MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 686a9348e5412fe8d386b0e44723d8b7b538399e001741a628babf64d15d6a62. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc
Vendor detections: 13

SHA256 hash: 686a9348e5412fe8d386b0e44723d8b7b538399e001741a628babf64d15d6a62
SHA3-384 hash: fda3b3a5e519ff2de131f58ebbb6ecfe1fce3c3b787d9cc6b80f4589aad0e7a079017e79e3bc9bd0d39c62d9a83e9186
SHA1 hash: 57fcfc58dd8202bfb003452b2f1486379ed849bd
MD5 hash: 6cce6f314812fbba52834b1084341c3e
humanhash: robert-artist-ten-sodium
File name: file
Signature: Stealc
File size: 2'294'136 bytes
First seen: 2023-12-06 18:27:14 UTC
Last seen: 2023-12-06 23:50:21 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger). This is the generic imphash of a .NET executable, whose only native import is mscoree!_CorExeMain; it identifies the runtime rather than a family, which is why it collides with tens of thousands of unrelated .NET stealers and is not a useful pivot for this sample.
ssdeep: 49152:0sjjg/C31pD//TM+j4uFEWnDEYTC77KommOtWdSXt8Gjq:bEm1pD//IcbF/nDLTCHKomXyOFe
TLSH: T1D3B5123C05AEC622EFAB427598B141CDBBD428515510DDFFA891F2AF4B327C97942CCA
TrID:
  27.3% (.SCR) Windows screen saver (13097/50/3)
  22.0% (.EXE) Win64 Executable (generic) (10523/12/4)
  13.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  10.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
  9.4% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: andretavare5
Tags: exe signed Stealc

Code Signing Certificate

Organisation: Installrox inc
Issuer: Installrox inc
Algorithm: sha256WithRSAEncryption
Valid from: 2023-12-06T17:44:32Z
Valid to: 2024-12-06T17:44:32Z
Serial number: dfee7e7ba8a40e1bc3ed4012e7fce0c6
Thumbprint Algorithm: SHA256
Thumbprint: 5b84efeb6f75f52198cae39c9c509fa0a9715f4064a25a8c48438a7801ef118a
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Note that the issuer is the same organisation as the subject, i.e. the certificate is self-signed and does not chain to a trusted root, and its validity window opens about 43 minutes before the sample was first seen. The "signed" tag therefore says nothing about publisher identity; it only records that a signature blob is present.
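The checks an analyst would run over the certificate fields above before reading the "signed" tag as meaningful, as an added example that is not MalwareBazaar's or ReversingLabs' code. The field values are the ones listed on this page; the one-day "freshness" window is an assumption chosen for illustration, and an empty result does not mean the signature is trusted, which only a full Authenticode verification (signtool verify, Get-AuthenticodeSignature) can establish.

```python
"""Heuristics over the code-signing fields MalwareBazaar lists for a sample.

Added example, not MalwareBazaar's or ReversingLabs' code. The CERT values
are copied from the entry above; the one-day freshness window is assumed.
"""
from datetime import datetime, timedelta, timezone

# Certificate fields as shown in the "Code Signing Certificate" block.
CERT = {
    "organisation": "Installrox inc",
    "issuer": "Installrox inc",
    "algorithm": "sha256WithRSAEncryption",
    "valid_from": "2023-12-06T17:44:32Z",
    "valid_to": "2024-12-06T17:44:32Z",
    "serial": "dfee7e7ba8a40e1bc3ed4012e7fce0c6",
}
FIRST_SEEN = "2023-12-06 18:27:14 UTC"   # from the entry header


def parse_utc(value: str) -> datetime:
    """Parse the two timestamp layouts the page uses into aware UTC datetimes."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d %H:%M:%S UTC"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {value!r}")


def cert_findings(cert: dict, first_seen: str,
                  fresh_window: timedelta = timedelta(days=1)) -> list[str]:
    """Return the reasons a 'signed' tag should not be read as 'trusted'.

    An empty list only means none of the heuristics fired; it is not a
    statement that the signature chains to a trusted root.
    """
    findings = []
    # Self-signed: subject and issuer are the same entity, so there is no
    # third party vouching for the publisher name at all.
    if cert["issuer"].strip().lower() == cert["organisation"].strip().lower():
        findings.append("self-signed: issuer equals subject, so there is no "
                        "chain to a trusted root")
    not_before = parse_utc(cert["valid_from"])
    not_after = parse_utc(cert["valid_to"])
    seen = parse_utc(first_seen)
    if not (not_before <= seen <= not_after):
        findings.append("sample first seen outside the certificate validity "
                        "window (clock or backdating anomaly)")
    elif seen - not_before <= fresh_window:
        # A certificate minted minutes before the first upload is typical of
        # throwaway signing keys generated per campaign.
        findings.append(f"certificate issued only {seen - not_before} before "
                        "the sample was first seen")
    return findings


if __name__ == "__main__":
    for line in cert_findings(CERT, FIRST_SEEN):
        print("-", line)
```

For this entry the function reports the self-signed issuer and a certificate minted 0:42:42 before first submission; a certificate from a public CA issued months earlier would produce no findings from these heuristics, which is why they are a filter before verification rather than a substitute for it.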


Comment by andretavare5:
Sample downloaded from http://15.204.49.148/files/Installsetup2.exe

Intelligence


File Origin
# of uploads: 12
# of downloads: 363
Origin country: US

Vendor Threat Intelligence
Result
Verdict:
Malware
Behaviour
Creating a window
Creating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Creating a process from a recently created file
Creating a file in the %temp% directory
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Launching the default Windows debugger (dwwin.exe)
Blocking the User Account Control
Forced shutdown of a system process
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
explorer lolbin overlay packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Glupteba, RHADAMANTHYS, Stealc
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables UAC (registry)
Drops script or batch files to the startup folder
Found malware configuration
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses cmd line tools excessively to alter registry or file data
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected RHADAMANTHYS Stealer
Yara detected Stealc
Behaviour
Behavior Graph (ID 1354861; sample: file.exe; start date: 06/12/2023; architecture: WINDOWS; score: 100)

Root-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 17 other signatures

Process tree (indented by parent; contacted IPs, dropped files and signatures are listed under the process the sandbox attributed them to):

file.exe
  signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Adds extensions / path to Windows Defender exclusion list (Registry); 3 other signatures
  CasPol.exe
    network: 194.104.136.64 (SMEERBOEL-ASSMEERBOELBVNL, Netherlands); 5.42.65.57 (RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU, Russian Federation); 12 other IPs or domains
    dropped: C:\Users\...\zU8Y2qwNPnsVZGYlPRk4VVy1.exe (PE32); C:\Users\...\zNu0eP11RwJpOyqQskRNYnIZ.exe (PE32); C:\Users\...\wgFDptajexs3jFcXEwUPv80Y.exe (PE32); 141 other malicious files
    signatures: Drops script or batch files to the startup folder; Creates HTML files with .exe extension (expired dropper behavior); Writes many files with high entropy
    t8bMFW1oE6RuIRtBL3NrqtDh.exe
      network: 107.167.110.216 (OPERASOFTWAREUS, United States); 107.167.110.218 (OPERASOFTWAREUS, United States); 6 other IPs or domains
      dropped: 7 other malicious files
      signatures: Writes many files with high entropy
      t8bMFW1oE6RuIRtBL3NrqtDh.exe
        dropped: Opera_installer_2312061829083942172.dll (PE32); C:\Users\user\AppData\...\win8_importing.dll (PE32+); C:\Users\user\...\win10_share_handler.dll (PE32+); 21 other malicious files
        t8bMFW1oE6RuIRtBL3NrqtDh.exe
          dropped: Opera_installer_2312061829087657192.dll (PE32)
      t8bMFW1oE6RuIRtBL3NrqtDh.exe
        dropped: Opera_installer_2312061829071221224.dll (PE32)
      t8bMFW1oE6RuIRtBL3NrqtDh.exe
        dropped: Opera_installer_2312061829077264424.dll (PE32)
    adkpgSnXJhnYlxmkMzyWgeyz.exe
      network: 104.237.62.212 (WEBNXUS, United States); 91.92.254.7 (THEZONEBG, Bulgaria); 5.42.64.35 (RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU, Russian Federation)
      dropped: C:\Users\user\AppData\Local\...\INetC.dll (PE32); C:\Users\user\AppData\...\nsfD37E.tmp.exe (PE32); 2 other malicious files
      nsfD37E.tmp.exe
        network: 77.91.76.36 (FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU, Russian Federation)
        dropped: C:\Users\user\AppData\...\softokn3[1].dll (PE32); 11 other files (7 malicious)
        signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to steal Mail credentials (via file / registry access); 2 other signatures
      Broom.exe
        signatures: Multi AV Scanner detection for dropped file
    IOQuSgrwMbMfsQAwTjp3cv9b.exe
      dropped: 2 other malicious files
      Install.exe
        dropped: C:\Users\user\AppData\Local\...\Install.exe (PE32)
        Install.exe
          dropped: C:\Users\user\AppData\Local\...\oclLsOl.exe (PE32); C:\Windows\System32\GroupPolicy\gpt.ini (ASCII)
          signatures: Uses cmd line tools excessively to alter registry or file data; Modifies Windows Defender protection settings; Adds extensions / path to Windows Defender exclusion list; Modifies Group Policy settings
          forfiles.exe
            signatures: Modifies Windows Defender protection settings; Adds extensions / path to Windows Defender exclusion list
            cmd.exe
              signatures: Uses cmd line tools excessively to alter registry or file data
              reg.exe
                signatures: Adds extensions / path to Windows Defender exclusion list (Registry)
              reg.exe
            conhost.exe
          forfiles.exe
            cmd.exe
              reg.exe
              reg.exe
            conhost.exe
    6 other processes
      dropped: C:\Users\user\AppData\Local\...\INetC.dll (PE32); C:\Users\user\AppData\...\nsgFBB7.tmp.exe (PE32); Opera_installer_2312061829185758132.dll (PE32); 4 other malicious files
      signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Found Tor onion address; 5 other signatures
      powershell.exe
        conhost.exe
      AppLaunch.exe
      3 other processes
  dialer.exe
    network: 193.233.132.5 (FREE-NET-ASFREEnetEU, Russian Federation)
    signatures: Adds extensions / path to Windows Defender exclusion list
  powershell.exe
    conhost.exe
  2 other processes
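The behaviour graph ends in Install.exe spawning forfiles.exe, which spawns cmd.exe, which runs reg.exe to add Windows Defender exclusions, and the sandboxes separately report UAC being disabled through the registry and Defender real-time protection being modified. The following is an added example, not MalwareBazaar's or any sandbox vendor's code, of that chain expressed as detection logic over process-creation events. The events are constructed and their command lines are assumptions: the page shows process names and behaviour labels, not command lines. The registry paths are the standard locations for Defender exclusions, Defender policy and the EnableLUA setting.

```python
"""Detections for the defence-evasion chain reported in the behaviour graph:
Install.exe -> forfiles.exe -> cmd.exe -> reg.exe editing Defender/UAC keys.

Added example, not from MalwareBazaar or a sandbox vendor. The EVENTS below
are constructed and their command lines are assumed for illustration.
"""
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str          # file name of the created process
    parent_image: str   # file name of its parent
    cmdline: str


# Registry locations (lower-cased for matching) that the reported behaviours touch.
DEFENDER_EXCLUSIONS = r"software\microsoft\windows defender\exclusions"
DEFENDER_POLICY = r"software\policies\microsoft\windows defender"
UAC_POLICY = r"software\microsoft\windows\currentversion\policies\system"


def classify(ev: ProcEvent) -> list[str]:
    """Return the detection names that fire for one process-creation event."""
    hits = []
    image, parent = ev.image.lower(), ev.parent_image.lower()
    cmd = ev.cmdline.lower()
    if image == "reg.exe" and " add " in cmd:
        if DEFENDER_EXCLUSIONS in cmd:
            hits.append("defender_exclusion_via_reg")
        if DEFENDER_POLICY in cmd and "disable" in cmd:
            hits.append("defender_protection_disabled_via_reg")
        if UAC_POLICY in cmd and "/v enablelua" in cmd and "/d 0" in cmd:
            hits.append("uac_disabled_via_reg")
    # forfiles.exe is a documented LOLBin for proxying execution; a cmd.exe
    # child of it is the shape seen in the graph above.
    if image == "cmd.exe" and parent == "forfiles.exe":
        hits.append("forfiles_lolbin_proxy_exec")
    return hits


def detect(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map pid -> detections for every event that triggered at least one."""
    result = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            result[ev.pid] = hits
    return result


def lineage(events: list[ProcEvent], pid: int) -> str:
    """Render the ancestry of a pid as 'root > ... > leaf' from the event set."""
    by_pid = {ev.pid: ev for ev in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return " > ".join(reversed(chain))


# Constructed process-creation events modelled on the page's process tree
# (command lines are assumptions, not observed values).
EVENTS = [
    ProcEvent(100, 1, "Install.exe", "explorer.exe", r"Install.exe"),
    ProcEvent(200, 100, "forfiles.exe", "Install.exe",
              r'forfiles.exe /p C:\Windows\System32 /m cmd.exe /c "@path /c reg add '
              r'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths '
              r'/v C:\Users\user\AppData\Local /t REG_DWORD /d 0 /f"'),
    ProcEvent(300, 200, "cmd.exe", "forfiles.exe",
              r'cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths '
              r'/v C:\Users\user\AppData\Local /t REG_DWORD /d 0 /f'),
    ProcEvent(400, 300, "reg.exe", "cmd.exe",
              r'reg add HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths '
              r'/v C:\Users\user\AppData\Local /t REG_DWORD /d 0 /f'),
    ProcEvent(401, 300, "reg.exe", "cmd.exe",
              r'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System '
              r'/v EnableLUA /t REG_DWORD /d 0 /f'),
    ProcEvent(402, 300, "reg.exe", "cmd.exe",
              r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" '
              r'/v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f'),
    # Benign control: a read-only query from an ordinary shell should not fire.
    ProcEvent(500, 1, "reg.exe", "cmd.exe",
              r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName'),
]


if __name__ == "__main__":
    for pid, hits in detect(EVENTS).items():
        print(f"{lineage(EVENTS, pid)}: {', '.join(hits)}")
```

The registry matches alone would also fire on an administrator legitimately adding an exclusion; what makes the page's chain worth an alert on its own is the ancestry, so the output pairs each hit with its lineage (Install.exe > forfiles.exe > cmd.exe > reg.exe) rather than reporting the reg.exe event in isolation.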
Threat name:
ByteCode-MSIL.Trojan.Privateloader
Status:
Malicious
First seen:
2023-12-06 18:28:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
16 of 23 (69.57%)
Threat level:
  5/5
Verdict:
malicious
Result
Malware family:
Score:
  10/10
Tags:
family:glupteba family:rhadamanthys family:stealc discovery dropper evasion loader persistence rootkit spyware stealer trojan upx
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Manipulates WinMon driver.
Manipulates WinMonFS driver.
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
Windows security modification
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Modifies boot configuration data using bcdedit
Glupteba
Glupteba payload
Modifies Windows Defender Real-time Protection settings
Rhadamanthys
Stealc
Suspicious use of NtCreateUserProcessOtherParentProcess
UAC bypass
Windows security bypass
Malware Config
C2 Extraction:
http://77.91.76.36
Unpacked files
SHA256 hash:
686a9348e5412fe8d386b0e44723d8b7b538399e001741a628babf64d15d6a62
MD5 hash:
6cce6f314812fbba52834b1084341c3e
SHA1 hash:
57fcfc58dd8202bfb003452b2f1486379ed849bd
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Author:malware-lu
Rule name:PE_Digital_Certificate
Author:albertzsigovits
Rule name:pe_imphash
Rule name:PE_Potentially_Signed_Digital_Certificate
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information

The information below gives additional context for this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by