmd.exe 1 13->20         started        38 C:\ProgramData\Microsoft\...\Report.wer, Unicode 18->38 dropped file8 signatures9 process10 process11 22 userIEBFHCAKFB.exe 1 20->22         started        25 conhost.exe 20->25         started        signatures12 62 Antivirus detection for dropped file 22->62 64 Machine Learning detection for dropped file 22->64 66 Writes to foreign memory regions 22->66 68 2 other signatures 22->68 27 MSBuild.exe 22->27         started        30 WerFault.exe 21 16 22->30         started        process13 dnsIp14 48 steamcommunity.com 104.102.49.254, 443, 49770 AKAMAI-ASUS United States 27->48
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/66fbc128c741b0d895e723e7ef1bc7f2a953beda60cbebf55b8f8139926d4849
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/66fbc128c741b0d895e723e7ef1bc7f2a953beda60cbebf55b8f8139926d4849/
Threat name:
Win32.Spyware.Marsstealer
Create hunting rule
Status:
Malicious
First seen:
2024-10-08 06:57:05 UTC
File Type:
PE (Exe)
AV detection:
28 of 38 (73.68%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m354ckghigynrfphept66g6h6kuvhpw2mdf6x5k3r6attetnjbeq._file
Verdict:
malicious
Label(s):
stealc
Create hunting rule
Similar samples:
error
Stealc
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:lumma family:stealc botnet:default credential_access discovery spyware stealer
Link:
https://tria.ge/reports/241008-hqyxkstgrn/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Executes dropped EXE
Loads dropped DLL
Unsecured Credentials: Credentials In Files
Downloads MZ/PE file
Lumma Stealer, LummaC
Stealc
Malware Config
C2 Extraction:
http://46.8.231.109
Verdict:
Malicious
Tags:
stealc
YARA:
n/a
Link:
https://app.threat.zone/submission/c8a9fd8d-39b3-4398-b71e-b1947a293048
Unpacked files
SH256 hash:
29e7e1c1e1a7e5f26f6961d8036cdd04ee4557dec0a7dcadcd8e7651f5e53f43
MD5 hash:
2ec23e83e2f63ab27c25741b1f4d7f49
SHA1 hash:
bb231b274bd66393fa830a44e6d4447d4399eeb9
Link:
https://www.unpac.me/results/ce4f9bdb-1412-4aac-89e8-6136decaf054/
SH256 hash:
06f3daaedaefb6f74a31b3cfaec23e4290c50609c8cdacb33bd363e5fa0834ef
MD5 hash:
400efa3a374f435132c5eb4a7f809a95
SHA1 hash:
f72efa14ace9db4b6b7f77b7c8bac34a112bf521
Detections:
stealc
Create hunting rule
Link:
https://www.unpac.me/results/ce4f9bdb-1412-4aac-89e8-6136decaf054/
Parent samples :
2b8bcd9d7d072feb114e0436dc10aa80fda52cdd46a4948ea1ae984f74898375
2280a0c18708cb5fd0e093e2f42350e3afb8f3ca31fd3279fc797a6c535532ef
bb28bb63ed34a3b4f97a0a26bda8a7a7c60f961010c795007edc52576b89e4d3
c5a07fdd3ce7bee393285bef38dd7bc96386c33cba401d06187d0a10d479de6c
fb4298dbc61eb3ace5aa751f29a4b53bb20959fb39bde91095e1d18103149e18
2d63ff4e2c1bde1601315d12ea75a52c90b7e203f8a8e6140ab1da2e0d8a9554
1dc17bd6367dafd965adb0a12819f7efd6d5bc61585feceee69f6a09e4d1fc32
98a63017e0d5084ced9459e819a9586691062b1bbe5f2622069df90112201329
53f74c71c625da6b7ff77c3a61aad3be0ff4a7199ee447c57c0d12dbbfaccf32
20175d2f268bff73e352a5a5b85d987b8a5958311b1032251f7341def5396f4b
48fc88b91467d7f8781721313f69f8299e128ca190a95ff790d6ac23bd9a98d5
7ffc2e99e06f93704ab32bd39627ee66d1f114b89c45463eeb198af72de0613d
33ec381cf58df623bc6b3879a5aea2914034d42b885a2c61aaf10f6c2ab8cae4
3bc752d2803f660c3216bcfa6fcd3cfb03b21b8753d4bec32f4e679af854028a
9714d301c8b96c7263dea4a36ddbdf74896d31f648d2836fa2d2642dccca17e8
33105a1685207694a3de20a03c82524fe8cd7f0f19fa85ba5d88d6b4d8457660
08fc29d1bcd3c1c9145a6cf9087ce892217c2d0312410d916dd8aa748a0479c6
33b0a6c0a93c8739f0a9de40a727c7d5dba9c9a0e6ffe65c7d3173082be2a73f
22595bd9120d6fad0bd0e8caf9700fe6ab5f2805c8903681baddb1bab83819c5
fde872c02c049b7b02d8dfa2d694fba47b8d300001c6cf0ec83f11634a7256dd
0cfea23100355dbb358f9355abe9acc2c93042e29027c9f547fab0c0084d6d63
66fbc128c741b0d895e723e7ef1bc7f2a953beda60cbebf55b8f8139926d4849
ddf3c590d0cd0bf3f871c5baa3a84e14428cecf3a929fd2c40d483e3252d45ff
54c87130b16079039f3b1e1f406a794669ef4f66f3d26ebde713491e03a1ee08
7ad4282eca5f0d0ed47402d9c012b95623f114353cfd5f09aaf0aab343f8a8d7
441fa698045cf117642df2b3cb38a7729e3c96f8d807dcb60a89ee355dbfaffd
SH256 hash:
66fbc128c741b0d895e723e7ef1bc7f2a953beda60cbebf55b8f8139926d4849
MD5 hash:
9d12c4ebf544f59c5778b070defbe130
SHA1 hash:
7bd747844eab8ff263b75ace7537c8b7d163e20d
Link:
https://www.unpac.me/results/ce4f9bdb-1412-4aac-89e8-6136decaf054/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/66fbc128c741b0d895e723e7ef1bc7f2a953beda60cbebf55b8f8139926d4849

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe 66fbc128c741b0d895e723e7ef1bc7f2a953beda60cbebf55b8f8139926d4849

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3210252/
  
URLhaus
https://urlhaus.abuse.ch/url/3212523/
  
URLhaus
https://urlhaus.abuse.ch/url/3216297/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AttachConsole
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW

Comments


Avatar
zbet commented on 2024-10-08 06:56:20 UTC

url : hxxp://proxy.amazonscouts.com/ldms/f2e7fcb20146.exe