MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 68afe1c1cef069a7386dd3a8d406d291d0da0ff654a5fc741cce02b7d54a434b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments

SHA256 hash:	68afe1c1cef069a7386dd3a8d406d291d0da0ff654a5fc741cce02b7d54a434b
SHA3-384 hash:	00a9972c97ae5b05197735529b78934b34ab5a5cc877e9701bf7c6da68b8ff94ba0a7916c9cdedf026bd3dd4fc8f2cc4
SHA1 hash:	aa48743bfa79c6aca3304d29ce24073ae1f059e5
MD5 hash:	7dcee1865ca8ec2f8b1769774b3d5801
humanhash:	blossom-salami-mike-virginia
File name:	400000.exe
Download:	download sample
Signature	Stealc Create hunting rule
File size:	103'424 bytes
First seen:	2023-07-25 10:34:43 UTC
Last seen:	2023-07-25 11:40:58 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	cd99bce8ebad6bc5866d19d9d387c282 (3 x Stealc)
ssdeep	1536:++LDkDXWg1IIfbMny0eDEgU5ZOw9mbNFG7x6pt9Dvdp8R+jHb546+qUlE4SJrIOs:zLu1xMy0117esKhpV46+8raOOz4
Threatray	23 similar samples on MalwareBazaar
TLSH	T1CCA3E601D940642EE1A540FFB99E5BEAE81C7AB51304D0C3EBB26D7635E10F664B05BF
TrID	27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 20.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.6% (.EXE) Win32 Executable (generic) (4505/5/1) 8.5% (.ICL) Windows Icons Library (generic) (2059/9) 8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	ResearchBarbie
Tags:	exe MarsStealer Stealc

Intelligence

File Origin

# of uploads :

# of downloads :

300

Origin country :

Vendor Threat Intelligence

Malware family:

oski

ID:

File name:

400000.exe

Verdict:

Malicious activity

Analysis date:

2023-07-25 10:39:24 UTC

Tags:

stealc stealer lumma oski loader

Link:

https://app.any.run/tasks/88368f08-cb44-4eed-b192-7b1e5974da3c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/432113/

Detection(s):

SecuriteInfo.com.Variant.Lazy.362149.26445.29528.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Running batch commands

Creating a process with a hidden window

Launching a process

Query of malicious DNS domain

Sending an HTTP GET request to an infection source

Gathering data

Verdict:

Malicious

Labled as:

Lazy.Generic

Link:

https://www.hybrid-analysis.com/sample/68afe1c1cef069a7386dd3a8d406d291d0da0ff654a5fc741cce02b7d54a434b

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Oski Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/744a86e3-bff6-4b15-94a2-0c2795d42fbf

Result

Threat name:

Stealc, Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1279039

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after checking locale)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

PE file has a writeable .text section

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Yara detected Stealc

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/68afe1c1cef069a7386dd3a8d406d291d0da0ff654a5fc741cce02b7d54a434b/

Threat name:

Win32.Spyware.Stealc

Status:

Malicious

First seen:

2023-07-25 10:35:06 UTC

File Type:

PE (Exe)

AV detection:

19 of 24 (79.17%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ncx6dqoo6bu2oodn2ounibwsshinud7wkss7y5a4zyblpvkkinfq._file

Verdict:

malicious

Stealc

5780ed8b0d40ad27404f10cd789f6b9e6bf58d78a046ad51a6bd9bb7c596989a

Stealc

80854fed8904bb69c71467dae8cfc5d317c1c5e4531791b4811aa2ba089e7f42

Stealc

8933096a3a5c51c79403a2dd9bb1db722ec059cb135b203ec1393c0ea3bd15de

Stealc

8a2cf17eb94a6e38695b90efc25180fe632979ecad0e84954bde357c97d3695b

Stealc

a1a47aa6139e363e0c8aaf7e5fe00ba1f5df02b660fd158deec23c3f4c910cfa

Stealc

c4b6bb4bd33e3ef107781a21eb0dedb82dbe90c4e9d6f0b19620c8940e18fa6b

Stealc

c5067403a8eddbfb4396e7bce5dbb929b841ae0f00622acd7063cbf4a38b9d8d

Stealc

+ 13 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/230725-mmndwscg2z/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Unpacked files

SH256 hash:

68afe1c1cef069a7386dd3a8d406d291d0da0ff654a5fc741cce02b7d54a434b

MD5 hash:

7dcee1865ca8ec2f8b1769774b3d5801

SHA1 hash:

aa48743bfa79c6aca3304d29ce24073ae1f059e5

Link:

https://www.unpac.me/results/2251a716-cb4c-4fa1-834e-42de4d90934f/

Malware family:

Stealc

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/68afe1c1cef0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/68afe1c1cef069a7386dd3a8d406d291d0da0ff654a5fc741cce02b7d54a434b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	detect_Mars_Stealer Create hunting rule
Author:	@malgamy12
Description:	detect_Mars_Stealer

Rule name:	sus_pe_free_without_allocation Create hunting rule
Author:	Maxime THIEBAUT (@0xThiebaut)
Description:	Detects an executable importing functions to free memory without importing allocation functions, often indicative of dynamic import resolution

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/432113/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample