MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 745c8f38e2cd894f6ce759e3096333b3b219a25bdf1446558cac4a92d0cb4e51. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Stealc


Vendor detections: 17



SHA256 hash: 745c8f38e2cd894f6ce759e3096333b3b219a25bdf1446558cac4a92d0cb4e51
SHA3-384 hash: b64fa053ef1533c3aaa01c42a437b6fb4a913ba0407627a2e17e45d0a68bda972ee2dcac7761f031391cedee9b9de247
SHA1 hash: 0c5eef0eec3e9f7a03708f71c70a1d591b38712f
MD5 hash: fcdc969dbc2996ce6a0c91c3ae526258
humanhash: lamp-tennessee-mike-yankee
File name: fcdc969dbc2996ce6a0c91c3ae526258
Signature: Stealc
File size: 2'578'944 bytes
First seen: 2024-07-31 17:45:58 UTC
Last seen: 2024-07-31 18:20:16 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 31228b35d765756d4d3dd4ed5d786b22 (4 x Stealc, 1 x MarsStealer)
ssdeep: 49152:lfH0JaAOHXUHvzyRGwf6WwvQ3ZL/K2bHCu8r/ubEsZOwcWm2ikY:RAM3EvGf6WWQpL/fcvsZ5Y
TLSH: T1E9C53341417C3285E1198D3B65B2EE8B2E3EAD37DB290B2B16533ACF17BF1A5C811647
TrID: 28.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
      25.5% (.EXE) Win32 Executable (generic) (4504/4/1)
      11.6% (.ICL) Windows Icons Library (generic) (2059/9)
      11.5% (.EXE) OS/2 Executable (generic) (2029/13)
      11.3% (.EXE) Generic Win/DOS Executable (2002/3)
dhash icon: 1a72c2da98585c2c (9 x Stealc, 4 x Smoke Loader, 3 x Tofsee)
Reporter: zbetcheckin
Tags: 32 exe Stealc

Intelligence


File Origin
# of uploads: 2
# of downloads: 365
Origin country: FR
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: fcdc969dbc2996ce6a0c91c3ae526258
Verdict: Malicious activity
Analysis date: 2024-07-31 17:49:06 UTC
Tags: stealer stealc

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.1%
Tags: Execution Generic Infostealer Network Stealth Trojan
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: enigma lolbin microsoft_visual_cc packed packed shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Amadey, Babadeda, Stealc, Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious File Creation In Uncommon AppData Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Amadeys stealer DLL
Yara detected Babadeda
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph: [interactive graph not reproduced] Behavior Graph ID: 1485536, Sample: Smoygs2mHT.exe, Startdate: 31/07/2024, Architecture: WINDOWS, Score: 100
Threat name: Win32.Spyware.Stealc
Status: Suspicious
First seen: 2024-07-31 17:46:07 UTC
File Type: PE (Exe)
Extracted files: 16
AV detection: 20 of 24 (83.33%)
Threat level: 2/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:stealc botnet:dana discovery stealer
Behaviour
Suspicious use of SetWindowsHookEx
Program crash
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Stealc
Malware Config
C2 Extraction: http://85.28.47.31
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: 745c8f38e2cd894f6ce759e3096333b3b219a25bdf1446558cac4a92d0cb4e51
MD5 hash: fcdc969dbc2996ce6a0c91c3ae526258
SHA1 hash: 0c5eef0eec3e9f7a03708f71c70a1d591b38712f
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Note that only results from TLP:CLEAR rules are displayed.

Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Stealc: Executable exe 745c8f38e2cd894f6ce759e3096333b3b219a25bdf1446558cac4a92d0cb4e51 (this sample)
Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                          Title                                                         Severity
CHECK_AUTHENTICODE          Missing Authenticode                                          high
CHECK_DLL_CHARACTERISTICS   Missing dll Security Characteristics (HIGH_ENTROPY_VA)        high
CHECK_NX                    Missing Non-Executable Memory Protection                      critical
CHECK_PIE                   Missing Position-Independent Executable (PIE) Protection      high

Reviews
ID                          Capabilities                Evidence
SHELL_API                   Manipulates System Shell    shell32.dll::ShellExecuteA
WIN_BASE_API                Uses Win Base API           kernel32.dll::LoadLibraryA
WIN_BASE_IO_API             Can Create Files            version.dll::GetFileVersionInfoA

Comments



zbet commented on 2024-07-31 17:45:59 UTC

url: hxxp://185.215.113.13/steam/random.exe