MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 844e22dd38a08217c64322ee018ea293ede53e660b79e841417b78ec8a28d0e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 844e22dd38a08217c64322ee018ea293ede53e660b79e841417b78ec8a28d0e9
SHA3-384 hash: 9ca3aa2473c54ba0c858f0842c8fca8b119d5b9c38b06a81b56fbdca3b9eb2272d944d748bcf2d32ebc57c9acab867d0
SHA1 hash: affbbb62e498264858f37b6b540e952371a17831
MD5 hash: 59d0282fcb01a6735aca82dfaf1098c6
humanhash: east-winter-minnesota-double
File name:59d0282fcb01a6735aca82dfaf1098c6.exe
Download: download sample
Signature Stealc
Create hunting rule
File size:4'487'448 bytes
First seen:2024-05-01 07:45:15 UTC
Last seen:2024-05-01 08:30:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5314f3f670d67e1168d18f314838270f (1 x Stealc, 1 x Arechclient2)
ssdeep 98304:lfgl8Ig4nttHq4oaU/7jigBljWiqSmhJQ62W/ok6f/R4H6:l4KIJtaFBwiqhJSW/le/u6
Threatray 158 similar samples on MalwareBazaar
TLSH T1D726F151B2D240F6D61E2930CC6A76FDA67CAD018F288BF79314FEEA94324919C7631D
TrID 34.2% (.EXE) InstallShield setup (43053/19/16)
24.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
13.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
8.3% (.EXE) Win64 Executable (generic) (10523/12/4)
5.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon 00e8c9cc64ccc410 (1 x Stealc)
Reporter abuse_ch
Tags:exe Stealc


Avatar
abuse_ch
Stealc C2:
http://193.163.7.88/a69d09b357e06b52.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
414
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
844e22dd38a08217c64322ee018ea293ede53e660b79e841417b78ec8a28d0e9.exe
Verdict:
Malicious activity
Analysis date:
2024-05-01 07:47:54 UTC
Tags:
hijackloader loader
Link:
https://app.any.run/tasks/bc4ea3bc-ec33-4a51-b664-eeea7508c1b1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.72527548.29398.13193.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Launching cmd.exe command interpreter
Creating a file
Launching a process
Сreating synchronization primitives
Connection attempt
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
keylogger lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/6631f33e0694596be92d4089/reports/5442c62e-2cbb-4ae4-aa10-c9c884c2fe28/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/844e22dd38a08217c64322ee018ea293ede53e660b79e841417b78ec8a28d0e9
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d9c0fe7e-9ad3-4f62-b35a-cdb5a5f68c9e
Result
Threat name:
Mars Stealer, Stealc, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1434519
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Yara detected Mars stealer
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1434519 Sample: I9IKjqeBAs.exe Startdate: 01/05/2024 Architecture: WINDOWS Score: 100 50 Found malware configuration 2->50 52 Antivirus detection for dropped file 2->52 54 Multi AV Scanner detection for dropped file 2->54 56 8 other signatures 2->56 9 I9IKjqeBAs.exe 8 2->9         started        process3 file4 30 C:\Users\user\AppData\...\vcruntime140.dll, PE32 9->30 dropped 32 C:\Users\user\AppData\Local\...\ptInst.exe, PE32 9->32 dropped 34 C:\Users\user\AppData\Local\...\msvcp140.dll, PE32 9->34 dropped 36 C:\Users\user\AppData\Local\...\WCLDll.dll, PE32 9->36 dropped 66 Found direct / indirect Syscall (likely to bypass EDR) 9->66 13 ptInst.exe 7 9->13         started        signatures5 process6 file7 38 C:\Users\user\AppData\...\vcruntime140.dll, PE32 13->38 dropped 40 C:\Users\user\AppData\Roaming\...\ptInst.exe, PE32 13->40 dropped 42 C:\Users\user\AppData\...\msvcp140.dll, PE32 13->42 dropped 44 C:\Users\user\AppData\Roaming\...\WCLDll.dll, PE32 13->44 dropped 68 Found direct / indirect Syscall (likely to bypass EDR) 13->68 17 ptInst.exe 1 13->17         started        signatures8 process9 signatures10 46 Maps a DLL or memory area into another process 17->46 48 Found direct / indirect Syscall (likely to bypass EDR) 17->48 20 cmd.exe 2 17->20         started        process11 file12 28 C:\Users\user\AppData\Local\Temp\tjl, PE32 20->28 dropped 58 Injects code into the Windows Explorer (explorer.exe) 20->58 60 Deletes itself after installation 20->60 62 Writes to foreign memory regions 20->62 64 Found hidden mapped module (file has been removed from disk) 20->64 24 conhost.exe 20->24         started        26 explorer.exe 20->26         started        signatures13 process14
Score:
57%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/844e22dd38a08217c64322ee018ea293ede53e660b79e841417b78ec8a28d0e9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/844e22dd38a08217c64322ee018ea293ede53e660b79e841417b78ec8a28d0e9/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-04-25 16:05:08 UTC
File Type:
PE (Exe)
Extracted files:
361
AV detection:
15 of 24 (62.50%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qrhcfxjyucbbprsdelxaddvcspw6kptgbn46qqkbpn4ozcri2duq._file
Verdict:
malicious
Similar samples:
0486a8679b783687782d41a79919cda87cee878f0dd22f4749cde0d74977b2bc
Stealc
0ff09014efe7b589c172f49db19b9db9a711e993b6da0b4e0fde4a73ffb0048d
Stealc
136aff853514ca7aba662cc26bc54cfb92d58e6477752ce3a8948ff9f1117499
Stealc
1cb385eb8f12a6ffe0f5736416c89bda36f347803ca0f0ef690d82eb5c712d62
Stealc
4ec640dd3a34d0bbdf4316ab8bd73294b18f0ebe733ab6fc842882495655d534
Stealc
83666d2c1b78690ce36a82152f3bf8e6d56a2332c6ef88dff06ffbce4c4337ff
Stealc
a48b3bfe1ba8b48b2fe6402c3af345cf9a19104e243e311e9f1aa107bb640912
Stealc
ae4c8518b5ec4a8a63ef639b8a489e6df8ebb5f903f4da7363960b25a1b674df
Stealc
bcff7c4c011b77166deccd8682035bfeef00e432eafb704b4044b74e2202a023
Stealc
ee29e3aad14667b58642d965a332ffe5586ee1a2d8a09b2da7a54520b46d598e
Stealc
+ 148 additional samples on MalwareBazaar
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader family:stealc loader stealer
Link:
https://tria.ge/reports/240501-jlyxfsdb62/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Deletes itself
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Detects HijackLoader (aka IDAT Loader)
HijackLoader
Stealc
Malware Config
C2 Extraction:
http://193.163.7.88
Unpacked files
SH256 hash:
844e22dd38a08217c64322ee018ea293ede53e660b79e841417b78ec8a28d0e9
MD5 hash:
59d0282fcb01a6735aca82dfaf1098c6
SHA1 hash:
affbbb62e498264858f37b6b540e952371a17831
Link:
https://www.unpac.me/results/6891e010-a170-4c91-9fa4-0a128f112d41/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/844e22dd38a08217c64322ee018ea293ede53e660b79e841417b78ec8a28d0e9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CreateStreamOnHGlobal
MULTIMEDIA_APICan Play MultimediaGDI32.dll::StretchDIBits
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::GetFileSecurityW
ADVAPI32.dll::SetFileSecurityW
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteW
SHELL32.dll::ShellExecuteExW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetDriveTypeA
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetVolumeInformationW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::SetStdHandle
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileMappingW
KERNEL32.dll::CreateFileA
KERNEL32.dll::CreateFileMappingA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::GetUserNameW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegCreateKeyW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegOpenKeyW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::CreateMenu
USER32.dll::EmptyClipboard
USER32.dll::FindWindowW
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW

Comments