MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8023c565c8b81a74e3f7a794fd6c97488dcd38c68cbbfbff9aeb09b74002cd1a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc
Vendor detections: 15

SHA256 hash: 8023c565c8b81a74e3f7a794fd6c97488dcd38c68cbbfbff9aeb09b74002cd1a
SHA3-384 hash: ed71b5c4069f91d0ff05011642e66a21856985d2dc0c43a62d45000520b45e6d05b9e1d8e2fd26f37d88eafc8a931e50
SHA1 hash: caf3ffbca788ed96005ee0d8c1df12ee27c6e9d6
MD5 hash: 8c2559ac5957034f02dab51b6409e3d4
humanhash: butter-jersey-mississippi-harry
File name: updated_installer_for_windows_pcs.exe
Signature: Stealc
File size: 5'680'296 bytes
First seen: 2023-12-22 19:11:12 UTC
Last seen: 2023-12-22 20:15:11 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 49152:VsFqlNbIyOWaUui4wp0epYBTfIJ5ZVvPUDxH+Xe9FTb+jfaqunqFW7/BhJlP+7CT:GeNbIli4wUBKnWH3s/GqCHbP6CG65Ufw
Threatray: 295 similar samples on MalwareBazaar
TLSH: T1A7467C02BF918E66F15D1437C6CE400893B4E8256792E32B7DBC323D9A52352B867DDE
TrID:
  47.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  20.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  8.4% (.SCR) Windows screen saver (13097/50/3)
  6.8% (.EXE) Win64 Executable (generic) (10523/12/4)
  4.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE): (icon image not reproduced here)
dhash icon: f4a0e898988a8089 (1 x Stealc)
Reporter: adm1n_usa32
Tags: exe signed Stealc

Code Signing Certificate

Organisation: Nsync Global
Issuer: Nsync Global
Algorithm: sha512WithRSAEncryption
Valid from: 2023-12-16T17:41:34Z
Valid to: 2024-10-08T00:00:00Z
Serial number: 07b4945e807f28439c4572b78084dd05
Thumbprint algorithm: SHA256
Thumbprint: 91ccb7ca2debf2996c5b47055f1ce24062a121a526b53dca377704e6a6340b55
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 2
# of downloads: 313
Origin country: RO

Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: control lolbin macros-on-open net_reactor obfuscated overlay packed packed regsvcs
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Stealc, Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
DLL side loading technique detected
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Threat name: Win32.Spyware.Stealc
Status: Suspicious
First seen: 2023-12-22 01:32:55 UTC
File Type: PE (.Net Exe)
Extracted files: 487
AV detection: 12 of 37 (32.43%)
Threat level: 2/5

Result
Malware family:
Score: 10/10
Tags: family:stealc stealer
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Downloads MZ/PE file
Stealc
Malware Config
C2 Extraction: http://95.216.72.17
Unpacked files
SHA256 hash: 940ef395076c51a5948521c6ccc6ba72d58b3b12c446ee2f98b50a75f255b3b5
MD5 hash: 92a848d51fe6641f17dcd57196158ecf
SHA1 hash: 8d5cb5b104877ba3b602a9135045928a21fdda40
Detections: stealc win_stealc_auto win_stealc_a0 win_stealc_bytecodes_oct_2023

SHA256 hash: 8023c565c8b81a74e3f7a794fd6c97488dcd38c68cbbfbff9aeb09b74002cd1a
MD5 hash: 8c2559ac5957034f02dab51b6409e3d4
SHA1 hash: caf3ffbca788ed96005ee0d8c1df12ee27c6e9d6

Please note that we are no longer able to provide a coverage score for VirusTotal.
