MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80de2633a99c32d2153c688a919441c977b0897358c45875b4c9834f7868e333. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 12

Intelligence 12 IOCs YARA 9 File information Comments

SHA256 hash:	80de2633a99c32d2153c688a919441c977b0897358c45875b4c9834f7868e333
SHA3-384 hash:	8e2740e487d750071d910bc1ed293e9ab0784097e90532861ddadbc11b3fd4cfd6f901953c3ccec1ad4f8ff586e582b3
SHA1 hash:	3b39b949657bfb809105e0e3440c39c4fb9404ce
MD5 hash:	05cac23ad10f4a717a7787f6f73dcbcd
humanhash:	north-fish-mirror-kilo
File name:	05cac23ad10f4a717a7787f6f73dcbcd.exe
Download:	download sample
Signature	Stealc Create hunting rule
File size:	2'560'096 bytes
First seen:	2023-07-20 23:00:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	49152:6zrUlEJ23sUU8Q+A67wrpwrpicpycpgRe+mQRIWk:6zrU2JQ9A67w6g9bm
Threatray	261 similar samples on MalwareBazaar
TLSH	T1ECC5B7B2D285ECBDE02740BD8D65D261291BFF588068953D345AFA1525F3383A0EBE1F
TrID	46.3% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 19.7% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 10.4% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 6.6% (.EXE) Win64 Executable (generic) (10523/12/4) 4.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):
dhash icon	fce4c0d0d0c4f4f0 (1 x Stealc)
Reporter	abuse_ch
Tags:	exe Stealc

abuse_ch

Stealc C2:
http://91.212.166.50/812472d22955f523.php

Intelligence

File Origin

# of uploads :

# of downloads :

288

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

05cac23ad10f4a717a7787f6f73dcbcd.exe

Verdict:

Malicious activity

Analysis date:

2023-07-20 23:01:09 UTC

Tags:

stealc stealer loader

Link:

https://app.any.run/tasks/a5722618-8607-4c34-81d8-ada7ff2acd31

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/427239/

Detection(s):

SecuriteInfo.com.Variant.MSILHeracles.95229.7693.4313.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug explorer lolbin msbuild obfuscated overlay packed stealer

Link:

https://www.filescan.io/uploads/64b9bcae3a9a868a3c4fd330/reports/0e008d95-3a87-43fd-88e1-1c4171df925d/overview

Verdict:

Malicious

Labled as:

MSILHeracles.Generic

Link:

https://www.hybrid-analysis.com/sample/80de2633a99c32d2153c688a919441c977b0897358c45875b4c9834f7868e333

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Oski Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/54a49346-1e1d-4ff8-819c-0a4fa1956071

Result

Threat name:

Stealc, Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1277109

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after checking locale)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Searches for specific processes (likely to inject)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Stealc

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/80de2633a99c32d2153c688a919441c977b0897358c45875b4c9834f7868e333/

Threat name:

Win32.Spyware.Stealc

Status:

Malicious

First seen:

2023-07-16 02:16:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

161

AV detection:

19 of 25 (76.00%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qdpcmm5jtqznefj4ncfjdfcbzf33bcltldcfq5nuzgbu66di4mzq._file

Verdict:

malicious

Stealc

86d03db5bc38058981a38f02f81530fd8fabb10d2911377ecdee221cc525c63a

Stealc

8933096a3a5c51c79403a2dd9bb1db722ec059cb135b203ec1393c0ea3bd15de

Stealc

8a2cf17eb94a6e38695b90efc25180fe632979ecad0e84954bde357c97d3695b

Stealc

a1a47aa6139e363e0c8aaf7e5fe00ba1f5df02b660fd158deec23c3f4c910cfa

Stealc

c4b6bb4bd33e3ef107781a21eb0dedb82dbe90c4e9d6f0b19620c8940e18fa6b

Stealc

d87502f99648aac5100598129fd31648afb3dce99bfaf4274dce3997c1bfa6d7

Stealc

f244a694cb0f831e3fd68edf484444700378106be5fe03cc5b3dfd6125331871

Stealc

+ 251 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

spyware

Link:

https://tria.ge/reports/230720-2zh29sbe9y/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Loads dropped DLL

Downloads MZ/PE file

Unpacked files

SH256 hash:

bfa12a2456d40d6c32a1f4e35bd43c81f6f67466234faed8fec19397d0e6d808

MD5 hash:

7a7927bac28be846b2fd2a5d10ba0676

SHA1 hash:

67a7b8616fc8e7aa7bb7a6e2521548e67a7caa2d

Link:

https://www.unpac.me/results/73117085-03b5-4a83-a508-9f2d06f3670b/

Parent samples :

fb110b1db7c02725d6cb0953cf153a2b5e158d358db136aece90ac06d79cb07d
80dd6d009a2b7ab7aa393d063048320db5ea3920a4fd9cca4a0a76f12183273f

SH256 hash:

c7a00603dfaeddc8d9ec3501727b60e31f995995a566b73e3ff2393d5e8c6d20

MD5 hash:

f04155d0c96246210686a44440874164

SHA1 hash:

3ab5aa00ad33f6de7038e416ee54619768a8e5b0

Link:

https://www.unpac.me/results/73117085-03b5-4a83-a508-9f2d06f3670b/

SH256 hash:

80de2633a99c32d2153c688a919441c977b0897358c45875b4c9834f7868e333

MD5 hash:

05cac23ad10f4a717a7787f6f73dcbcd

SHA1 hash:

3b39b949657bfb809105e0e3440c39c4fb9404ce

Link:

https://www.unpac.me/results/73117085-03b5-4a83-a508-9f2d06f3670b/

Malware family:

Stealc

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/80de2633a99c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/80de2633a99c32d2153c688a919441c977b0897358c45875b4c9834f7868e333

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BAZT_B5_NOCEXInvalidStream Create hunting rule

Rule name:	detect_Mars_Stealer Create hunting rule
Author:	@malgamy12
Description:	detect_Mars_Stealer

Rule name:	infostealer_win_stealc_standalone Create hunting rule
Description:	Find standalone Stealc sample based on decryption routine or characteristic strings
Reference:	https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	sus_pe_free_without_allocation Create hunting rule
Author:	Maxime THIEBAUT (@0xThiebaut)
Description:	Detects an executable importing functions to free memory without importing allocation functions, often indicative of dynamic import resolution

Rule name:	win_stealc_w0 Create hunting rule
Author:	crep1x
Description:	Find standalone Stealc sample based on decryption routine or characteristic strings
Reference:	https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/427239/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample