MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80854fed8904bb69c71467dae8cfc5d317c1c5e4531791b4811aa2ba089e7f42. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 80854fed8904bb69c71467dae8cfc5d317c1c5e4531791b4811aa2ba089e7f42
SHA3-384 hash: 795eed7d2fc0d198979cbbe61f06860f2706c74c8f1a2d00f945eefbb3db1b55e12744e25786674099306c7b0eec5aaf
SHA1 hash: 03c1e1fd44ad19c6c1fbc8ccaed3fc3988405e00
MD5 hash: 51d63afc7f8211d5cc4885e769e4a373
humanhash: wisconsin-hotel-music-cola
File name:51d63afc7f8211d5cc4885e769e4a373.exe
Download: download sample
Signature Stealc
Create hunting rule
File size:1'892'864 bytes
First seen:2023-07-13 11:47:20 UTC
Last seen:2023-07-13 11:53:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2092a58157ecbe133e1b58bcfcce0a3e (1 x Stealc)
ssdeep 24576:H4wUP9WxjtaQau7j80e2l2VrzI1kaBmV2jB:H4pq6YoiI1gBL
Threatray 333 similar samples on MalwareBazaar
TLSH T1CD95C55CB2E0DDE0C6A8817A3785C96AD124FE301E06E966B7D7F75B25300CAD60EB17
TrID 43.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
22.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
9.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e4f4a494acb4b0a4 (6 x Stealc, 2 x MarsStealer, 2 x Formbook)
Reporter obfusor
Tags:exe Stealc

Intelligence

File Origin
# of uploads :
2
# of downloads :
274
Origin country :
HK HK
Vendor Threat Intelligence
Malware family:
oski
Create hunting rule
ID:
1
File name:
51d63afc7f8211d5cc4885e769e4a373.exe
Verdict:
Malicious activity
Analysis date:
2023-07-13 11:48:12 UTC
Tags:
lumma oski stealc trojan stealer loader
Link:
https://app.any.run/tasks/431856ed-e87b-49ea-b9f0-905cf3b12641

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/417347/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.31240.10776.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Sending a custom TCP request
Launching a process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/97434/overview
Behaviour
MalwareBazaar
CPUID_Instruction
CheckCmdLine
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
anti-debug explorer lolbin
Link:
https://www.filescan.io/uploads/64afe4766e9f7019dea02d2f/reports/9343666e-7106-4a07-b408-cf3b44a42023/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/80854fed8904bb69c71467dae8cfc5d317c1c5e4531791b4811aa2ba089e7f42
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/098c20a8-b375-46c1-8e63-0672b1861eac
Result
Threat name:
Stealc, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1272443
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/80854fed8904bb69c71467dae8cfc5d317c1c5e4531791b4811aa2ba089e7f42/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-13 11:48:08 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qccu73mjas5wtryum7nort6f2ml4drpekmlzdnebdkrluce6p5ba._file
Verdict:
suspicious
Similar samples:
19427b9f9fffb7a1518d34f453ea37aefc298b157c8f15a4f1ddd8ca0df00eda
Stealc
1cc4fab54263dfa842c80a72b78a9c223894264b9b4f25263d8fdc2f69def8a1
Stealc
2ac28f2913c6e2d231d0b67b49a3491f4046221a42ca349f586e0532ac257575
Stealc
4053220e58d30e514ab543a64e3854e7c411bfa084c000172cdfe6d3e8f65875
Stealc
5069d4603ed9201d98988deb46e1e5627d622f47a498b3decb96ae1b02da3496
Stealc
5edb99afba36f3aa19c0b065b263b65e27d37d588c5441d5f9518e8423480344
Stealc
7c397e8792e6dbc64b6d5fd80a2ed4d82e76c1e0e9d7a262f089e1c1e8c438df
Stealc
99cd4e51fb0f2d9ba76ee4d12afd5c3cd096f0c390ecf657ea3a3d78158451ef
Stealc
c1e64e86dd89a5820bbb518ead2176741f91d3bf5c579e154533d44e816c1f76
Stealc
f244a694cb0f831e3fd68edf484444700378106be5fe03cc5b3dfd6125331871
Stealc
+ 323 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/230713-nyfc4ahd8w/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Unpacked files
SH256 hash:
863de9242d4a88aee981ec1afca31f086103b34e076a3f07fefd2f0bde860c0f
MD5 hash:
4112a1cd65fe1e54f4f51eea105a9ec3
SHA1 hash:
79a26ee93e099037f866f5069afd66a298b97356
Link:
https://www.unpac.me/results/809e0438-c431-4f3c-8aaa-92df4b9d299a/
SH256 hash:
80854fed8904bb69c71467dae8cfc5d317c1c5e4531791b4811aa2ba089e7f42
MD5 hash:
51d63afc7f8211d5cc4885e769e4a373
SHA1 hash:
03c1e1fd44ad19c6c1fbc8ccaed3fc3988405e00
Link:
https://www.unpac.me/results/809e0438-c431-4f3c-8aaa-92df4b9d299a/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/80854fed8904/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Mars_Stealer
Create hunting rule
Author:@malgamy12
Description:detect_Mars_Stealer
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of MFA browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:sus_pe_free_without_allocation
Create hunting rule
Author:Maxime THIEBAUT (@0xThiebaut)
Description:Detects an executable importing functions to free memory without importing allocation functions, often indicative of dynamic import resolution
Rule name:yara_template
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/417347/

Comments