MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8408dcfb8751f971ab0f3f4ec16abc52586a90a507ac8e6be0b02219980758f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 15


Intelligence 15 IOCs YARA 20 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8408dcfb8751f971ab0f3f4ec16abc52586a90a507ac8e6be0b02219980758f3
SHA3-384 hash: d037e5b9c04711cfc9d0e3932c5935e2171e1a6802c3ec24a9675b13331ec008c2ac2137d3096256c24ce947f04a0e30
SHA1 hash: e21e9ec6bc6234993591cd2034a019af59e98071
MD5 hash: a3d607292f456d782622bdf10ddcaa72
humanhash: william-mockingbird-floor-hotel
File name:a3d607292f456d782622bdf10ddcaa72.exe
Download: download sample
Signature Stealc
Create hunting rule
File size:399'270 bytes
First seen:2024-04-28 09:31:06 UTC
Last seen:2024-04-28 20:49:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 6144:hjuZSWCTeEVTAHT6HPqHr3aUb/memWBFU/iBHZGI3XCjA77lyJkJZVKM:hjtXVTAHyc3f/U6OiJZhXCsdyJ6ZVKM
Threatray 10 similar samples on MalwareBazaar
TLSH T13A841212CAAC52A3C2DB057D8E1102C03637B77717A5EB5EC4455AAEA473FA8B035F27
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter abuse_ch
Tags:exe Stealc


Avatar
abuse_ch
Stealc C2:
http://185.172.128.62/902e53a07830e030.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
296
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
glupteba
Create hunting rule
ID:
1
File name:
8408dcfb8751f971ab0f3f4ec16abc52586a90a507ac8e6be0b02219980758f3.exe
Verdict:
Malicious activity
Analysis date:
2024-04-28 09:47:36 UTC
Tags:
opendir gcleaner loader evasion privateloader stealer stealc arechclient2 backdoor discord glupteba adware neoreklami trojan
Link:
https://app.any.run/tasks/079374a0-bfbe-49c1-9d77-75ecadbb59dd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Searching for the window
Searching for analyzing tools
Modifying a system file
Creating a file in the %temp% directory
Using the Windows Management Instrumentation requests
Replacing files
Creating a window
Launching a service
Connecting to a non-recommended domain
Creating a file in the %AppData% subdirectories
Running batch commands
Launching cmd.exe command interpreter
Connection attempt to an infection source
Query of malicious DNS domain
Sending a TCP request to an infection source
Blocking the Windows Defender launch
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Adding exclusions to Windows Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/662e1795238e3ee25c5a083a/reports/6ad344c0-f1a5-41f6-bbb2-cce0bdf84fb4/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/8408dcfb8751f971ab0f3f4ec16abc52586a90a507ac8e6be0b02219980758f3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/19ae58d0-c1ca-4e48-b127-050a03ef2ce3
Result
Threat name:
Glupteba, Mars Stealer, PureLog Stealer,
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1432850
Signature
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Drops script or batch files to the startup folder
Exclude list of file types from scheduled, custom, and real-time scanning
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found Tor onion address
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Writes many files with high entropy
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected Mars stealer
Yara detected PureLog Stealer
Yara detected Stealc
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1432850 Sample: Mp7cjtN6To.exe Startdate: 28/04/2024 Architecture: WINDOWS Score: 100 153 Found malware configuration 2->153 155 Malicious sample detected (through community Yara rule) 2->155 157 Antivirus detection for dropped file 2->157 159 18 other signatures 2->159 9 Mp7cjtN6To.exe 3 2->9         started        12 cmd.exe 2->12         started        14 chrome.exe 1 2->14         started        17 3 other processes 2->17 process3 dnsIp4 175 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->175 177 Writes to foreign memory regions 9->177 179 Allocates memory in foreign processes 9->179 181 2 other signatures 9->181 19 MSBuild.exe 15 228 9->19         started        24 WerFault.exe 9->24         started        26 conhost.exe 9->26         started        36 4 other processes 9->36 28 m66vZknCDpiDsrCU5jRTHvbt.exe 12->28         started        38 2 other processes 12->38 145 192.168.2.4 unknown unknown 14->145 147 239.255.255.250 unknown Reserved 14->147 30 chrome.exe 14->30         started        149 23.221.242.90 TISCALI-IT United States 17->149 151 127.0.0.1 unknown unknown 17->151 32 WerFault.exe 17->32         started        34 conhost.exe 17->34         started        signatures5 process6 dnsIp7 115 107.167.110.211 OPERASOFTWAREUS United States 19->115 117 185.172.128.59 NADYMSS-ASRU Russian Federation 19->117 125 8 other IPs or domains 19->125 71 C:\Users\...\zvXXY7c25PCFIYfHLvRaZ7Gw.exe, PE32 19->71 dropped 73 C:\Users\...\zii40jv5We9TJaNtOEKeC8YQ.exe, PE32 19->73 dropped 75 C:\Users\...\z26HerW0a2eHBrU3IdeL5Kws.exe, PE32 19->75 dropped 83 167 other malicious files 19->83 dropped 161 Installs new ROOT certificates 19->161 163 Drops script or batch files to the startup folder 19->163 165 Creates HTML files with .exe extension (expired dropper behavior) 19->165 40 4M7HbWLji4TRhh0e3XlZNznV.exe 19->40         started        45 0X56S0N1fMPYuf08IWPrhkFc.exe 19->45         started        47 HUIzlGqwNdhdul0ykJR2bIM0.exe 19->47         started        51 14 other processes 19->51 119 13.89.179.12 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 24->119 77 C:\Users\user\AppData\Local\Temp\...\run.exe, PE32 28->77 dropped 79 C:\Users\user\AppData\Local\...\relay.dll, PE32 28->79 dropped 81 C:\Users\user\AppData\...\UIxMarketPlugin.dll, PE32 28->81 dropped 85 2 other malicious files 28->85 dropped 167 Detected unpacking (overwrites its own PE header) 28->167 169 Writes many files with high entropy 28->169 49 u728.0.exe 28->49         started        121 142.251.16.102 GOOGLEUS United States 30->121 123 142.251.167.94 GOOGLEUS United States 30->123 127 8 other IPs or domains 30->127 file8 signatures9 process10 dnsIp11 131 87.240.132.78 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 40->131 133 95.142.206.0 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 40->133 139 19 other IPs or domains 40->139 89 C:\Users\...\hor1BPT04EW1nXbXOAnTDCz3.exe, PE32 40->89 dropped 91 C:\Users\...\hQeCI4kGPWtoN3hWHoIwVDP_.exe, PE32 40->91 dropped 93 C:\Users\...\_qJe29n4LzaY367KfdTG2LEs.exe, PE32 40->93 dropped 99 25 other malicious files 40->99 dropped 183 Query firmware table information (likely to detect VMs) 40->183 185 Drops PE files to the document folder of the user 40->185 187 Creates HTML files with .exe extension (expired dropper behavior) 40->187 203 10 other signatures 40->203 141 3 other IPs or domains 45->141 101 6 other malicious files 45->101 dropped 189 Detected unpacking (overwrites its own PE header) 45->189 191 Writes many files with high entropy 45->191 53 u6dc.0.exe 45->53         started        95 C:\Users\user\AppData\Local\Temp\u6uc.3.exe, PE32 47->95 dropped 97 C:\Users\user\AppData\Local\Temp\...\run.exe, PE32 47->97 dropped 103 4 other malicious files 47->103 dropped 57 u6uc.0.exe 47->57         started        193 Detected unpacking (changes PE section rights) 49->193 135 107.167.110.217 OPERASOFTWAREUS United States 51->135 137 107.167.110.218 OPERASOFTWAREUS United States 51->137 143 6 other IPs or domains 51->143 105 24 other malicious files 51->105 dropped 195 Tries to detect sandboxes and other dynamic analysis tools (window names) 51->195 197 Found Tor onion address 51->197 199 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 51->199 201 Found direct / indirect Syscall (likely to bypass EDR) 51->201 59 u3sk.0.exe 51->59         started        61 vNhAsO8bT1KRIAML7y1H14rm.exe 51->61         started        64 vNhAsO8bT1KRIAML7y1H14rm.exe 51->64         started        66 3 other processes 51->66 file12 signatures13 process14 dnsIp15 129 185.172.128.62 NADYMSS-ASRU Russian Federation 53->129 171 Detected unpacking (changes PE section rights) 53->171 173 Detected unpacking (overwrites its own PE header) 53->173 107 Opera_installer_2404280949344278996.dll, PE32 61->107 dropped 68 vNhAsO8bT1KRIAML7y1H14rm.exe 61->68         started        109 Opera_installer_2404280949215688500.dll, PE32 64->109 dropped 111 Opera_installer_2404280949411559172.dll, PE32 66->111 dropped 113 Opera_installer_2404280949224908876.dll, PE32 66->113 dropped file16 signatures17 process18 file19 87 Opera_installer_2404280949405471908.dll, PE32 68->87 dropped
Score:
56%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/8408dcfb8751f971ab0f3f4ec16abc52586a90a507ac8e6be0b02219980758f3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8408dcfb8751f971ab0f3f4ec16abc52586a90a507ac8e6be0b02219980758f3/
Threat name:
Win64.Spyware.Stealc
Create hunting rule
Status:
Malicious
First seen:
2024-04-28 09:32:04 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
12 of 23 (52.17%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qqenz64hkh4xdkyph5hmc2v4kjmgveffa6wi427awarbtgahldzq._file
Verdict:
malicious
Similar samples:
2a27f01ed2a25d9f6145902608570413d90133aa5e8d9cb7777026447977c9f0
Stealc
56768dc2486a0eadfb82e3df6436434d1b6502d542fe6c41e2b52aae948b140f
Stealc
5de000c94215943f6ddbb15376ca07f67f9965ab58cbd3335279ae66baf56bb6
Stealc
612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc
Stealc
627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3
Stealc
95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e
Stealc
adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8
Stealc
c54dec8c6c088c7b13267214dbc9ecb2f1e7aa3883e5bc4abe80accc83d32131
Stealc
d0ef5d7c8fa467cca0626b576f96dc86a58293b859aa5ddd4aa0ff1304427d04
Stealc
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:sectoprat family:stealc family:zgrat discovery dropper evasion loader persistence rat rootkit spyware stealer themida trojan upx
Link:
https://tria.ge/reports/240428-lhl5lach7w/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Drops Chrome extension
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMon driver.
Manipulates WinMonFS driver.
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Registers COM server for autorun
Themida packer
UPX packed file
Windows security modification
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies boot configuration data using bcdedit
Detect ZGRat V1
Glupteba
Glupteba payload
Modifies firewall policy service
SectopRAT
SectopRAT payload
Stealc
Windows security bypass
ZGRat
Malware Config
C2 Extraction:
http://185.172.128.62
Unpacked files
SH256 hash:
8408dcfb8751f971ab0f3f4ec16abc52586a90a507ac8e6be0b02219980758f3
MD5 hash:
a3d607292f456d782622bdf10ddcaa72
SHA1 hash:
e21e9ec6bc6234993591cd2034a019af59e98071
Link:
https://www.unpac.me/results/744eec83-6245-417b-a54c-84d9ad259b03/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8408dcfb8751/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Stealc
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8408dcfb8751f971ab0f3f4ec16abc52586a90a507ac8e6be0b02219980758f3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:detect_Mars_Stealer
Create hunting rule
Author:@malgamy12
Description:detect_Mars_Stealer
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of MFA browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables (downlaoders) containing URLs to raw contents of a paste
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:malware_Stealc_str
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:Stealc infostealer
Rule name:MSIL_TinyDownloader_Generic
Create hunting rule
Author:albertzsigovits
Description:Detects small-sized dotNET downloaders
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Generic_2993e5a5
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Stealc_b8ab9ab5
Create hunting rule
Author:Elastic Security
Rule name:win_stealc_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.stealc.
Rule name:yara_template
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe 8408dcfb8751f971ab0f3f4ec16abc52586a90a507ac8e6be0b02219980758f3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2819427/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments