MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 805092e0147098b3b21bf2c822e85b3591ce27a8ac1c3be99829fb2747ca02f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 805092e0147098b3b21bf2c822e85b3591ce27a8ac1c3be99829fb2747ca02f0
SHA3-384 hash: f218c83b55a99e657897bb3c7d181b8bbc58d80a3fc9ba5fefb0b4fe990a47221b95face082bf311ad89fd9875b0a5ae
SHA1 hash: 255a1c50692cdd4bd995a4f97e35b081dccb4042
MD5 hash: e6baa0a669a44ea6d98585bedee9fc7b
humanhash: victor-earth-potato-batman
File name:file
Download: download sample
Signature Stealc
Create hunting rule
File size:1'768'672 bytes
First seen:2023-12-28 16:30:06 UTC
Last seen:2023-12-28 18:17:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:i2L7AOrqaJO4+ARXRBMdkLMucB/a8FeDkiUwvnJb5aHQ1UzRLIkqjVnlqud+/2Pb:jfAaqgz8dkCe4i9JQUackqXfd+/9Ap
TLSH T15085E0265CA12D30FAC68F5FC4BDAD53C32161B26FDEE44E79C461E147312A66F80B68
TrID 35.4% (.EXE) Win64 Executable (generic) (10523/12/4)
22.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.1% (.EXE) Win32 Executable (generic) (4505/5/1)
6.9% (.ICL) Windows Icons Library (generic) (2059/9)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter jstrosch
Tags:.NET exe MSIL signed Stealc

Code Signing Certificate

Organisation:Microsoft Code Signing PCA 2011
Issuer:Microsoft Code Signing PCA 2011
Algorithm:sha256WithRSAEncryption
Valid from:2023-12-27T01:57:51Z
Valid to:2024-12-27T01:57:51Z
Serial number: 794720ca1a7cfce33ea123f5d31f1f99
Thumbprint Algorithm:SHA256
Thumbprint: 130cd2851e804d674f79c4842b845fd24d5363736e2d43d799945b625bb562ec
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
320
Origin country :
US US
Vendor Threat Intelligence
Malware family:
kelihos
Create hunting rule
ID:
1
File name:
3458374593870239485735235.exe
Verdict:
Malicious activity
Analysis date:
2023-12-27 16:47:43 UTC
Tags:
opendir hausbomber loader risepro stealer metasploit evasion kelihos trojan stealc payload lumma nanocore
Link:
https://app.any.run/tasks/99ed58da-9830-48ed-b176-6287c6e3ee3f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/469528/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.4488.13934.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a process from a recently created file
Creating a file in the %temp% directory
Creating a window
Searching for synchronization primitives
Connecting to a non-recommended domain
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Searching for the window
Creating a file in the Program Files subdirectories
Creating a file in the Windows subdirectories
Sending a UDP request
Changing a file
Blocking the User Account Control
Query of malicious DNS domain
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/658da2c8b855eb3693fedb73/reports/c59f51d2-9a9e-400c-ab25-235a9a4bad3d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/805092e0147098b3b21bf2c822e85b3591ce27a8ac1c3be99829fb2747ca02f0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9f9a6f9d-79ae-4764-a13f-5ad135cfc82c
Result
Threat name:
Stealc, Vidar
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1367742
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contain functionality to detect virtual machines
Contains functionality to detect sleep reduction / modifications
Creates an undocumented autostart registry key
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables UAC (registry)
Drops script or batch files to the startup folder
Found API chain indicative of debugger detection
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1367742 Sample: file.exe Startdate: 28/12/2023 Architecture: WINDOWS Score: 100 132 Multi AV Scanner detection for domain / URL 2->132 134 Found malware configuration 2->134 136 Malicious sample detected (through community Yara rule) 2->136 138 14 other signatures 2->138 8 file.exe 2 4 2->8         started        11 cmd.exe 2->11         started        13 cmd.exe 2->13         started        process3 signatures4 140 Writes to foreign memory regions 8->140 142 Allocates memory in foreign processes 8->142 144 Adds extensions / path to Windows Defender exclusion list (Registry) 8->144 146 3 other signatures 8->146 15 InstallUtil.exe 15 108 8->15         started        20 powershell.exe 22 8->20         started        22 oOalDZ9w9PUNReBLbwz78EEw.exe 11->22         started        24 conhost.exe 11->24         started        26 conhost.exe 13->26         started        28 fB7vjdYvDF3xUbkdmPwjjiou.exe 13->28         started        process5 dnsIp6 100 5.42.64.35 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 15->100 102 107.167.110.211 OPERASOFTWAREUS United States 15->102 104 15 other IPs or domains 15->104 50 C:\Users\...\zZBMgyJjJo23ClZZ34G17UF5.exe, PE32 15->50 dropped 52 C:\Users\...\t3x9wRTCv2tA3znHAluCbIl1.exe, PE32 15->52 dropped 54 C:\Users\...\szFifeVBnFAfMVejTFQa4Alg.exe, PE32 15->54 dropped 56 62 other malicious files 15->56 dropped 124 Drops script or batch files to the startup folder 15->124 126 Creates HTML files with .exe extension (expired dropper behavior) 15->126 128 Writes many files with high entropy 15->128 30 zZBMgyJjJo23ClZZ34G17UF5.exe 15->30         started        35 HvmRP9fB2Rs2h5yU4PNqSocb.exe 15->35         started        37 HpXhrbK2MkWyfpssQzHyiYbA.exe 15->37         started        41 25 other processes 15->41 39 conhost.exe 20->39         started        130 Multi AV Scanner detection for dropped file 22->130 file7 signatures8 process9 dnsIp10 86 104.237.62.212 WEBNXUS United States 30->86 88 91.92.254.7 THEZONEBG Bulgaria 30->88 90 185.172.128.53 NADYMSS-ASRU Russian Federation 30->90 76 5 other malicious files 30->76 dropped 106 Multi AV Scanner detection for dropped file 30->106 43 nsc2B03.tmp 30->43         started        48 BroomSetup.exe 30->48         started        66 C:\Users\user\AppData\Local\Temp\...\Zip.dll, PE32 35->66 dropped 68 C:\Users\user\AppData\Local\...\Checker.dll, PE32 35->68 dropped 78 11 other malicious files 35->78 dropped 108 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 35->108 110 Writes many files with high entropy 35->110 96 2 other IPs or domains 37->96 80 3 other malicious files 37->80 dropped 112 Query firmware table information (likely to detect VMs) 37->112 114 Creates an undocumented autostart registry key 37->114 116 Contain functionality to detect virtual machines 37->116 92 107.167.110.217 OPERASOFTWAREUS United States 41->92 94 107.167.125.189 OPERASOFTWAREUS United States 41->94 98 7 other IPs or domains 41->98 70 C:\Users\user\AppData\Local\Temp\...\Zip.dll, PE32 41->70 dropped 72 C:\Users\user\AppData\Local\...\Checker.dll, PE32 41->72 dropped 74 C:\Users\user\AppData\Local\Temp\...\Zip.dll, PE32 41->74 dropped 82 14 other malicious files 41->82 dropped 118 Found API chain indicative of debugger detection 41->118 120 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 41->120 122 Contains functionality to detect sleep reduction / modifications 41->122 file11 signatures12 process13 dnsIp14 84 5.42.66.58 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 43->84 58 C:\Users\user\AppData\...\softokn3[1].dll, PE32 43->58 dropped 60 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 43->60 dropped 62 C:\Users\user\AppData\...\mozglue[1].dll, PE32 43->62 dropped 64 9 other files (5 malicious) 43->64 dropped 148 Detected unpacking (changes PE section rights) 43->148 150 Detected unpacking (overwrites its own PE header) 43->150 152 Tries to steal Mail credentials (via file / registry access) 43->152 156 3 other signatures 43->156 154 Multi AV Scanner detection for dropped file 48->154 file15 signatures16
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/805092e0147098b3b21bf2c822e85b3591ce27a8ac1c3be99829fb2747ca02f0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/805092e0147098b3b21bf2c822e85b3591ce27a8ac1c3be99829fb2747ca02f0/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-12-27 06:11:39 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
17 of 37 (45.95%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qbijfyauocmlhmq36lecf2c3gwi44j5ivqodx2myfh5sor6kalya._file
Verdict:
malicious
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:stealc dropper evasion loader stealer trojan upx
Link:
https://tria.ge/reports/231228-t1c9eahgg9/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
System policy modification
NSIS installer
Enumerates physical storage devices
Program crash
Launches sc.exe
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
UPX packed file
Windows security modification
Downloads MZ/PE file
Modifies Windows Firewall
Glupteba
Glupteba payload
Stealc
UAC bypass
Windows security bypass
Malware Config
C2 Extraction:
http://5.42.66.58
Unpacked files
SH256 hash:
8e53cee38028793baa6e3fc90af21731fb494ee12a8ad647efaf4c84152095ea
MD5 hash:
e8b75da40ac245676bc4ab7821e26dc5
SHA1 hash:
ad2e5606a06ac7918d36097e6077a592f9a60c9b
Link:
https://www.unpac.me/results/e225ef63-2160-4c6f-890e-4ad356e64276/
SH256 hash:
805092e0147098b3b21bf2c822e85b3591ce27a8ac1c3be99829fb2747ca02f0
MD5 hash:
e6baa0a669a44ea6d98585bedee9fc7b
SHA1 hash:
255a1c50692cdd4bd995a4f97e35b081dccb4042
Link:
https://www.unpac.me/results/e225ef63-2160-4c6f-890e-4ad356e64276/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/805092e01470/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/805092e0147098b3b21bf2c822e85b3591ce27a8ac1c3be99829fb2747ca02f0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe 805092e0147098b3b21bf2c822e85b3591ce27a8ac1c3be99829fb2747ca02f0

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2743765/
Cape
Cape
https://www.capesandbox.com/analysis/469528/

Comments