MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a38bcb9c89732b668e65f34514df019f36e1d5db571b5f5c4e37522639b78ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 19


Intelligence 19 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7a38bcb9c89732b668e65f34514df019f36e1d5db571b5f5c4e37522639b78ab
SHA3-384 hash: 20d4b79beea3fc50cf7b6dbca9f1bb64ff9157a1c71041d0109282640cf12d64e2b07c0906f99f664c6e185d3e9695c1
SHA1 hash: e8c7b84ef9ba6956a07f7237085b1846ddcde389
MD5 hash: 32adb87599230b727eccf46c5667e5f2
humanhash: nineteen-bacon-happy-hawaii
File name:7a38bcb9c89732b668e65f34514df019f36e1d5db571b.exe
Download: download sample
Signature Stealc
Create hunting rule
File size:2'383'360 bytes
First seen:2023-12-15 19:30:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:SuOzsGwNJp72gr0XQZ/8VM+giH+pmGj1DrGpc85Rwxh:4fwnEg4hVvNCm6GpR5Rw
TLSH T1D6B52323A2D8C472E8E4A3757DF40386263738E118B9C66B2761748FD872ED9A531773
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe Stealc


Avatar
abuse_ch
Stealc C2:
91.92.249.253:50500

Intelligence

File Origin
# of uploads :
1
# of downloads :
335
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
22bb8671ed43b6236eb076258477211d.exe
Verdict:
Malicious activity
Analysis date:
2023-12-15 19:21:24 UTC
Tags:
loader smoke smokeloader stealer redline risepro evasion
Link:
https://app.any.run/tasks/889e1677-ef3a-4a0f-8073-8b1632d3d194

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/467753/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer installer lolbin lolbin packed replace rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/657ca97ab290743934e5eec0/reports/a09525e1-67e6-4822-9db7-4f231b36b3d2/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/7a38bcb9c89732b668e65f34514df019f36e1d5db571b5f5c4e37522639b78ab
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/18dc8d73-3e75-469c-a78b-2c8c34178c12
Result
Threat name:
LummaC Stealer, RedLine, RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1362992
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking computer name)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
PE file has a writeable .text section
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected LummaC Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected SmokeLoader
Yara detected Stealc
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1362992 Sample: 7a38bcb9c89732b668e65f34514... Startdate: 15/12/2023 Architecture: WINDOWS Score: 100 117 soupinterestoe.fun 2->117 119 reviveincapablewew.pw 2->119 121 13 other IPs or domains 2->121 137 Snort IDS alert for network traffic 2->137 139 Found malware configuration 2->139 141 Malicious sample detected (through community Yara rule) 2->141 143 18 other signatures 2->143 10 7a38bcb9c89732b668e65f34514df019f36e1d5db571b.exe 1 4 2->10         started        13 svchost.exe 2->13         started        16 svchost.exe 1 2->16         started        18 12 other processes 2->18 signatures3 process4 dnsIp5 97 C:\Users\user\AppData\Local\...\5FH4Xn7.exe, PE32 10->97 dropped 99 C:\Users\user\AppData\Local\...\2gF6111.exe, PE32 10->99 dropped 21 5FH4Xn7.exe 10->21         started        24 2gF6111.exe 15 3 10->24         started        173 Changes security center settings (notifications, updates, antivirus, firewall) 13->173 175 Query firmware table information (likely to detect VMs) 16->175 123 127.0.0.1 unknown unknown 18->123 27 conhost.exe 18->27         started        29 conhost.exe 18->29         started        31 WerFault.exe 18->31         started        33 WerFault.exe 18->33         started        file6 signatures7 process8 dnsIp9 145 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 21->145 147 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 21->147 149 Maps a DLL or memory area into another process 21->149 155 2 other signatures 21->155 35 explorer.exe 21->35 injected 135 77.91.124.172, 49703, 80 ECOTEL-ASRU Russian Federation 24->135 151 Machine Learning detection for dropped file 24->151 153 Found many strings related to Crypto-Wallets (likely being stolen) 24->153 40 RegAsm.exe 15 69 24->40         started        42 RegAsm.exe 24->42         started        signatures10 process11 dnsIp12 125 185.215.113.68, 49720, 80 WHOLESALECONNECTIONSNL Portugal 35->125 127 5.42.65.125, 49730, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 35->127 133 2 other IPs or domains 35->133 81 C:\Users\user\AppData\Local\TempF05.exe, PE32 35->81 dropped 83 C:\Users\user\AppData\Local\Temp\DEB9.exe, PE32 35->83 dropped 85 C:\Users\user\AppData\Local\Temp\DB8B.exe, PE32 35->85 dropped 93 4 other malicious files 35->93 dropped 157 System process connects to network (likely due to code injection or exploit) 35->157 159 Benign windows process drops PE files 35->159 44 DB8B.exe 35->44         started        48 D281.exe 35->48         started        51 D550.exe 35->51         started        59 4 other processes 35->59 129 91.92.249.253, 49706, 50500 THEZONEBG Bulgaria 40->129 131 ipinfo.io 34.117.186.192, 443, 49707 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 40->131 87 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 40->87 dropped 89 C:\...\iT56iP1zDPV3gXF62WEaPH7ASv3eSN1Q.zip, Zip 40->89 dropped 91 C:\Users\user\AppData\...\FANBooster131.exe, PE32 40->91 dropped 95 2 other files (none is malicious) 40->95 dropped 161 Found many strings related to Crypto-Wallets (likely being stolen) 40->161 163 Tries to harvest and steal browser information (history, passwords, etc) 40->163 53 cmd.exe 40->53         started        55 cmd.exe 40->55         started        57 WerFault.exe 40->57         started        165 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 42->165 167 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 42->167 169 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 42->169 171 Queries memory information (via WMI often done to detect virtual machines) 42->171 file13 signatures14 process15 dnsIp16 101 C:\Users\user\AppData\Roaming\...\File2.exe, PE32 44->101 dropped 103 C:\Users\user\AppData\Roaming\...\File1.exe, PE32 44->103 dropped 177 Machine Learning detection for dropped file 44->177 61 File2.exe 44->61         started        64 File1.exe 44->64         started        67 conhost.exe 44->67         started        105 neighborhoodfeelsa.fun 104.21.87.137, 49724, 80 CLOUDFLARENETUS United States 48->105 107 ratefacilityframw.fun 172.67.161.55, 49727, 80 CLOUDFLARENETUS United States 48->107 113 3 other IPs or domains 48->113 179 Antivirus detection for dropped file 48->179 181 Detected unpacking (changes PE section rights) 48->181 183 Detected unpacking (overwrites its own PE header) 48->183 185 Found evasive API chain (may stop execution after checking computer name) 48->185 69 WerFault.exe 48->69         started        109 176.123.7.190, 32927, 49723, 49732 ALEXHOSTMD Moldova Republic of 51->109 187 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 51->187 189 Found many strings related to Crypto-Wallets (likely being stolen) 51->189 191 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 51->191 193 Uses schtasks.exe or at.exe to add and modify task schedules 53->193 71 schtasks.exe 53->71         started        73 conhost.exe 53->73         started        75 conhost.exe 55->75         started        77 schtasks.exe 55->77         started        111 77.105.132.161 PLUSTELECOM-ASRU Russian Federation 59->111 79 3 other processes 59->79 file17 signatures18 process19 dnsIp20 195 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 61->195 197 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 61->197 199 Tries to harvest and steal browser information (history, passwords, etc) 61->199 115 176.123.10.211, 47430, 49729 ALEXHOSTMD Moldova Republic of 64->115 signatures21
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7a38bcb9c89732b668e65f34514df019f36e1d5db571b5f5c4e37522639b78ab
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7a38bcb9c89732b668e65f34514df019f36e1d5db571b5f5c4e37522639b78ab/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-12-15 19:31:06 UTC
File Type:
PE (Exe)
Extracted files:
40
AV detection:
15 of 23 (65.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pi4lzoois4zlm2hgl42fctpqdhzw4hk5wvy3l5oe4n2sey43pcvq._file
Verdict:
malicious
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:lumma family:redline family:smokeloader botnet:@oleh_ps backdoor collection discovery infostealer persistence spyware stealer trojan
Link:
https://tria.ge/reports/231215-x8cjmaghhn/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Detect Lumma Stealer payload V4
Lumma Stealer
RedLine
RedLine payload
SmokeLoader
Malware Config
C2 Extraction:
http://185.215.113.68/fks/index.php
176.123.7.190:32927
Unpacked files
SH256 hash:
0532bfebd5ae16d1227a5be21fab1b16b4892d52d03b6e6bdace5cee046b68a4
MD5 hash:
fa5d8ee296c9292a2d68c93049039d33
SHA1 hash:
e3bf174cb3c7dca5c1f694b6ee2a1d87aa5bf001
Link:
https://www.unpac.me/results/1f0727cf-8fb8-43d9-8f44-67a5de30b8fb/
SH256 hash:
b9b6d2494b5060293b5ada80906ade2482f2665271429cb6de7acb9c5cdd03e2
MD5 hash:
290b0ce842ce298f62f54bbde6540288
SHA1 hash:
8376b6b4fcf96908e7ecf48d474c6cd38b0d25d6
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/1f0727cf-8fb8-43d9-8f44-67a5de30b8fb/
Parent samples :
86ff6e63847f8d6f1d7038a00b991f9b89f8754471000e044951a2125c463a9c
7a38bcb9c89732b668e65f34514df019f36e1d5db571b5f5c4e37522639b78ab
SH256 hash:
7a38bcb9c89732b668e65f34514df019f36e1d5db571b5f5c4e37522639b78ab
MD5 hash:
32adb87599230b727eccf46c5667e5f2
SHA1 hash:
e8c7b84ef9ba6956a07f7237085b1846ddcde389
Detections:
win_redline_wextract_hunting_oct_2023
Create hunting rule
Link:
https://www.unpac.me/results/1f0727cf-8fb8-43d9-8f44-67a5de30b8fb/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7a38bcb9c897/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7a38bcb9c89732b668e65f34514df019f36e1d5db571b5f5c4e37522639b78ab

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe 7a38bcb9c89732b668e65f34514df019f36e1d5db571b5f5c4e37522639b78ab

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2738241/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/467753/

Comments