MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84626884775edba43d27869acfe98ce6e7bf687bc1d71fa4a4383d69cfe9d0b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 84626884775edba43d27869acfe98ce6e7bf687bc1d71fa4a4383d69cfe9d0b6
SHA3-384 hash: ed30e153e52fad15c830f3be15a2d69c749a1f2057e2f78f216a0624630c52620932f28636f35722cc65b0157ebba0c1
SHA1 hash: 5dcf904992745d124e65f5b5adefeafed78b7ed9
MD5 hash: 4913fe0e4d17f0a4b18a9acb04c255ac
humanhash: helium-florida-undress-mexico
File name:officeupdate.hta
Download: download sample
Signature Stealc
Create hunting rule
File size:118'502 bytes
First seen:2024-02-04 06:47:01 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/xml
ssdeep 3072:SCmT2J09HCxzDRfzU4g3i9/ptUDKMXC1RuGjFR0A:4TNiztfojujUD21cmx
TLSH T14CC30231E8484CE5FA610B3A151E9C342CB28DD78C47579FC3B964928BC4A6DD27E7CA
TrID 85.9% (.GPX) GPS eXchange format (30500/1/4)
14.0% (.XML) Generic XML (ASCII) (5000/1)
Reporter iamdeadlyz
Tags:194-120-116-120 CVE-2023-27363 hta Stealc


Avatar
Iamdeadlyz
Outfoxing a Malicious PDF: An attacker's attempt to deliver a Stealc infostealer. Exploiting CVE-2023-27363.

Drops officeupdate.hta [persisting via startup folder]
Retrieves: hxxps://brazilanimalshelp[.]com/updating/stale.exe
Stealc C&C: hxxp://194.120.116[.]120/7a957ef6cc168ff6.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
132
Origin country :
SG SG
Vendor Threat Intelligence
Detection(s):
PUA.Win.Tool.XDPBypass-1
Create hunting rule

PUA.Win.Tool.XDPBypass-4
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/65bf32e91a072d565265502b/reports/0c157af6-f1eb-40e1-932b-49cd19ef6ab0/overview
Verdict:
Malicious
Labled as:
BZC.UGZ.Boxter.1
Link:
https://www.hybrid-analysis.com/sample/84626884775edba43d27869acfe98ce6e7bf687bc1d71fa4a4383d69cfe9d0b6
Result
Verdict:
MALICIOUS
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Malicious Scriptlet 1 of 7
Detected a malicious pivot typically seen during the 'file-less' pivot commonly seen in malware carriers.
Malicious Scriptlet 7 of 7
Detected a malicious pivot typically seen during the 'file-less' pivot commonly seen in malware carriers.
Hidden Powershell
Detected a pivot to Powershell that utilizes commonly nefarious attributes such as '-windowstyle hidden'.
Result
Threat name:
Stealc
Create hunting rule
Detection:
malicious
Classification:
troj.adwa
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1386327
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Drops PE files to the startup folder
Found malware configuration
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Powershell drops PE file
Sample uses string decryption to hide its real strings
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious MSHTA Child Process
Suspicious powershell command line found
Yara detected Stealc
Behaviour
Behavior Graph:
Download SVG
Score:
3%
Verdict:
Benign
File Type:
ASCII
Link:
https://malprob.io/report/84626884775edba43d27869acfe98ce6e7bf687bc1d71fa4a4383d69cfe9d0b6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/84626884775edba43d27869acfe98ce6e7bf687bc1d71fa4a4383d69cfe9d0b6/
Threat name:
Win32.Trojan.Boxter
Create hunting rule
Status:
Malicious
First seen:
2024-02-04 06:48:04 UTC
File Type:
Text (XML)
AV detection:
7 of 23 (30.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qrrgrbdxl3n2ipjhq2nm72mm43t362d3yhlr7jfeha6wtt7j2c3a._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/240204-n7fp8aahgn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/84626884775edba43d27869acfe98ce6e7bf687bc1d71fa4a4383d69cfe9d0b6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:QbotStuff
Create hunting rule
Author:anonymous

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

pdf 3779f1b904ee4cf41f4a266505490682559d09337deb30a2cc08793c2e69385c

Stealc

HTML Application (hta) hta 84626884775edba43d27869acfe98ce6e7bf687bc1d71fa4a4383d69cfe9d0b6

(this sample)

Stealc

Executable exe 85735229bd3b6ae1d0c60d43f3e24a2be5f0d21d87b7f2c01f13373c051c82a5

  
Link
https://iamdeadlyz.gitbook.io/malware-research/february-2024/outfoxing-a-malicious-pdf-an-attackers-attempt-to-deliver-a-stealc-infostealer
  
X
https://twitter.com/oscarxferral/status/1752765232190251037
  
Dropped by
SHA256 3779f1b904ee4cf41f4a266505490682559d09337deb30a2cc08793c2e69385c
  
Dropping
SHA256 85735229bd3b6ae1d0c60d43f3e24a2be5f0d21d87b7f2c01f13373c051c82a5
  
Delivery method
Distributed via web download
  
Dropping
MD5 a7e899088ee574a2e977080acb00c849
  
Dropping
SHA256 a9a4d321d6ccfe6ba9e0f870fb1bf590535c6e10a091805020930dce46e116b7
  
Dropping
MD5 084222b639a1b3f35be40ca5282a6e0a
  
Dropped by
MD5 cfab7a2f5302b8fcdd98159c3c892404

Comments