MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b7baa1db0d2ed5c12dfb8f289449384ff821110f9b490379c5fcd9190090f4e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Stealc


Vendor detections: 11



SHA256 hash: 6b7baa1db0d2ed5c12dfb8f289449384ff821110f9b490379c5fcd9190090f4e
SHA3-384 hash: 952d6a5d8ae4c6758b88e5a8939692f1fb1c4ca4091e37ed86e92804baac2f6abd5fce2d3982fab1f7ee9f79dbdf3f9e
SHA1 hash: 1c94e583b7058d01dad42d56ef5ddf17b64b5778
MD5 hash: dfe244414c8461175241ce54707eb6b6
humanhash: lactose-high-music-five
File name: dfe244414c8461175241ce54707eb6b6
Download: download sample
Signature: Stealc
File size: 415'216 bytes
First seen: 2024-04-20 09:52:05 UTC
Last seen: 2024-04-20 10:25:58 UTC
File type: Executable exe
MIME type: application/x-dosexec
ssdeep: 12288:eN6XS66ZeKgLaIGVkwpU0uNqFrNNkpICQzlG:26CNe0IGVl+qHul
Threatray: 7 similar samples on MalwareBazaar
TLSH: T1E794235277EC5732E89A2BB8596879D21E7CF1E23AB7CB2E3D40894C1EC7B150412376
TrID: 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      8.7% (.ICL) Windows Icons Library (generic) (2059/9)
      8.5% (.EXE) OS/2 Executable (generic) (2029/13)
      8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter: zbetcheckin
Tags: 64 exe signed Stealc

Code Signing Certificate

Organisation: Microsoft Code Signing PCA 2011
Issuer: Microsoft Code Signing PCA 2011
Algorithm: sha256WithRSAEncryption
Valid from: 2024-04-20T04:47:31Z
Valid to: 2025-04-20T04:47:31Z
Serial number: bab6f490acc5aa3c446bdd722fd1f047
Thumbprint algorithm: SHA256
Thumbprint: 89ce6955c5d77c9fc25c91d4170480b60104dc76f807ee3094536955129c4cbb
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform
Note that these fields are read from the certificate embedded in the file and say nothing about whether the signature chains to a trusted root. The Organisation and Issuer above are the same string, and the validity period begins on the day the sample was first seen, so treat the signature as unverified until a chain check (for example signtool verify or Get-AuthenticodeSignature) has been run against the file.

Intelligence


File Origin
# of uploads: 2
# of downloads: 339
Origin country: FR
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 6b7baa1db0d2ed5c12dfb8f289449384ff821110f9b490379c5fcd9190090f4e.exe
Verdict: Malicious activity
Analysis date: 2024-04-20 09:54:25 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Creating a process with a hidden window
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Sending an HTTP GET request
Creating a process from a recently created file
Creating a file in the %temp% directory
Creating a window
Blocking the User Account Control
Connection attempt to an infection source
Query of malicious DNS domain
Sending a TCP request to an infection source
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Glupteba, Mars Stealer, PureLog Stealer,
Detection: malicious
Classification: rans.troj.spyw.expl.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables UAC (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Drops script or batch files to the startup folder
Exclude list of file types from scheduled, custom, and real-time scanning
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking locale)
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs new ROOT certificates
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Searches for specific processes (likely to inject)
Sigma detected: Drops script at startup location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes many files with high entropy
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected Mars stealer
Yara detected PureLog Stealer
Yara detected Stealc
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph (ID 1429049; sample: jNeaezBuo8.exe; start date: 20/04/2024; architecture: WINDOWS; score: 100)

Root
  signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 15 other signatures
  starts: jNeaezBuo8.exe, cmd.exe, svchost.exe, 4 other processes
  4 other processes, network: 40.126.28.21, 40.126.29.11 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States), 2 other IPs or domains

jNeaezBuo8.exe
  signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Allocates memory in foreign processes; 4 other signatures
  starts: jsc.exe, powershell.exe, WerFault.exe, jsc.exe
cmd.exe
  starts: conhost.exe, ZUXB5CkDapzE7efrdUFhJ892.exe
svchost.exe
  starts: WerFault.exe

jsc.exe (child of jNeaezBuo8.exe)
  network: 107.167.110.211, 107.167.110.216 (OPERASOFTWAREUS, United States), 13 other IPs or domains
  dropped: C:\Users\...\ySPTaGUdAgM6iUd6OElZjJ8a.exe (PE32), C:\Users\...\wZzYmE8Nz9QCUHZqOt6rEm24.exe (PE32), C:\Users\...\w1LOX3XeHuEGT87oLxL6t3id.exe (PE32), 220 other malicious files
  signatures: Drops script or batch files to the startup folder; Creates HTML files with .exe extension (expired dropper behavior); Writes many files with high entropy
  starts: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 09JXLFzEJOC5kWQEY7XIw75i.exe, KB7dlYN3AfN1oeAtjoqEId5Q.exe, 13 other processes
powershell.exe (child of jNeaezBuo8.exe)
  signatures: Loading BitLocker PowerShell Module
  starts: conhost.exe, WmiPrvSE.exe
WerFault.exe (child of jNeaezBuo8.exe)
  network: 20.189.173.21 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)

DAzvKQG6Ksqk3AfqsZxaFtPP.exe
  network: 93.186.225.194, 95.142.206.0 (VKONTAKTE-SPB-AShttpvkcomRU, Russian Federation), 19 other IPs or domains
  dropped: C:\Users\...\tP5pTf0jS1kLhyjqmBv_VrrP.exe (PE32), C:\Users\...\rxKdbi1mxdhb3gQnRtcL21w6.exe (PE32), C:\Users\...\kh9bXd0Y6gx6bLu88nVllBRp.exe (PE32), 27 other malicious files
  signatures: Query firmware table information (likely to detect VMs); Drops PE files to the document folder of the user; Creates HTML files with .exe extension (expired dropper behavior); 11 other signatures
09JXLFzEJOC5kWQEY7XIw75i.exe
  network: 104.76.210.217 (SEABONE-NETTELECOMITALIASPARKLESpAIT, United States), 107.167.110.217 (OPERASOFTWAREUS, United States), 6 other IPs or domains
  dropped: 9 other malicious files
  signatures: Found many strings related to Crypto-Wallets (likely being stolen); Writes many files with high entropy
  starts: 09JXLFzEJOC5kWQEY7XIw75i.exe (three instances)
KB7dlYN3AfN1oeAtjoqEId5Q.exe
  network: 3 other IPs or domains
  dropped: 2 other malicious files
  signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header)
  starts: u4n8.0.exe
13 other processes (children of jsc.exe)
  dropped: C:\Users\user\AppData\Local\Temp\u5vc.1.exe (PE32), C:\Users\user\AppData\Local\Temp\u5vc.0.exe (PE32), 13 other malicious files
  signatures: Tries to detect sandboxes and other dynamic analysis tools (window names); Found Tor onion address; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  starts: Qg_Appv5.exe, powershell.exe, u5vc.0.exe, 5 other processes

09JXLFzEJOC5kWQEY7XIw75i.exe (first child instance)
  dropped: 24 other malicious files
  starts: 09JXLFzEJOC5kWQEY7XIw75i.exe
09JXLFzEJOC5kWQEY7XIw75i.exe (second child instance)
  dropped: Opera_installer_2404200954004632668.dll (PE32)
09JXLFzEJOC5kWQEY7XIw75i.exe (third child instance)
  dropped: Opera_installer_2404200954011947204.dll (PE32)
u4n8.0.exe
  network: 185.172.128.209 (NADYMSS-ASRU, Russian Federation)
  dropped: 12 other files (4 malicious)
  signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to steal Mail credentials (via file / registry access); 6 other signatures
Qg_Appv5.exe
  dropped: C:\Users\user\AppData\Local\...\relay.dll (PE32), C:\Users\user\...\UniversalInstaller.exe (PE32), C:\Users\user\AppData\...\UIxMarketPlugin.dll (PE32), C:\Users\user\AppData\Local\Temp\d73a64c2 (PNG)
  signatures: Writes many files with high entropy; Found direct / indirect Syscall (likely to bypass EDR)
powershell.exe (child of the 13 other processes)
  signatures: Installs new ROOT certificates; Loading BitLocker PowerShell Module
  starts: conhost.exe
5 other processes
  dropped: 2 other malicious files
  starts: conhost.exe, conhost.exe

09JXLFzEJOC5kWQEY7XIw75i.exe (grandchild instance)
  dropped: Opera_installer_2404200954036647596.dll (PE32)
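The Defender-exclusion, real-time-protection and UAC signatures listed above (including "Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet") all come down to a few command lines that a process-creation log will contain. The following Python is an added example, not Joe Sandbox's or Sigma's code: it decodes powershell.exe -EncodedCommand arguments (base64 over UTF-16LE, which is why plain substring matching on the raw command line misses them) and runs a small rule set over both the raw and the decoded text. The command lines it scans are constructed inside the code and are not taken from this sample's run; the rule names, ENCODED_RE and the RULES table are this example's own.

```python
import base64
import re
from typing import Optional

# powershell.exe accepts -e, -ec, -enc and -EncodedCommand for the same switch.
ENCODED_RE = re.compile(r'\s-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})', re.I)

# Detection rules, evaluated case-insensitively over raw + decoded command text.
RULES = {
    "defender_exclusion_added": re.compile(
        r'\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Extension|Process)\b', re.I | re.S),
    "defender_realtime_disabled": re.compile(
        r'\bSet-MpPreference\b.*?-DisableRealtimeMonitoring\s+\$?true\b', re.I | re.S),
    "defender_disabled_via_registry": re.compile(r'\bDisableAntiSpyware\b.*?/d\s+1\b', re.I),
    "uac_disabled_via_registry": re.compile(r'\bEnableLUA\b.*?/d\s+0\b', re.I),
}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext behind an -EncodedCommand argument, or None.
    powershell.exe expects base64 over UTF-16LE; anything else is not decoded."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(cmdline: str) -> dict:
    """Run every rule over the raw command line plus its decoded payload, if any."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    findings = [name for name, rx in RULES.items() if rx.search(text)]
    return {"decoded": decoded, "findings": findings}


def scan(events):
    """Return (event index, findings) for every event that triggered a rule."""
    hits = []
    for i, ev in enumerate(events):
        result = analyze(ev)
        if result["findings"]:
            hits.append((i, result["findings"]))
    return hits


def encode_for_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation command lines (not from the page's sandbox run).
SAMPLE_EVENTS = [
    "powershell.exe -nop -w hidden -enc " + encode_for_powershell(
        'Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Local\\Temp"'),
    r"cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f",
    'powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true"',
    'powershell.exe -NoProfile -Command "Get-ChildItem C:\\Temp"',
    r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f',
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_EVENTS):
        print(index, findings, "<-", SAMPLE_EVENTS[index][:70])
```

The base64 payload is rebuilt at import time from the plaintext so the sample stays readable; in a real pipeline the decoded text, not just the rule name, should go into the alert, since that is what the analyst has to read.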
Threat name: ByteCode-MSIL.Spyware.Stealc
Status: Malicious
First seen: 2024-04-20 07:15:59 UTC
File Type: PE+ (.Net Exe)
Extracted files: 1
AV detection: 16 of 24 (66.67%)
Threat level: 2/5
Result
Malware family:
Score: 10/10
Tags: family:glupteba family:stealc discovery dropper evasion loader persistence rootkit spyware stealer themida trojan upx
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Manipulates WinMonFS driver.
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
UPX packed file
Windows security modification
Downloads MZ/PE file
Modifies Windows Firewall
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Glupteba
Glupteba payload
Modifies firewall policy service
Stealc
UAC bypass
Windows security bypass
Malware Config
C2 Extraction: http://185.172.128.209
Unpacked files
SHA256 hash: 6b7baa1db0d2ed5c12dfb8f289449384ff821110f9b490379c5fcd9190090f4e
MD5 hash: dfe244414c8461175241ce54707eb6b6
SHA1 hash: 1c94e583b7058d01dad42d56ef5ddf17b64b5778
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Author:ditekSHen
Description: Detects executables (downloaders) containing URLs to raw contents of a paste
Rule name:maldoc_find_kernel32_base_method_1
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MSIL_TinyDownloader_Generic
Author:albertzsigovits
Description:Detects small-sized dotNET downloaders
Rule name:NET
Author:malware-lu
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:PE_Digital_Certificate
Author:albertzsigovits
Rule name:pe_imphash
Rule name:pe_no_import_table
Description: Detects PE files that have no import table
Rule name:PE_Potentially_Signed_Digital_Certificate
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Generic_2993e5a5
Author:Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Stealc
File: Executable exe 6b7baa1db0d2ed5c12dfb8f289449384ff821110f9b490379c5fcd9190090f4e (this sample)
Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID: CHECK_DLL_CHARACTERISTICS
Title: Missing dll Security Characteristics (GUARD_CF)
Severity: high
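The BLint finding above and the Code Signing Certificate section earlier on this page are both derived from PE header fields that need no external tooling to read. The following Python is an added example, not BLint's, ReversingLabs' or MalwareBazaar's code: it parses the optional header's DllCharacteristics word (the GUARD_CF bit BLint flags, plus NX_COMPAT and DYNAMIC_BASE), the IMAGE_DIRECTORY_ENTRY_SECURITY entry that tells whether an Authenticode blob is attached at all, and the CLR data directory that marks a .NET assembly (the "PE+ (.Net Exe)" verdict above). The image it parses is constructed inside the code (headers only, no sections) and is not this sample; pass the bytes of a real file to parse_pe_security_props to run it for real. A present blob is only a claim: chain validation needs a signature verifier such as signtool verify, Get-AuthenticodeSignature or osslsigncode verify.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits (PE/COFF specification, optional header offset 70).
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x1000: "APPCONTAINER",
    0x4000: "GUARD_CF",
}
# The mitigations a linter such as BLint reports when absent.
MITIGATIONS = ("DYNAMIC_BASE", "NX_COMPAT", "GUARD_CF")
DIR_SECURITY = 4   # IMAGE_DIRECTORY_ENTRY_SECURITY: Authenticode blob (a file offset, not an RVA)
DIR_CLR = 14       # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: present only in .NET assemblies
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def parse_pe_security_props(data: bytes) -> dict:
    """Read header-level security properties of a PE image from its raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, _nsect, _ts, _symp, _nsym, _optsize, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:
        kind, ndirs_off, dirs_off = "PE32", 92, 96
    elif magic == 0x20B:
        kind, ndirs_off, dirs_off = "PE32+", 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]

    def directory(index: int):
        if index >= ndirs:
            return 0, 0
        return struct.unpack_from("<II", data, opt + dirs_off + 8 * index)

    sec_off, sec_size = directory(DIR_SECURITY)
    cert_type = None
    if sec_size >= 8 and sec_off + 8 <= len(data):
        # WIN_CERTIFICATE header: dwLength, wRevision, wCertificateType
        _length, _revision, cert_type = struct.unpack_from("<IHH", data, sec_off)
    present = {name for bit, name in DLL_CHARACTERISTICS.items() if dllchars & bit}
    return {
        "format": kind,
        "machine": machine,
        "dll_characteristics": sorted(present),
        "missing_mitigations": [m for m in MITIGATIONS if m not in present],
        "has_authenticode_blob": sec_size > 0,
        "pkcs7_signed_data": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
        "is_dotnet": directory(DIR_CLR)[1] > 0,
    }


def build_sample_pe(dllchars: int, signed: bool, dotnet: bool) -> bytes:
    """Constructed PE32+ image (headers only, no sections); NOT the page's sample."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)                                # PE32+ optional header size
    struct.pack_into("<H", opt, 0, 0x20B)               # magic
    struct.pack_into("<H", opt, 70, dllchars)           # DllCharacteristics
    struct.pack_into("<I", opt, 108, 16)                # NumberOfRvaAndSizes
    end_of_headers = 0x80 + 4 + len(coff) + len(opt)
    blob = b""
    if signed:
        # Minimal WIN_CERTIFICATE: 8-byte header + 16 placeholder bytes, type PKCS#7
        blob = struct.pack("<IHH", 24, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + b"\0" * 16
        struct.pack_into("<II", opt, 112 + 8 * DIR_SECURITY, end_of_headers, len(blob))
    if dotnet:
        struct.pack_into("<II", opt, 112 + 8 * DIR_CLR, 0x2008, 72)   # dummy CLR header RVA/size
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + blob


if __name__ == "__main__":
    # 0x0160 = HIGH_ENTROPY_VA | DYNAMIC_BASE | NX_COMPAT, i.e. everything but GUARD_CF
    for label, image in (("no CF guard, signed .NET", build_sample_pe(0x0160, True, True)),
                         ("CF guard, unsigned native", build_sample_pe(0x4160, False, False))):
        print(label, parse_pe_security_props(image))
```

The security directory is the one data directory whose first field is a raw file offset rather than an RVA, which is why the parser can reach the WIN_CERTIFICATE header without mapping sections; everything else here is read straight from the headers, so the function works on a truncated dump as long as the optional header is intact.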

Comments



zbet commented on 2024-04-20 09:52:17 UTC

url : hxxp://193.233.132.234/files/Uni400uni.exe