MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 874104244563da90256793fe3b8514d95436b8ede291f92622670dcd20215e55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 14

Intelligence 14 IOCs YARA 8 File information Comments

SHA256 hash:	874104244563da90256793fe3b8514d95436b8ede291f92622670dcd20215e55
SHA3-384 hash:	7323a80870c2c0c07d12b496707f032b08e9d51064955aa9bd195aea0d4b13b1b1dae50ffa74947793340b8913f5913d
SHA1 hash:	1735a3c38f95e3c8d94371d9b677c4f1aa6fbf8e
MD5 hash:	3ccf859820482f16beb468b3bde7cde4
humanhash:	mike-helium-nine-mobile
File name:	3ccf859820482f16beb468b3bde7cde4.exe
Download:	download sample
Signature	Stealc Create hunting rule
File size:	181'760 bytes
First seen:	2024-02-20 18:55:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a37a56386d50d63537592aa5b62333a6 (3 x Stealc, 1 x Smoke Loader)
ssdeep	3072:Zlcy5ZoeTxpLgk0C+KprzDs0JucFQtPjpIZ5oRt5B0rdpHR1/P2ui65mn7F:Zbvoy/0kp/RBFQ5jOoRp0rnR1/P3i15
Threatray	87 similar samples on MalwareBazaar
TLSH	T1CF04E12173D0C032C9AB263044F8C7B62A7F7D222775599F6BA41B3E9F643D06A39719
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):
dhash icon	d2f0e4c4c4f9c6f8 (1 x Stealc)
Reporter	abuse_ch
Tags:	exe Stealc

abuse_ch

Stealc C2:
http://185.172.128.145/3cd2b41cbde8fc9c.php

Intelligence

File Origin

# of uploads :

# of downloads :

323

Origin country :

Vendor Threat Intelligence

Malware family:

phorpiex

ID:

File name:

bomb.exe

Verdict:

Malicious activity

Analysis date:

2024-02-20 19:21:15 UTC

Tags:

opendir loader phorpiex trojan kelihos stealer stealc nanocore rat remote risepro evasion agenttesla

Link:

https://app.any.run/tasks/99f8cef9-7e0e-4542-b65f-73be2df4e84b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Stealc

Link:

https://www.capesandbox.com/analysis/477123/

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

Connecting to a non-recommended domain

Connection attempt

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

fingerprint packed

Link:

https://www.filescan.io/uploads/65d4f5ccc5e1a083fbf32998/reports/d1e9398c-9f4a-4050-ac0a-e3e4a2993792/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/874104244563da90256793fe3b8514d95436b8ede291f92622670dcd20215e55

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/06465f2a-2328-43c4-8244-27c084e2a805

Result

Threat name:

Stealc

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1395587

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Searches for specific processes (likely to inject)

Snort IDS alert for network traffic

Yara detected Stealc

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/874104244563da90256793fe3b8514d95436b8ede291f92622670dcd20215e55

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/874104244563da90256793fe3b8514d95436b8ede291f92622670dcd20215e55/

Threat name:

Win32.Trojan.Convagent

Status:

Malicious

First seen:

2024-02-20 18:56:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=q5aqijcfmpnjajlhsp7dxbiu3fkdnohn4ki7sjrcm4g42ibblzkq._file

Verdict:

malicious

Stealc

874104244563da90256793fe3b8514d95436b8ede291f92622670dcd20215e55

Stealc

8a12a7cfb07d4ea86f212911775850f6187eea3d7a9c070ae2d68e0b318266e5

Stealc

9eda80b21be4608e90d5f90cf721412e929894ce6d077f8bb45365c0f5d1d613

Stealc

9f263f90eaaae77714ef74eab8b799376160bb8bdb3f58c3d987d9e236ebcda8

Stealc

a022daaa10f66f7870e535d0cb76290e5d3d6bba6e73708673c528bdb1417215

Stealc

ba01502b5a5c02dbdddf6a85c50670204b9e47e693cbf37fe58f55b9bbf1f2d0

Stealc

+ 77 additional samples on MalwareBazaar

Result

Malware family:

stealc

Score:

10/10

Tags:

family:stealc discovery spyware stealer

Link:

https://tria.ge/reports/240220-xlbzksdd31/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Enumerates physical storage devices

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Downloads MZ/PE file

Stealc

Malware Config

C2 Extraction:

http://185.172.128.145

Unpacked files

SH256 hash:

63e3e1a6dd318e363b09498519d3ff29701b7b7833d9d9fc3c0b8ecdd3c6866f

MD5 hash:

ce77f0c43f51bc5313a0a87091d519ee

SHA1 hash:

0f4715c466cb611a3a879e67eebef3fd3f29a229

Link:

https://www.unpac.me/results/d69e017b-f476-421b-9609-2aa2de96f7f7/

SH256 hash:

874104244563da90256793fe3b8514d95436b8ede291f92622670dcd20215e55

MD5 hash:

3ccf859820482f16beb468b3bde7cde4

SHA1 hash:

1735a3c38f95e3c8d94371d9b677c4f1aa6fbf8e

Link:

https://www.unpac.me/results/d69e017b-f476-421b-9609-2aa2de96f7f7/

Malware family:

Stealc

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/874104244563/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	infostealer_win_stealc_standalone Create hunting rule
Description:	Find standalone Stealc sample based on decryption routine or characteristic strings
Reference:	https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	malware_Stealc_str Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	Stealc infostealer

Rule name:	Stealc Create hunting rule
Author:	kevoreilly
Description:	Stealc Payload

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

Rule name:	win_stealc_w0 Create hunting rule
Author:	crep1x
Description:	Find standalone Stealc sample based on decryption routine or characteristic strings
Reference:	https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/