MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89a5243cac0104e257ede052b495cf346c995df99c306f344650b8b88e89f42d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Stealc


Vendor detections: 11



SHA256 hash: 89a5243cac0104e257ede052b495cf346c995df99c306f344650b8b88e89f42d
SHA3-384 hash: 36bbe76e50c95b77ae46e90bd3fe8c74bcbee6b014719b124c5f94ae1990eb3f9b5aa8137cce29b2488384120339e50a
SHA1 hash: e736d88f15b5e2cacce3299150a9007bed23c7f2
MD5 hash: 58784ef19a6b7b3639154c291a77d0ef
humanhash: magazine-spring-oranges-six
File name: file
Signature: Stealc
File size: 776'928 bytes
First seen: 2023-12-22 16:11:43 UTC
Last seen: 2023-12-22 17:14:55 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:63UmTtHwhPBREIwCFr8InJHY5Q2nakmep4VZLzH/n0xDhmuWJQu:6EHhPBRFwIpY5QNkmeuRUD7u
Threatray 6 similar samples on MalwareBazaar
TLSH T1FAF4586930D9C097D74B86B36794EDF00D2A5E3A2E05E71220CDFA4B77B258BC6029DD
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: andretavare5
Tags: exe signed Stealc

Code Signing Certificate

Organisation: Microsoft Code Signing PCA 2011
Issuer: Microsoft Code Signing PCA 2011
Algorithm: sha256WithRSAEncryption
Valid from: 2023-12-22T04:12:55Z
Valid to: 2024-12-22T04:12:55Z
Serial number: 5dbfee36a79f29ae3a2c93098664b13d
Thumbprint Algorithm: SHA256
Thumbprint: 04a85a4109f7211558ea325f9b931cd24609f0ca1cc11297aa40d1cda37b37bf
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


andretavare5
Sample downloaded from http://15.204.49.148/files/Rby1.exe

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 351
Origin country: US
Vendor Threat Intelligence
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: evasive overlay packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Glupteba, Petite Virus, SmokeLoader, Soc
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to a pastebin service (likely for C&C)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables UAC (registry)
Drops script or batch files to the startup folder
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected Petite Virus
Yara detected SmokeLoader
Yara detected Socks5Systemz
Behaviour
Behavior Graph: [graph not reproduced; Behavior Graph ID: 1366315, Sample: file.exe, Startdate: 22/12/2023, Architecture: WINDOWS, Score: 100]
Threat name: Win32.Trojan.Privateloader
Status: Malicious
First seen: 2023-12-22 16:12:05 UTC
File Type: PE (.Net Exe)
Extracted files: 39
AV detection: 15 of 23 (65.22%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:smokeloader family:stealc botnet:pub1 backdoor evasion stealer trojan upx
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Runs net.exe
Runs ping.exe
Suspicious use of WriteProcessMemory
System policy modification
NSIS installer
Enumerates physical storage devices
Program crash
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Modifies boot configuration data using bcdedit
UPX packed file
Windows security modification
Downloads MZ/PE file
Modifies Windows Firewall
SmokeLoader
Stealc
UAC bypass
Windows security bypass
Malware Config
C2 Extraction:
http://host-file-host6.com/
http://host-host-file8.com/
http://77.91.76.36
Unpacked files
SHA256 hash: 89a5243cac0104e257ede052b495cf346c995df99c306f344650b8b88e89f42d
MD5 hash: 58784ef19a6b7b3639154c291a77d0ef
SHA1 hash: e736d88f15b5e2cacce3299150a9007bed23c7f2
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by
