MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ce6a03625c3a1e2b97d490363a3ec5be1706ec424493d7de2c9cad2644c3311. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 17

Intelligence 17 IOCs 1 YARA 2 File information Comments

SHA256 hash:	6ce6a03625c3a1e2b97d490363a3ec5be1706ec424493d7de2c9cad2644c3311
SHA3-384 hash:	91c8b4d0138401e86aa14edb1d5b91b76c196bc9fb0a6aa41c69fc499ab974f6b2325859f0de35d41ea3cff88543937e
SHA1 hash:	519d65503d586d0442ea411d03e790d52b564eee
MD5 hash:	4bb69f9fad0620ecb64971676b9f2cbc
humanhash:	river-wolfram-black-echo
File name:	4bb69f9fad0620ecb64971676b9f2cbc.exe
Download:	download sample
Signature	Stealc Create hunting rule
File size:	376'832 bytes
First seen:	2024-10-20 07:35:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	734589f5246b662a5747f60ad9c50ca5 (3 x Stealc)
ssdeep	6144:gQLgu6NlN0niBcbNynh3oDisWPHVz0Ws1gbBqkNj8f:gQ5690icodkifKWs2BqkN
TLSH	T1B084F12239D0C072D5A756304835D7A42A3FBD325A61C55F37583B6F2E332D2AA3636B
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
File icon (PE):
dhash icon	9292eebeb6be9680 (1 x Stealc)
Reporter	abuse_ch
Tags:	exe Stealc

abuse_ch

Stealc C2:
http://45.88.76.205/30f6901d21ae0dd7.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://45.88.76.205/30f6901d21ae0dd7.php	https://threatfox.abuse.ch/ioc/1338225/

Intelligence

File Origin

# of uploads :

# of downloads :

428

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

4bb69f9fad0620ecb64971676b9f2cbc.exe

Verdict:

Malicious activity

Analysis date:

2024-10-20 07:38:14 UTC

Tags:

loader smokeloader

Link:

https://app.any.run/tasks/b4dd52e4-36f6-4ba8-8449-84e0e395bb7f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Verdict:

Malicious

Score:

93.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6714b2ec9e67c24682026d10

Tags:

Phishing Azorult

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

DNS request

Query of malicious DNS domain

Unauthorized injection to a system process

Enabling autorun by creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

fingerprint microsoft_visual_cc packed

Link:

https://www.filescan.io/uploads/6714b2e2718466003852855e/reports/c4a4806f-e788-4cc3-96f1-ec47fa687116/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/6ce6a03625c3a1e2b97d490363a3ec5be1706ec424493d7de2c9cad2644c3311

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2298438f-3cc1-4577-b4ee-494956f9d9aa

Result

Threat name:

SmokeLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1538071

Signature

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Benign windows process drops PE files

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Detected unpacking (changes PE section rights)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Switches to a custom stack to bypass stack traces

System process connects to network (likely due to code injection or exploit)

Yara detected SmokeLoader

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/6ce6a03625c3a1e2b97d490363a3ec5be1706ec424493d7de2c9cad2644c3311

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6ce6a03625c3a1e2b97d490363a3ec5be1706ec424493d7de2c9cad2644c3311/

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=nttkanrfyoq6fol5jebwhi7mlpqxa3weeret27pczhfnezcmgmiq._file

Verdict:

malicious

Label(s):

shellcode_loader_002

Similar samples:

error

Stealc

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:smokeloader botnet:pub2 backdoor discovery trojan

Link:

https://tria.ge/reports/241020-je8hbawfrg/

Behaviour

Checks SCSI registry key(s)

Program crash

System Location Discovery: System Language Discovery

SmokeLoader

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/c7315327-05a1-48fe-b770-9fe319560836

Unpacked files

SH256 hash:

d44952d1d1b03d23f8425d0b723b75b70c5a2d60d950d3210e3afbc4ff476b11

MD5 hash:

79cef9305013b2a3addf14245fcccb52

SHA1 hash:

7670838db9ff4f7aa091ed084b54985a5a3a4cc0

Detections:

SmokeLoaderStage2

win_smokeloader_a2

Link:

https://www.unpac.me/results/c0d3d60c-f9da-4f73-8588-eba17682e710/

Parent samples :

6579e58065815c12c11fc1f16160d5300e7e6c7eefad7df0342c6e7f3e7c3fdb
c2647db7431c0ad5d159b8630e17a5f97a3ed537671d61e1a55634d10b59fb9c
e73e80fb1603b44dddfa19c5534a0bf4ab297b86f230d465ad0ef47a5b502996
cdc147abb465b0c0feeecc4b762006d55c11892b91f2d62dcee13a74f41eecbb
11f02de3d29b2b99c806437d10cc4bc1232cc64fba65521d53e47c44426ba219
5e76223b4ec53240790dbdb1a2937774f48094711ee0cf2a5906ffd8e727e519
c5cf196dc4edeab9ef3dac2d7d3d463972fa26cfa8cba26e9367fb87bcdc143d
4dcf43767f4fd901ef13a37da7499a54c61cf045a045186151a8bbefc251ee6b
6ce6a03625c3a1e2b97d490363a3ec5be1706ec424493d7de2c9cad2644c3311
ce9bb3da96d717596d3e192b9d1f3155e6160cc6c267c22eb3aff198a2591295

SH256 hash:

6ce6a03625c3a1e2b97d490363a3ec5be1706ec424493d7de2c9cad2644c3311

MD5 hash:

4bb69f9fad0620ecb64971676b9f2cbc

SHA1 hash:

519d65503d586d0442ea411d03e790d52b564eee

Link:

https://www.unpac.me/results/c0d3d60c-f9da-4f73-8588-eba17682e710/

Malware family:

SmokeLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6ce6a03625c3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6ce6a03625c3a1e2b97d490363a3ec5be1706ec424493d7de2c9cad2644c3311

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

exe 6ce6a03625c3a1e2b97d490363a3ec5be1706ec424493d7de2c9cad2644c3311

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3231936/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessW KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryA KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetStartupInfoA KERNEL32.dll::GetDiskFreeSpaceExA KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleA KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleInputA KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleAliasExesA KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileA KERNEL32.dll::GetFileAttributesW KERNEL32.dll::GetTempFileNameA KERNEL32.dll::SetVolumeMountPointA
WIN_BASE_USER_API	Retrieves Account Information	KERNEL32.dll::GetComputerNameA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample