MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7747004e33e1ce463c04eff2c919071d6f7c01b9de6a407381923a5c33a08081. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 14



SHA256 hash: 7747004e33e1ce463c04eff2c919071d6f7c01b9de6a407381923a5c33a08081
SHA3-384 hash: 196e1f8e8a88a0956e697a2f18496d9cf03ec7b80a37ac6fd687ada98d5bea7e2d0a145dd2e5a53b58bdb51b7f2218d9
SHA1 hash: b71dd27f74daddb00afe800d04f87d0fcf14dde8
MD5 hash: 225fb3075cf11e0f27075326203f21a7
humanhash: ceiling-violet-connecticut-uniform
File name: file
Signature: Stealc
File size: 252'416 bytes
First seen: 2023-11-17 17:30:15 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3af1886f786e2122c71384398144c402 (2 x Smoke Loader, 1 x Stealc, 1 x Tofsee)
ssdeep: 3072:+4I3c4rCbgOSbCX9nl7IbfHCLKTJBTNQz91AIMQBrRMqCJcY09/p4CC:x0jmbgtSnJBEWznfjoqCJsh
TLSH: T1AB347D2362E07C69D92B47728F7FAAEC771EF5504F59676E12084E5F49B02B2E623301
TrID:
  45.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  15.4% (.EXE) Win64 Executable (generic) (10523/12/4)
  9.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.6% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 00000c48c4488808 (1 x Stealc)
Reporter: andretavare5
Tags: exe Stealc


andretavare5
Sample downloaded from http://194.49.94.48/timeSync.exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 357
Origin country: US
Vendor Threat Intelligence

Result
Verdict: Clean

Behaviour
Searching for the window
Launching the default Windows debugger (dwwin.exe)
Gathering data
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Stealc, Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking locale)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Stealc
Yara detected Vidar stealer
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2023-11-17 17:31:06 UTC
File Type: PE (Exe)
Extracted files: 37
AV detection: 19 of 23 (82.61%)
Threat level: 2/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:stealc discovery spyware stealer
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Stealc
Malware Config
C2 Extraction: http://bernardofata.icu
Unpacked files
SHA256 hash: 7e5af8f5fdb81a1a7e01db2cd2a136d9bbb98f9419dac76985db3903c6ef29ad
MD5 hash: 41f8cc8825eec70b1a59b5a8391ff9f5
SHA1 hash: fb9dc9610a2b97b296bd35dd25a8330925376978
Detections: stealc detect_Mars_Stealer win_stealc_bytecodes_oct_2023
Parent samples:
d98972d3ac1090f030d18a15eb6f08edec2b76f45f883cfe317c77be20e1c000
702a59059d11f6194881998bec8cb3124967952654c71351d749d3e26b6fbe7d
86138fcb7a53e15c4ce40d5c60bab85645226be9f119cbf4c60c80dd4c791cb8
d77cb87bc0dccc16883d87ca240ab6457bcf4040636e2954681ceeaefcef77ab
9989f3ee35fbd082a9e8b0117afcc5d53bc637ad51d07989a8a160021022ac8a
0a4d3c5d2e69c9b149f35e9ef629fa36bc9baaf00a8e552c6a36c1d5c940b6aa
5579c693bd0129ae7350d599239695cfe4a578965ae2889b74fe3cea19d7e3da
c9ea3ac3016093a34f864a52b854e01d655be9f1848fc6de098c79a3d560fc19
78380c9b3b9036cb8d3fdbacd2438971115405bcb828bb9812e4abb488408590
60e9383ff5038ed988a1b988b66091bac7bf93a6d070763f45479dccdfd9d147
a79f593a22f2698e351aee60ab23afdaa239ef545297e495df30ecedb99fe222
0552f23284ed52e84060cdc66d242f9258bbe0555eab899355b9d848bbf70605
349f4ed12f7b4cd5d2cecc282f03ca70a28518094973e66749086920ec47fea4
18db81d906e97ea89314ddaa87811b43e349e08a2af276dcfe21f3031131e69f
487ca2266b9ddac43dde09ad484b1b73ca38071698bfda25d419dcf6c5ed3a22
6f40d5c35c41245183c6866fb0a4f8a60c5a70079213b1c76792c269f174364f
fe87527ba3585e4e2437669ad1d4922dca958a78ed2416ed8426a8abf0ee2f6b
588f49a1ba2f244d08911daaf351bc36ac8bffa5802eefe73a0ef1b7c4fc2a7e
ee36161c6b3635240df4c30f370420483174cc1a4999a386952d452d0de03c40
02d956d1f2c9ecdc43ebcbfef06dc160cdd9e5e31f50c692bde9ed1dd9797040
9526a4e0b40f262bc5cd1e07a8b80f465e052c18b3698e496ba0e2dd6549127a
70b2fbdbe34e05f0c3a84f5c9068e7f4970d7fa25452fa561357ca7d2e2be2ef
a56d61de6a7f641f555d4bcf3935f3cb1c22d58e21edc76ad03d32a1a8dd436e
a499710f67a78322f78a493b0a672095a7a636c87ff984c7754526f30d36459d
9d180b3b8219292c40814afbc36db5d36771022b39429b41ec0e7485433da81a
b61e2f809951583a432ac8096b49b2a97506511109ec5c673831a28759cd44bb
00d943709baa0d034312f4d6ee584ac89e9e0546007c91bc187d2b0209e39e25
1c93b99d8e1968867508692feb30aa67c0a48a2a623704f982d1dd9754125ace
7747004e33e1ce463c04eff2c919071d6f7c01b9de6a407381923a5c33a08081
95cc300618cf5a0abb4b36427d838ee00bc37e515bf527ecf24725d70610c993
ba12343f978332fa8c76a99e384a9052b0f9ecc1bcf24bd25552832af77a03ef
SHA256 hash: 7747004e33e1ce463c04eff2c919071d6f7c01b9de6a407381923a5c33a08081
MD5 hash: 225fb3075cf11e0f27075326203f21a7
SHA1 hash: b71dd27f74daddb00afe800d04f87d0fcf14dde8
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by
