MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 785c32a65738f3aff0a7dcf1e12f0f852a7e517672e8c18172d6e59bcb2ce0ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Stealc


Vendor detections: 16



SHA256 hash: 785c32a65738f3aff0a7dcf1e12f0f852a7e517672e8c18172d6e59bcb2ce0ef
SHA3-384 hash: 8b97b33ca1eac0ab0ccd82c39ec1cad5e9f1eddb77ea54c73079751b31ed3794f34c4c9a54f367967f4d513f1da4de9a
SHA1 hash: eecbeee26a05d0db9058f2509a5e1aa275a00dc9
MD5 hash: db9948099f3d8d9b1d660b54407ded0b
humanhash: march-emma-oven-delta
File name: db9948099f3d8d9b1d660b54407ded0b.exe
Signature: Stealc
File size: 7'079'936 bytes
First seen: 2025-03-18 21:30:15 UTC
Last seen: 2025-03-18 22:27:11 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 3c029866402cd0e87160c4e37f17636e (3 x LummaStealer, 1 x Stealc)
ssdeep 196608:4egzDlFOWIrSz8ak0dhnlKdX6MKIL7/VHe:4PSWOSFgFKIPN
Threatray 158 similar samples on MalwareBazaar
TLSH T13E661220338541D7E94CBEB6A01BF37A06CBF566C266CC4A89CF0FAB46C7F59442C656
TrID 49.9% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.6% (.EXE) OS/2 Executable (generic) (2029/13)
9.5% (.EXE) Generic Win/DOS Executable (2002/3)
9.4% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
dhash icon b2ae96aa9a968eb2 (1 x Stealc)
Reporter abuse_ch
Tags: exe Stealc
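Before touching a downloaded copy of this sample, confirm it is the file the entry describes: MalwareBazaar stores the sample under its SHA256, but a re-hosted or repacked copy will not match. The script below is an added example, not MalwareBazaar tooling; it recomputes the four digests and the size listed above over a file (streamed in chunks, since the sample is about 7 MB) and reports which ones match. The only page-derived values are the hashes and size in `ENTRY_HASHES` and `ENTRY_SIZE`; the function and file names are assumptions for the example.

```python
import hashlib
from pathlib import Path

# Hashes and size exactly as listed in the MalwareBazaar entry for this sample.
ENTRY_HASHES = {
    "sha256": "785c32a65738f3aff0a7dcf1e12f0f852a7e517672e8c18172d6e59bcb2ce0ef",
    "sha3_384": "8b97b33ca1eac0ab0ccd82c39ec1cad5e9f1eddb77ea54c73079751b31ed3794f34c4c9a54f367967f4d513f1da4de9a",
    "sha1": "eecbeee26a05d0db9058f2509a5e1aa275a00dc9",
    "md5": "db9948099f3d8d9b1d660b54407ded0b",
}
ENTRY_SIZE = 7_079_936  # bytes, as listed under "File size"

CHUNK = 1 << 20  # read 1 MiB at a time so a multi-MB sample is never loaded whole


def compute_hashes(data: bytes) -> dict:
    """Hash an in-memory blob with every algorithm the entry lists."""
    return {name: hashlib.new(name, data).hexdigest() for name in ENTRY_HASHES}


def hash_file(path) -> dict:
    """Same digests as compute_hashes(), but streamed from disk."""
    hashers = {name: hashlib.new(name) for name in ENTRY_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_hashes(actual: dict, expected: dict = ENTRY_HASHES) -> dict:
    """Per-algorithm match result; hex digests are compared case-insensitively."""
    return {
        name: actual.get(name, "").lower() == digest.lower()
        for name, digest in expected.items()
    }


def is_exact_sample(data: bytes, expected: dict = ENTRY_HASHES, size=None) -> bool:
    """True only if every listed digest (and the size, when given) matches."""
    if size is not None and len(data) != size:
        return False
    return all(verify_hashes(compute_hashes(data), expected).values())


if __name__ == "__main__":
    import sys

    # Usage (assumed script name): python verify_sample.py <downloaded_sample.exe>
    target = Path(sys.argv[1])
    results = verify_hashes(hash_file(target))
    size_ok = target.stat().st_size == ENTRY_SIZE
    for name, ok in results.items():
        print(f"{name:8s} {'OK' if ok else 'MISMATCH'}")
    print(f"{'size':8s} {'OK' if size_ok else 'MISMATCH'}")
    sys.exit(0 if all(results.values()) and size_ok else 1)
```

A single mismatching digest is enough to stop: either the download is not this sample or it was altered in transit, and in both cases the vendor verdicts and YARA matches on this page no longer apply to the file you hold.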


abuse_ch
Stealc C2:
http://45.93.20.64/96d56f5c90701384.php
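The C2 URL reported above is the most directly actionable indicator on this page. The script below is an added example (not from MalwareBazaar or the reporter) of running it against web-proxy logs: an exact hit on the reported URL is the strongest signal, any other request to 45.93.20.64 is a weaker host-level hit, and a request to a different host whose path is a 16-hex-character `.php` name is flagged only as a pattern match. That last pattern is generalised from the single URL on this page and is an assumption, not something the entry states. The log lines and their `<timestamp> <client> <method> <url> <status>` format are constructed for the example; the benign Google request mirrors the chrome.exe traffic the sandbox recorded.

```python
import re
from urllib.parse import urlparse

# Indicator taken from the reporter's comment on the MalwareBazaar entry.
C2_URL = "http://45.93.20.64/96d56f5c90701384.php"
C2_HOST = urlparse(C2_URL).hostname  # "45.93.20.64"

# Assumption (not stated on the page): a 16-hex-character .php gate name is
# treated as a family-level pattern. It is weaker than the exact IOC above and
# can false-positive, so it is reported with its own verdict.
GATE_PATH = re.compile(r"^/[0-9a-f]{16}\.php$")

# Constructed proxy log (not from the page): "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2025-03-18T21:35:02Z 192.168.2.4 GET http://45.93.20.64/96d56f5c90701384.php 200
2025-03-18T21:35:03Z 192.168.2.4 POST http://45.93.20.64/96d56f5c90701384.php 200
2025-03-18T21:35:09Z 192.168.2.4 GET https://www.google.com/ 200
2025-03-18T21:35:12Z 192.168.2.4 GET http://45.93.20.64/update.bin 200
2025-03-18T21:36:11Z 192.168.2.7 POST http://203.0.113.9/0123456789abcdef.php 200
2025-03-18T21:36:40Z 192.168.2.7 GET http://203.0.113.9/index.php 200
"""


def classify(url: str):
    """Return the strongest matching verdict for a URL, or None if it is clean."""
    parsed = urlparse(url)
    if url == C2_URL:
        return "exact_c2_url"
    if parsed.hostname == C2_HOST:
        return "c2_host"
    if GATE_PATH.match(parsed.path or ""):
        return "gate_pattern"
    return None


def scan_proxy_log(text: str) -> list:
    """Walk the log once and collect one alert per matching request."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 5:
            continue  # skip blank or malformed lines instead of crashing on them
        timestamp, client, method, url, status = parts[:5]
        verdict = classify(url)
        if verdict:
            alerts.append({
                "line": lineno,
                "time": timestamp,
                "client": client,
                "method": method,
                "url": url,
                "verdict": verdict,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_LOG):
        print(f"{alert['time']} {alert['client']:12s} {alert['verdict']:13s} "
              f"{alert['method']} {alert['url']}")
```

Hosts that only trip `gate_pattern` deserve a second look rather than an automatic block; hosts that trip `exact_c2_url` or `c2_host` identify a client that has already run the stealer, so the follow-up is credential and session-token rotation for that user, not just blocking the IP.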

Intelligence


File Origin
# of uploads:
2
# of downloads:
492
Origin country:
NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
db9948099f3d8d9b1d660b54407ded0b.exe
Verdict:
Malicious activity
Analysis date:
2025-03-18 21:32:20 UTC
Tags:
stealer stealc loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
92.5%
Tags:
bitcoin dropper lien sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Connecting to a non-recommended domain
Connection attempt
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Launching a process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context crypto packed packed packer_detected
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Stealc, Vidar
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Attempt to bypass Chrome Application-Bound Encryption
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph (ID 1642158; sample De5T3PrGUQ.exe; start date 18/03/2025; architecture WINDOWS; score 100)
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 7 other signatures
Process tree:
De5T3PrGUQ.exe (started)
  Network: 45.93.20.64 (ports 49714, 49741, 80; COGENT-174US, Netherlands); 127.0.0.1 (unknown)
  Files dropped: C:\ProgramData\nss3.dll (PE32); C:\Users\user\AppData\...\places.sqlite-shm (data); C:\Users\user\AppData\...\cookies.sqlite-shm (data); 11 other files (none is malicious)
  Signatures: Attempt to bypass Chrome Application-Bound Encryption; Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal ftp login credentials; 4 other signatures
  chrome.exe (started by De5T3PrGUQ.exe)
    Network: 192.168.2.4 (ports 138, 443, 49471)
    chrome.exe (child process)
      Network: play.google.com 142.250.185.110:443 (GOOGLEUS, United States); www.google.com 142.250.186.68:443 (GOOGLEUS, United States); 2 other IPs or domains
  WerFault.exe (two instances, started by De5T3PrGUQ.exe)
    Files dropped: C:\ProgramData\Microsoft\...\Report.wer (Unicode), one per instance
Threat name:
Win32.Trojan.SpywareX
Status:
Malicious
First seen:
2025-03-18 21:31:12 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:stealc botnet:default credential_access discovery spyware stealer
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Downloads MZ/PE file
Uses browser remote debugging
Stealc
Stealc family
Verdict:
Suspicious
Tags:
stealer stealc
YARA:
n/a
Unpacked files
SHA256 hash:
785c32a65738f3aff0a7dcf1e12f0f852a7e517672e8c18172d6e59bcb2ce0ef
MD5 hash:
db9948099f3d8d9b1d660b54407ded0b
SHA1 hash:
eecbeee26a05d0db9058f2509a5e1aa275a00dc9

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Check_OutputDebugStringA_iat
Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: Detect_PowerShell_Obfuscation
Author: daniyyell
Description: Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Author: ditekSHen
Description: Detect binaries embedding a considerable number of cryptocurrency wallet browser extension IDs.
Rule name: INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
Author: ditekSHen
Description: Detect binaries embedding a considerable number of MFA browser extension IDs.
Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name: infostealer_win_stealc_standalone
Description: Find standalone Stealc sample based on decryption routine or characteristic strings
Reference: https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/
Rule name: Macos_Infostealer_Wallets_8e469ea0
Author: Elastic Security
Rule name: malware_Stealc_str
Author: JPCERT/CC Incident Response Group
Description: Stealc infostealer
Rule name: pe_detect_tls_callbacks
Rule name: RANSOMWARE
Author: ToroGuitar
Rule name: Stealc
Author: kevoreilly
Description: Stealc Payload
Rule name: Stealer_Stealc
Author: Still
Description: attempts to match instructions/strings found in Stealc
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
Rule name: Windows_Generic_Threat_2bba6bae
Author: Elastic Security
Rule name: win_stealc_generic
Author: dubfib
Rule name: win_stealc_w0
Author: crep1x
Description: Find standalone Stealc sample based on decryption routine or characteristic strings
Reference: https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Stealc
Sample: Executable exe 785c32a65738f3aff0a7dcf1e12f0f852a7e517672e8c18172d6e59bcb2ce0ef (this sample)