MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69c49e5fef45e896b891141473eda45f8b83e29cf51fe0115c0b9806183528e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	69c49e5fef45e896b891141473eda45f8b83e29cf51fe0115c0b9806183528e7
SHA3-384 hash:	6c1bce3fba558646b1738fe96dee2fcc00dbfa6181337dc9a5041049e0fcc87dd700171d3c4c2338e52d228f2c6f1d4e
SHA1 hash:	79833dcaff1d678bf29b4ce9f5a77f058efad0a0
MD5 hash:	d6067ce0e193dd31df5e3bff2b4b79a0
humanhash:	red-four-july-comet
File name:	69c49e5fef45e896b891141473eda45f8b83e29cf51fe.exe
Download:	download sample
Signature	Stealc Alert Create hunting rule
File size:	199'680 bytes
First seen:	2023-07-27 23:20:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c89bd32d7beced586fcbabe7e651db83 (1 x Stealc)
ssdeep	3072:OhnnpVp5eQvI9YzvuBfSePa5f0zMYFZMQdnCmMG4xTlhr:OhnnpVneQiYzcfSey5cgwSQlCmM3
Threatray	1'260 similar samples on MalwareBazaar
TLSH	T1E214E121B9FA40B2E4775AB844F122524A3E7DA567B1918B3F88073E9F512C18B71F27
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe Stealc

abuse_ch

Stealc C2:
http://185.254.37.234/a68326a8bd26a679.php

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

270

Origin country :

NL

Vendor Threat Intelligence

ANY.RUN amadey

Malware family:

amadey

Alert

Create hunting rule

ID:

1

File name:

38fe36b519c72d03d1981d1188cd697e.exe

Verdict:

Malicious activity

Analysis date:

2023-07-27 20:56:39 UTC

Tags:

amadey trojan kelihos loader stealc stealer

Link:

https://app.any.run/tasks/2b8cbb75-e7c0-4771-a1e2-f9e5411acb2c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/435784/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.3852.20989.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Sending an HTTP GET request

Running batch commands

Creating a process with a hidden window

Launching a process

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

anti-debug evasive greyware

Link:

https://www.filescan.io/uploads/64c2fbdf5154a489a458f698/reports/557ade14-69b6-4c45-8050-171187edd786/overview

Hybrid Analysis Win/malicious_confidence_100%

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/69c49e5fef45e896b891141473eda45f8b83e29cf51fe0115c0b9806183528e7

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Oski Stealer

Malware family:

Oski Stealer

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6c66a98c-be02-4b23-9f81-428c0efa4885

Joe Sandbox Stealc, Vidar

Result

Threat name:

Stealc, Vidar

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1281538

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after checking locale)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

PE file has a writeable .text section

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Yara detected Stealc

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/69c49e5fef45e896b891141473eda45f8b83e29cf51fe0115c0b9806183528e7/

ReversingLabs TitaniumCloud Win32.Spyware.Stealc

Threat name:

Win32.Spyware.Stealc

Alert

Create hunting rule

Status:

Suspicious

First seen:

2023-07-27 18:10:14 UTC

File Type:

PE (Exe)

Extracted files:

1

AV detection:

14 of 24 (58.33%)

Threat level:

  2/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nhcj4x7pixujnoercqkhh3nel6fyhyu46up6aek4bomamgbvfdtq._file

Threatray malicious

Verdict:

malicious

Similar samples:

3cdf268a506536698b15da0e4592751178563f1f2b8e7d4eb1757756761918f5

Stealc

3e9c629c225bf857fc3183cc5f17ae5816e04f20c7d9636d5d6adac849ed2279

Stealc

5c70adfeec8dd32457e92854ef1351eb0d78e0fb43bb90467683f6233ecfcf4a

Stealc

8fbf0b841a18807b33e676c7224f11b4e6aa7725aa410ae66a9dbcea614009a9

Stealc

a06867c5e8f32e4f33fc0455b26a792eb1647178918628765aec756c1a21c382

Stealc

b2531fbdd1d763ac1d257cc43b7806c8cc6b71f65bbc5cc3513a9a11cda2b228

Stealc

b9c544f7eef189e45cd0cb1cf50d9d1e163ce810c2b57d111eaf8cd417be24f7

Stealc

f9c0b902d916f689dcf93a3557640741826483e3c2c3139a02605a5ec0546b29

Stealc

+ 1'250 additional samples on MalwareBazaar

Hatching Triage Malicious

Result

Malware family:

n/a

Score:

  8/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/230727-3bzwjsac22/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

UnpacMe 2

Unpacked files

SH256 hash:

ccd4ccab847e1232c40a15950c2d6265583a7b98e1d2090be961ca1bfcf86390

MD5 hash:

20990d97d8742be5f9defb593d243c56

SHA1 hash:

b3cd40c82085fa612cd3b07c5bb094d18f242df3

Link:

https://www.unpac.me/results/5fde7259-81da-466a-9af6-90ccb7b62241/

SH256 hash:

69c49e5fef45e896b891141473eda45f8b83e29cf51fe0115c0b9806183528e7

MD5 hash:

d6067ce0e193dd31df5e3bff2b4b79a0

SHA1 hash:

79833dcaff1d678bf29b4ce9f5a77f058efad0a0

Link:

https://www.unpac.me/results/5fde7259-81da-466a-9af6-90ccb7b62241/

VMRay Stealc

Malware family:

Stealc

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/69c49e5fef45/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/69c49e5fef45e896b891141473eda45f8b83e29cf51fe0115c0b9806183528e7

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

exe 69c49e5fef45e896b891141473eda45f8b83e29cf51fe0115c0b9806183528e7

(this sample)

Cape

https://www.capesandbox.com/analysis/435784/

  

URLhaus

https://urlhaus.abuse.ch/url/2691492/

  

Delivery method

Distributed via web download

  

URLhaus

https://urlhaus.abuse.ch/url/2691510/