MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 822d4a0dc03fa0348fc8a12c3e0c3c10ad433abbf34f858b64406beaf8606d87. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Stealc


Vendor detections: 19



SHA256 hash: 822d4a0dc03fa0348fc8a12c3e0c3c10ad433abbf34f858b64406beaf8606d87
SHA3-384 hash: 6d0735ef0ca869b0fd989323ffae9fd874dfc53aa0ce16126e45086d28be767a495711abf178ea94d8dd28d02ddd4fe1
SHA1 hash: 60c61650311944accdaf8fb78bca663d8cdde241
MD5 hash: 9753b8ad3204443226a2b298da8242be
humanhash: march-steak-texas-sweet
File name: 9753b8ad3204443226a2b298da8242be.exe
Signature: Stealc
File size: 421'376 bytes
First seen: 2024-09-02 00:15:07 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 68ea79aa2f3fa0077d4466d6e381bfbe (2 x Stealc)
ssdeep: 6144:KsL00ZALltugI4avTmF1Y58qg3h58A9rFo:KORZALltIm28d3hOAw
Threatray: 2'306 similar samples on MalwareBazaar
TLSH: T12994AF12E2E1FC64E5624A31DDEEC6E4672EB9514F3526BB32287F2F18703A1C56231D
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
dhash icon: 1a72c2db98585c0c (9 x Stealc, 6 x Tofsee, 5 x Smoke Loader)
Reporter: abuse_ch
Tags: exe Stealc


abuse_ch
Stealc C2:
http://91.202.233.158/e96ea2db21fa9a1b.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://91.202.233.158/e96ea2db21fa9a1b.php
ThreatFox reference: https://threatfox.abuse.ch/ioc/1319349/

Intelligence


File Origin
# of uploads: 1
# of downloads: 451
Origin country: NL

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 9753b8ad3204443226a2b298da8242be.exe
Verdict: Malicious activity
Analysis date: 2024-09-02 00:16:39 UTC
Tags: loader smokeloader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 70%
Tags: Network Stealth

Result
Verdict: Malware
Maliciousness:
Behaviour:
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Connection attempt
Sending an HTTP POST request
Enabling autorun by creating a file

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: epmicrosoft_visual_cc fingerprint microsoft_visual_cc packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Malicious Packer
Verdict: Malicious

Result
Threat name: CryptOne, SmokeLoader, Stealc
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature:
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Drops PE files with a suspicious file extension
Found malware configuration
Found stalling execution ending in API Sleep call
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript called in batch mode (suppress errors)
Yara detected CryptOne packer
Yara detected Powershell download and execute
Yara detected SmokeLoader
Yara detected Stealc
Behaviour
Behavior Graph (ID 1502576; sample V6n3oygctH.exe; start date 02/09/2024; architecture WINDOWS; score 100). The rendered graph did not survive extraction; the process tree, network contacts, dropped files and signatures that can be recovered from it are listed below.

Top-level network contacts:
- nicetolosv.xyz (Performs DNS queries to domains with low reputation)
- ycMmBvpGeMcYHBMfFqkIrUsoh.ycMmBvpGeMcYHBMfFqkIrUsoh
- 5 other IPs or domains
Top-level signatures: Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Found malware configuration; 14 other signatures

Process tree:
V6n3oygctH.exe
  signatures: Detected unpacking (changes PE section rights); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); 3 other signatures
  -> explorer.exe (injected)
     network: 94.228.169.44 port 80 (local port 49755; SSERVICE-ASRU, Russian Federation); free.cdn.hstgr.net 84.32.84.249 port 443 (local port 49764; NTT-LT-ASLT, Lithuania); epohe.ru 211.181.24.132 (local ports 49737, 49738, 49739; LGDACOM Corporation, Korea Republic of)
     dropped: C:\Users\user\AppData\Roaming\ecitguv (PE32); C:\Users\user\AppData\Local\Temp\9EFF.exe (PE32); C:\Users\user\AppData\Local\Temp\5316.exe (PE32); C:\Users\user\...\ecitguv:Zone.Identifier (ASCII)
     signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Deletes itself after installation; Hides that the sample has been downloaded from the Internet (zone.identifier)
     -> 9EFF.exe
        signatures: Machine Learning detection for dropped file; Found stalling execution ending in API Sleep call
        -> cmd.exe
           dropped: C:\Users\user\AppData\Local\Temp\...\Burn.pif (PE32)
           signatures: Drops PE files with a suspicious file extension; Uses schtasks.exe or at.exe to add and modify task schedules
           -> Burn.pif
              dropped: C:\Users\user\AppData\...\SwiftServe.scr (PE32); C:\Users\user\AppData\Local\...\SwiftServe.js (ASCII)
              signatures: Drops PE files with a suspicious file extension
           -> conhost.exe
           -> tasklist.exe
           -> 7 other processes
     -> 5316.exe
        dropped: C:\Users\user\AppData\...\svchost015.exe (PE32)
        signatures: Multi AV Scanner detection for dropped file; Contains functionality to inject code into remote processes; Writes to foreign memory regions; 3 other signatures
        -> svchost015.exe
           network: 91.202.233.158 port 80 (local port 49766; M247GB, Russian Federation)
     -> wscript.exe
        signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
        -> SwiftServe.scr
     -> 2 other processes
        dropped: C:\Users\user\AppData\...\SwiftServe.url (MS)
        -> conhost.exe
        -> schtasks.exe
        -> conhost.exe
ecitguv (first top-level instance)
  signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Maps a DLL or memory area into another process
ecitguv (second top-level instance)
wscript.exe (top-level instance)
Threat name: Win32.Trojan.Operaloader
Status: Malicious
First seen: 2024-09-02 00:16:11 UTC
File Type: PE (Exe)
Extracted files: 38
AV detection: 14 of 24 (58.33%)
Threat level: 5/5

Result
Malware family: smokeloader
Score: 10/10
Tags: family:smokeloader botnet:pub1 backdoor discovery trojan
Behaviour:
Checks SCSI registry key(s)
Program crash
System Location Discovery: System Language Discovery
SmokeLoader

Verdict: Suspicious
Tags: n/a
YARA: n/a

Unpacked files
SHA256 hash: 822d4a0dc03fa0348fc8a12c3e0c3c10ad433abbf34f858b64406beaf8606d87
MD5 hash: 9753b8ad3204443226a2b298da8242be
SHA1 hash: 60c61650311944accdaf8fb78bca663d8cdde241
Malware family: SmokeLoader
Verdict: Malicious

Please note that we are no longer able to provide a coverage score for VirusTotal.
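The indicators on this page come in two grades: the Stealc C2 URL reported by abuse_ch and listed in ThreatFox, and the additional IPs, domains, dropped files and scheduled-task activity recorded in the sandbox behaviour graph above. The following hunt script is an added example, not code from MalwareBazaar or abuse.ch: it takes the page's indicators and runs them over a handful of constructed proxy, DNS, file and process log lines. The log format, the host and user names, and the schtasks/wscript command lines are all made up for illustration; only the indicators themselves come from the page.

```python
"""Hunt for this sample's indicators in log lines.

Added example, not MalwareBazaar or abuse.ch code. The indicators come from
this page (reporter comment, ThreatFox entry, sandbox behaviour graph); the
log lines, their format, and the schtasks/wscript command lines are constructed.
"""
import re
from urllib.parse import urlsplit

# Stealc C2 reported by abuse_ch / ThreatFox: high confidence.
STEALC_C2_URLS = {"http://91.202.233.158/e96ea2db21fa9a1b.php"}
STEALC_C2_IPS = {"91.202.233.158"}
# Hosts the injected explorer.exe reached in the sandbox run: review, not proof.
CONTACTED_IPS = {"94.228.169.44", "84.32.84.249", "211.181.24.132"}
CONTACTED_DOMAINS = {"nicetolosv.xyz", "epohe.ru", "free.cdn.hstgr.net"}
# Dropped-file names from the behaviour graph; full paths were truncated on the page,
# so matching is on basename, scoped to AppData below.
DROPPED_BASENAMES = {"ecitguv", "9eff.exe", "5316.exe", "svchost015.exe",
                     "burn.pif", "swiftserve.scr", "swiftserve.js", "swiftserve.url"}

# key=value or key="quoted value" tokens (constructed log format).
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def norm_url(url: str) -> str:
    """scheme://host/path, lower-cased; ports and query strings must not defeat the match."""
    p = urlsplit(url.strip().lower())
    return f"{p.scheme}://{p.hostname}{p.path}"


C2_URL_KEYS = {norm_url(u) for u in STEALC_C2_URLS}


def parse_line(line: str):
    """'<ts> <kind> key=value key="quoted" ...' -> (ts, kind, fields)."""
    ts, kind, _rest = line.split(None, 2)
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in KV.finditer(line)}
    return ts, kind, fields


def domain_hit(name: str) -> bool:
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in CONTACTED_DOMAINS)


def classify(line: str) -> list:
    """Return the indicator names a single log line matches (empty list if none)."""
    _ts, kind, f = parse_line(line)
    hits = []
    if kind == "proxy":
        if "url" in f and norm_url(f["url"]) in C2_URL_KEYS:
            hits.append("stealc_c2_url")
        if f.get("dst") in STEALC_C2_IPS:
            hits.append("stealc_c2_ip")
        elif f.get("dst") in CONTACTED_IPS:
            hits.append("contacted_ip_review")
    elif kind == "dns" and domain_hit(f.get("query", "")):
        hits.append("contacted_domain_review")
    elif kind == "file":
        path = f.get("path", "").lower().replace("/", "\\")
        # Strip an alternate data stream suffix (ecitguv:Zone.Identifier -> ecitguv).
        base = path.rsplit("\\", 1)[-1].split(":", 1)[0]
        if "\\appdata\\" in path and base in DROPPED_BASENAMES:
            hits.append("dropped_file_name")
    elif kind == "proc":
        image = f.get("image", "").lower().rsplit("\\", 1)[-1]
        cmd = f.get("cmdline", "").lower()
        # Sigma-style check: a scheduled task created with its action under a user profile.
        if image == "schtasks.exe" and "/create" in cmd and "\\appdata\\" in cmd:
            hits.append("schtasks_persistence_appdata")
        # WSH in batch mode (//B) running a .js dropped under AppData.
        if image == "wscript.exe" and "//b" in cmd and re.search(r"\\appdata\\.*\.js\b", cmd):
            hits.append("wscript_js_from_appdata")
    return hits


def hunt(lines) -> list:
    """Return [(timestamp, kind, hits)] for every line that matched at least one indicator."""
    out = []
    for line in lines:
        if not line.strip():
            continue
        ts, kind, _ = parse_line(line)
        hits = classify(line)
        if hits:
            out.append((ts, kind, hits))
    return out


# Constructed sample log; hosts, users and command lines are illustrative only.
SAMPLE_LOG = [
    r'2024-09-02T00:20:11Z proxy src=10.0.0.5 dst=91.202.233.158 method=POST url="http://91.202.233.158/e96ea2db21fa9a1b.php?x=1"',
    r'2024-09-02T00:20:12Z dns src=10.0.0.5 query=epohe.ru',
    r'2024-09-02T00:20:13Z file host=WS01 path="C:\Users\bob\AppData\Roaming\ecitguv:Zone.Identifier" op=delete',
    r'2024-09-02T00:20:14Z proc host=WS01 image="C:\Windows\System32\schtasks.exe" cmdline="schtasks /create /tn SwiftServe /tr C:\Users\bob\AppData\Local\Temp\SwiftServe.scr /sc minute /mo 1"',
    r'2024-09-02T00:20:15Z proc host=WS01 image="C:\Windows\System32\wscript.exe" cmdline="wscript.exe //B C:\Users\bob\AppData\Local\Temp\SwiftServe.js"',
    r'2024-09-02T00:20:16Z proxy src=10.0.0.7 dst=93.184.216.34 method=GET url="https://example.com/"',
    r'2024-09-02T00:20:17Z dns src=10.0.0.7 query=www.example.com',
]

if __name__ == "__main__":
    for ts, kind, hits in hunt(SAMPLE_LOG):
        print(ts, kind, ", ".join(hits))
```

Only the C2 URL and its IP are treated as confirmed; the other hosts are flagged for review because the page attributes them to the sandbox run of injected explorer.exe, and one of them (free.cdn.hstgr.net) is shared hosting infrastructure. Basenames such as svchost015.exe are weak on their own, which is why the file check is restricted to paths under AppData and strips the Zone.Identifier stream suffix so the ADS deletion the sandbox observed is caught as well.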

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Detect_Nimplant_PE
Author: daniyyell
Description: Detects malicious nimplant variant PE malware.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery chain: Web download -> Stealc -> Executable exe 822d4a0dc03fa0348fc8a12c3e0c3c10ad433abbf34f858b64406beaf8606d87 (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high

Reviews
ID | Capabilities | Evidence
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::SetProcessShutdownParameters
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryW, KERNEL32.dll::GetStartupInfoW, KERNEL32.dll::GetDiskFreeSpaceExA, KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::PeekConsoleInputA, KERNEL32.dll::ReadConsoleInputW, KERNEL32.dll::SetConsoleCP, KERNEL32.dll::GetConsoleAliasExesW, KERNEL32.dll::GetConsoleAliasExesLengthW, KERNEL32.dll::GetConsoleDisplayMode
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateHardLinkA, KERNEL32.dll::CreateFileMappingW, KERNEL32.dll::GetFileAttributesW, KERNEL32.dll::GetTempPathA, KERNEL32.dll::SetVolumeMountPointA
WIN_BASE_USER_API | Retrieves Account Information | KERNEL32.dll::QueryDosDeviceW
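The four BLint findings above are all read straight out of the PE optional header: CHECK_NX, CHECK_PIE and CHECK_DLL_CHARACTERISTICS are single bits in DllCharacteristics (NX_COMPAT, DYNAMIC_BASE, HIGH_ENTROPY_VA), and CHECK_AUTHENTICODE is an empty security data directory. The script below is an added example, not BLint's or MalwareBazaar's code; it parses those header fields without pefile and reproduces the same findings table for two headers-only PE images constructed in memory (neither is the sample on this page). Two caveats a practitioner should keep in mind: TrID classifies this sample as Win32, and HIGH_ENTROPY_VA only has an effect on 64-bit (PE32+) images, so that particular finding is noise for a 32-bit binary; and a populated security directory only means a WIN_CERTIFICATE blob is present, not that the signature verifies.

```python
"""Check the PE hardening flags BLint reports (NX, PIE/ASLR, HIGH_ENTROPY_VA, Authenticode).

Added example, not BLint's or MalwareBazaar's code. It reads the COFF and
optional headers directly so it runs without pefile; the images it checks are
constructed in memory (headers only), not the sample on this page.
"""
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR with high-entropy addresses (PE32+ only)
DYNAMIC_BASE = 0x0040      # relocatable image, i.e. ASLR / "PIE" in BLint's terms
NX_COMPAT = 0x0100         # DEP/NX compatible
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # Authenticode WIN_CERTIFICATE table


def parse_pe(data: bytes) -> dict:
    """Pull format, DllCharacteristics and the security directory out of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, _nsect, _ts, _sym, _nsym, _optsize, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:
        fmt, ndirs_off = "PE32", 92      # 4-byte stack/heap size fields
    elif magic == 0x20B:
        fmt, ndirs_off = "PE32+", 108    # four 8-byte size fields push the tail out by 16
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    subsystem, dllchars = struct.unpack_from("<HH", data, opt + 68)  # same offset in both formats
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    sec_off = sec_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # Unlike the other directories, this entry holds a raw file offset, not an RVA.
        sec_off, sec_size = struct.unpack_from(
            "<II", data, opt + ndirs_off + 4 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return {"format": fmt, "machine": machine, "subsystem": subsystem,
            "dllcharacteristics": dllchars,
            "security_dir_offset": sec_off, "security_dir_size": sec_size}


def findings(info: dict) -> list:
    """The four checks BLint reported for this sample, as (id, title, severity) tuples."""
    d = info["dllcharacteristics"]
    out = []
    if info["security_dir_size"] == 0:
        out.append(("CHECK_AUTHENTICODE", "Missing Authenticode", "high"))
    if not d & HIGH_ENTROPY_VA:
        out.append(("CHECK_DLL_CHARACTERISTICS",
                    "Missing dll Security Characteristics (HIGH_ENTROPY_VA)", "high"))
    if not d & NX_COMPAT:
        out.append(("CHECK_NX", "Missing Non-Executable Memory Protection", "critical"))
    if not d & DYNAMIC_BASE:
        out.append(("CHECK_PIE", "Missing Position-Independent Executable (PIE) Protection", "high"))
    return out


def build_pe(pe32plus: bool, dllchars: int, signed: bool) -> bytes:
    """Construct a headers-only PE image (no sections) for testing; it is not runnable."""
    opt_size = 240 if pe32plus else 224
    img = bytearray(0x40 + 4 + 20 + opt_size)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                       # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    machine = 0x8664 if pe32plus else 0x14C
    struct.pack_into("<HHIIIHH", img, 0x44, machine, 0, 0, 0, 0, opt_size, 0x0002)
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<HH", img, opt + 68, 2, dllchars)           # Subsystem = WINDOWS_GUI
    ndirs_off = 108 if pe32plus else 92
    struct.pack_into("<I", img, opt + ndirs_off, 16)
    if signed:
        # Point the security directory at a hypothetical certificate blob after the headers.
        struct.pack_into("<II", img, opt + ndirs_off + 4 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         len(img), 0x1000)
    return bytes(img)


def check_file(path: str) -> list:
    """Run the same checks on a real PE on disk."""
    with open(path, "rb") as fh:
        return findings(parse_pe(fh.read()))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for row in check_file(sys.argv[1]):
            print(" | ".join(row))
    else:
        weak = build_pe(False, 0, False)     # like this sample: PE32, no flags, unsigned
        hardened = build_pe(True, HIGH_ENTROPY_VA | DYNAMIC_BASE | NX_COMPAT, True)
        print("weak:", [row[0] for row in findings(parse_pe(weak))])
        print("hardened:", [row[0] for row in findings(parse_pe(hardened))])
```

Run it with a path argument to check a binary you hold (the sample itself can be downloaded from this page) and compare against the BLint table; with no argument it prints the findings for the constructed weak and hardened headers.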
