MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b462389499beba4fd091196ff1d353fa741dcb889001e5abc301d20f50bb71b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 17


Intelligence 17 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6b462389499beba4fd091196ff1d353fa741dcb889001e5abc301d20f50bb71b
SHA3-384 hash: e2f3738f9007cbc997c9323ed422b51ce14629f61dc931814d4808418527077af6eddfffaa8fd7ca8c68a1773a640d83
SHA1 hash: 489d59f151cb25a9a79ab0e2d1877681bb2394ce
MD5 hash: bd4060f5fb08c5f2ced344a3fa9e02f9
humanhash: bravo-nine-freddie-twenty
File name:file
Download: download sample
Signature Stealc
Create hunting rule
File size:276'480 bytes
First seen:2023-12-05 11:50:18 UTC
Last seen:2023-12-05 13:25:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7c2a86f67338210064828993e7f36870 (3 x Smoke Loader, 2 x RiseProStealer, 1 x Stealc)
ssdeep 3072:BJRlt8jeEJZZ176Ev+om0KyhGgyx9wChQEuzQw1DvgB9z4:rRX4NZ6E2oP57ynkDo7
TLSH T18644AD1272A1F032E19216798E76C7F91B2AFCB14F5566DF63562B2F1E302E1CA71306
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000200222302800 (1 x Stealc)
Reporter andretavare5
Tags:exe Stealc


Avatar
andretavare5
Sample downloaded from http://5.42.64.35/timeSync.exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
331
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
https://rodhigital.com/ambalwarsa/file_ver_9.rar
Verdict:
Malicious activity
Analysis date:
2023-12-05 11:18:50 UTC
Tags:
privateloader evasion loader risepro stealer redline stealc smoke smokeloader sinkhole ransomware stop purecrypter pureloader purelogs amadey botnet socks5systemz miner g0njxa
Link:
https://app.any.run/tasks/81db276c-9139-4ad8-b737-3c733c1e6457

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/462613/
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.13211.2883.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin packed xpack
Link:
https://www.filescan.io/uploads/656f0eabda3178d99cd859e1/reports/b7bb0d40-1134-4c45-b910-6cd71f99892a/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/6b462389499beba4fd091196ff1d353fa741dcb889001e5abc301d20f50bb71b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d16cfeee-8615-41b1-8036-135db0f6734a
Result
Threat name:
Stealc, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1353895
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6b462389499beba4fd091196ff1d353fa741dcb889001e5abc301d20f50bb71b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6b462389499beba4fd091196ff1d353fa741dcb889001e5abc301d20f50bb71b/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-12-05 11:51:08 UTC
File Type:
PE (Exe)
Extracted files:
26
AV detection:
22 of 23 (95.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nndchckjtpv2j7ijcglp6hjvh6tudxfyreab4wv4gaosb5ilw4nq._file
Verdict:
malicious
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:stealc discovery spyware stealer
Link:
https://tria.ge/reports/231205-nz5z5sbb86/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Stealc
Malware Config
C2 Extraction:
http://5.42.64.41
Unpacked files
SH256 hash:
416c2c4517791e4b434cb4ef287e4a698ba91094c111508ae89259017d93106b
MD5 hash:
86a1f4ecc4b1801831db2513adc2e3bd
SHA1 hash:
df136c844df56f7232b4714ab271c7977ab837b3
Detections:
stealc
Create hunting rule
win_stealc_a0
Create hunting rule
win_stealc_bytecodes_oct_2023
Create hunting rule
Link:
https://www.unpac.me/results/bb00d18a-7e1d-4bfd-a943-f0ffed3b9494/
Parent samples :
d1787b2fadb9f9da05c64aa00a75aa54b771af2110eb72045f4cac7097c739ab
55b59e8d99c3df97556a24b0253f5eff7ac9d95445e98f355383fea6ac8b9bb0
08b760595650c62b640231c966528ab832fa9ad0baf71ed0ecd77f81aab089c7
a107761e07285211f678a660bd7dc514340bdd837d5ea762bb2409f237da1437
150eaa882322cf36548ab0996af895cbb9f928fa84a72c011dc4a0154700ee5a
2e35ba32d792edb3ee4a25f588da1b16fc7d8ecdc1d5c748012f8e76c7133aa4
86ca0b4b5b3f2288701cb2f88645c166914d872091feb4f4b027564a76bd99ae
8ebf00851051741263cdc8af30a2a4ed456a21c5d82eb2f34f761e296020042e
b642f7f81b370505d48ffbacbbbe75e81069c621098165b0b76f3ead2ffa308a
990ac6aef9ecd19b78b658e68523dd0ff04e44e9abf897840676d9095afbd4ea
0563e1d721c5c681720d66d71afe67d0b3db51a5837a81feab52eef1aaca27b4
7feb43b21e76fa15ffde58a8bf076f2a3885ffd2c81b5fd1bb608332406fd17a
398a100e685d73c356d73619da5190d0ca35d8b855ecd3e2438850119a53a72a
0cdec6aa2a559db4795ff299e8b4b322caf92e6042c9463b828243c97fb7748d
fe51a9deb7a5465e8bfd3aaa8352e036613f1c9f257c2dce810b5e01bab5bace
f9c03024ff6ba93d2fae1baf61bbf4d764cad9364bd02706988115a804004c84
a6fcfd2c37ffc70d67edb0a80394e87f3bbd7d2f282c5ff56ac1116b24065e79
5fd8f3daa1f9592e8627de8ed84a011eb533850075cd7fa4596e8f6f51e01ef8
0d088538a7451c17f7abf2da9ae23aa0a6832cda8f62fb13d226dbe08519eb57
6b462389499beba4fd091196ff1d353fa741dcb889001e5abc301d20f50bb71b
9e50ebda71a858637fa3ea9ae5a1d9efcceba645ae1f3bb1c14bec6c8c82bd1b
d0e79da1255bc0c75a742ac8a4109c1648c5c7cde680cdbfaddc5312e2a28b40
9248fedcc648c5ad59694ee8b93b217c7a973237fcc61929e50f8dc564a0f0cf
23e1eaafe1b4bff491af3bf1be1b9ce8d9477b1bfe9530d826dc434d558981b1
1e3cd60fbd0a3e135bcefdebd1eacf718ba2954c04dcea60488fcd14ca44e05b
ed079bac4aab4ab6caf72ba930450daf7d46c56eef112edfca4b62f2ac023f05
7ab254553846eb935a9766ca8ce0966fea633566d1756ea48ad7d88a2e9c821c
21c1f5112278e2b1825bfc4306de91f14291b5352cbbe927a6971853c16b46ce
09cba352d694a41cd4ec2e7ff64b76110fa513faa6a9fb7ebaedec967d4aa902
6f3dde414799cfb801da4f52b091b75b9befafdb9557df785d2133af144da96a
cb0f35a80c97def3f27a1258d9d7179c1e1e4c056993e032745f69818a743eaf
c7b92b2ad09f7ae19af6fe6a1f07e366e01bdf967cb9ef54b8251d6092716e4d
8b7fdfa17565298be30838493f64fdc1234347aad3f079fe52e493fd8390f131
0ee216cd724e09d917910f42e59784ec4008e29f71ffa77436d78ed489ef128d
8eb13198580f2a1f26a2e942de0865b9691fb5c4e367b3ed824170db90fc118e
3fbbfcc205a823ff2580d03799a6a936dccca1f9f109ee50f8ab0706b27462d3
29f8bbebd055a31d9e67782785ef8d69882bf766d9648935364873e1368ac460
aec1e6e5c3d2f77eebacdc0e1934133c10ee06cb633dfcc15ac03c53fc7e9121
54717dc90cdfee8d336278a9628f75d1d965264920621a76523e4861fee77a86
7abbdb0c2c7f1377d11bfab68b94136ec9921e8bfe993a25f7c892f1306302c7
670616fd3a93f842a4181613046e58af7031317ae6a0e5e3a653ede90f93d4e0
4b37fefe23ca01589124d88bb22b599b9237bb90776a59a992e0ffc25af5bf87
f3970a62299d7673ec5c59848a960b6e36af76d762df4eff45e8be379c6c62b2
4907f024512fd3fe1c35e40a89e8dd2c9b91d3b34cc699599b92bfbabb2842c4
3fdef097cfd3daf63511e73befbc8b38d53c7c09ec5217c93f3249783683ace2
9871bc990cd3d368e050d9a9fb6822088683f571a4d374d0415bf4f61e3d9d2b
53f95d143c4d574290620476de25bedbdd1e5d5aa29d68e5ccdac0c6501a2931
06b7da19cf97b14dc91273fd1539f8d2d25f299363498ebcbca49d3fd8e1bbbe
bb7e1dd8f61c078d832b5749944a1d7067ded1809582301da68e1f5b2154c8b5
b9cd89a910a658491324ffa031385fd27a537b2f1209da40bc14981c132264cd
12b92dfa4a7ee62f7de3d3404367b750d28fb0211874220648a9bccf7c229350
fea3847b19bb601465ba0e806802bf00f64e770471400235950e36a0fd57320b
dc4018a4d6fbf42eabc0c65896c688b96e48d3b72179c5f958f39d19e89282ac
fb6ee54405ad282ae3af4479fefa7437834cab4cb44d861b2800a031afb8d843
f2ce7cffb9af5808d3067f80691e0851ccd5b7e84ed44626d53a5abc3be71b33
2383c716fbbbbf50eb7578c77554ee99a3b2a35dcf57d3d748910c6f81dcaf0b
e9cf3637a34e88eca9abf48a211f7082577193dae79f97362f4f52417e3f5988
4800da4ac8238040c90ba232e032be1238405640595b5c5db849c72b3c002f94
bfa92a36a21f67b5217e2801cca65440fbe4f45e8b56afb3fd16b6ce41bf73aa
0a1578863739b57fe23f97a23d8b103a7bf4145364db1d931ebc6d3236e44a98
cb45a92e68601f3462d46b71e567f6928f6d2d920777163da585b78066903a5b
c7a3321ab0ce0899d3382ad956da7aaea3c1fb31c3060723ef7218e734a00898
7c90b14e5b34a35ab19b63b694948229afadedb88e231e8bb3ebaa2741944d6c
b564653e78f267dbc45b127c5016077c7d1099d8291a7c5c2b290f61a144734b
61f577e17623ed07cf709165e91763b5fb44a1ec87ae8ac6cee01eb2a0179cdc
be9a9510e3379097511053f5c0374bc4b5e0ff177037f1d6ea0b8de2079ef2ca
f000b6582ad6eef30537ce5d2e80b5859756f5e6c854bac0d20345e33d089b07
7b4b354533d5ef30f144bc61d88f65d3deadec08888e0f4bca6029c3629f9ce9
ebe96e738de64020f6188371fb24cc282ce7c7907388b87853de0df0ddce508b
13fe8074d3190bcf597d8db6555ab7b9c941e282cf22e5b658bb0e055806fe1e
0c50ad7e475393d12daf08fedc18a139edc337b82d512d2c52cdeb7ebd00779f
e728821d768fe1c5999aebd1231d3e9fb4e6a1b0c916215a8d0a055a247185ff
4bfe3ac7d0659a4c07d3866d2c26b6efaca0eb296b27a0c7672e4eb0eb0987d6
c56054ea9722cafa3efba8b48aa2d4ee1d2ce2836df71a4842a45c210cfa080a
57b539af805cc65c44f3223ddb9ea12a5b1c7eb7e4e393f4f42ad5fd39db8967
f52c69675774b8e8a65deef45d40eb62b87831e02d242d965ed7e4a44964e104
f9862e56630da59dabe58c4890007deec570cbd21727ae16b279e4af38855589
b6b0dd136f2ab8d9ae56b961ddc420ee85f4d20f37099551079d95831088deae
3d773165469c51d2ae4efc9dece1dd21f7cf302ae7feb36f6dc4989ee5aa375d
6213c117d8ca7434d7a4c81be291eb48934a72420546e968ab55fcce6512c0fd
178614fe5ac67c5d8816ba90fc95256c7a9ae8a954bd1cebed47c54352b25470
131a1cc3e59baf38caa71ed20e76572fcc145c83ece0e3027b210ae8fc0a28a6
1055566687f22e367640ed224e9aa2b725a1735a59235d64f2bc9a319d786c9e
f7eb3b9d18892edf5f5b8bc00d1191ccef49535754fe7ee79fef4f89a0af4eba
d1456d20c9d41754453411d79f94e20d54ced41ee3ad646763cc0b607824d640
c64583adcf7b4161e6d5274e787c3793e18093c55f11d318191e7db2bf270e84
99cf1c63c5045f26e115884088bc374feb78cb0ca59997a456e72a876e5e979d
bbb43de4e95855c07601774c4eb9c0574a5c8df5e4c29f2b056802a5a2e83138
56775938e7818aadb762f5feeb7b07b41353188085098dd9a58bdb9783b600e1
61c1efbb041d6cefefe85794eb34c54e9190f95a9bb5797e638108639ddce80a
280e4c0a57f65fd0e5421c98d16dc6c0aa1700e8c415ebf7416e9dc1846f39b5
7dd2033841358a627aa83aff22c40a19f50c500ea9c163b7a58839fdfe574fd8
4887da8b043331a43f0b0a3d9881abae2289cfaa8655bf34aec7b7474190822e
SH256 hash:
6b462389499beba4fd091196ff1d353fa741dcb889001e5abc301d20f50bb71b
MD5 hash:
bd4060f5fb08c5f2ced344a3fa9e02f9
SHA1 hash:
489d59f151cb25a9a79ab0e2d1877681bb2394ce
Link:
https://www.unpac.me/results/bb00d18a-7e1d-4bfd-a943-f0ffed3b9494/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6b462389499b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6b462389499beba4fd091196ff1d353fa741dcb889001e5abc301d20f50bb71b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:detect_Mars_Stealer
Create hunting rule
Author:@malgamy12
Description:detect_Mars_Stealer
Rule name:infostealer_win_stealc_standalone
Create hunting rule
Description:Find standalone Stealc sample based on decryption routine or characteristic strings
Reference:https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:win_stealc_w0
Create hunting rule
Author:crep1x
Description:Find standalone Stealc sample based on decryption routine or characteristic strings
Reference:https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/
Rule name:yarahub_win_stealc_bytecodes_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2735175/
Cape
Cape
https://www.capesandbox.com/analysis/462613/

Comments