MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d80e5c7d07aef7d4565f4ddc61d3fc5819a5ea68f2d5282e6ae3e5e17d60e3d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8d80e5c7d07aef7d4565f4ddc61d3fc5819a5ea68f2d5282e6ae3e5e17d60e3d
SHA3-384 hash: f760dea62b1fa6b7522263a2f70a1bde5e6b8a12678f6bdb6d2251993c20c359e4b376414c62faedfd5a633e1d95e934
SHA1 hash: 4790b36cdbbededed079473ff1c5c34637f2a2f6
MD5 hash: 4c99ba8c0fcf994162c991b2b6601509
humanhash: blossom-cola-monkey-ten
File name:verification.b-cdn.net.ps1
Download: download sample
Signature Stealc
Create hunting rule
File size:139 bytes
First seen:2024-08-10 17:08:55 UTC
Last seen:2024-08-19 16:05:54 UTC
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 3:VSJJLNyAmarBO/tmt55akqizkVkoTMRk8nbPROkJ+Eg9qYn:snyuk854kqizkVkiQfOkUE2
TLSH T174C02B085038684D03DAE53008385D4F2103CB39D7381339EC4100C80D10184F31130C
Reporter aachum
Tags:ps1 Stealc


Avatar
iamaachum
https://verification.b-cdn.net/verify-captcha-v1.html

Asked to paste PowerShell script and run it through Win+R.

Intelligence

File Origin
# of uploads :
2
# of downloads :
140
Origin country :
ES ES
Vendor Threat Intelligence
Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66b79eafaa5b40be0a9ff60b
Tags:
Encryption Execution Generic Infostealer Network Stealth Trojan
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
lolbin lolbin masquerade mshta powershell shell32
Link:
https://www.filescan.io/uploads/66b79eb28c27a84b6bb5ea0e/reports/755735fb-7b53-4884-a00b-c59cffd62f8d/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/8d80e5c7d07aef7d4565f4ddc61d3fc5819a5ea68f2d5282e6ae3e5e17d60e3d
Result
Verdict:
MALICIOUS
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name:
Go Injector, Stealc
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1491044
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Found malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Powershell drops PE file
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Very long command line found
Writes to foreign memory regions
Yara detected Go Injector
Yara detected Powershell download and execute
Yara detected Stealc
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1491044 Sample: verification.b-cdn.net.ps1 Startdate: 10/08/2024 Architecture: WINDOWS Score: 100 48 bidvertiser.b-cdn.net 2->48 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 Antivirus detection for URL or domain 2->60 62 9 other signatures 2->62 11 powershell.exe 11 2->11         started        14 svchost.exe 1 1 2->14         started        signatures3 process4 dnsIp5 68 Encrypted powershell cmdline option found 11->68 70 Powershell drops PE file 11->70 17 powershell.exe 7 11->17         started        19 conhost.exe 11->19         started        54 127.0.0.1 unknown unknown 14->54 signatures6 process7 process8 21 mshta.exe 17 17->21         started        dnsIp9 52 bidvertiser.b-cdn.net 185.93.1.250, 443, 49730, 49734 CDN77GB Czech Republic 21->52 38 C:\Users\user\AppData\Local\...\smart1[1], PE32 21->38 dropped 64 Suspicious powershell command line found 21->64 66 Very long command line found 21->66 26 powershell.exe 14 34 21->26         started        file10 signatures11 process12 file13 40 C:\Users\user\AppData\Roaming\VBoxVMM.dll, PE32+ 26->40 dropped 42 C:\Users\user\AppData\...\VBoxSupLib.dll, PE32+ 26->42 dropped 44 C:\Users\user\...\VBoxSharedFolders.dll, PE32+ 26->44 dropped 46 4 other malicious files 26->46 dropped 72 Loading BitLocker PowerShell Module 26->72 30 0SmartAssem.exe 2 26->30         started        33 conhost.exe 26->33         started        signatures14 process15 signatures16 74 Multi AV Scanner detection for dropped file 30->74 76 Writes to foreign memory regions 30->76 78 Allocates memory in foreign processes 30->78 80 Injects a PE file into a foreign processes 30->80 35 BitLockerToGo.exe 14 30->35         started        process17 dnsIp18 50 193.176.153.234, 49743, 80 AGROSVITUA unknown 35->50
Score:
0%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/8d80e5c7d07aef7d4565f4ddc61d3fc5819a5ea68f2d5282e6ae3e5e17d60e3d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8d80e5c7d07aef7d4565f4ddc61d3fc5819a5ea68f2d5282e6ae3e5e17d60e3d/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rwaolr6qplxx2rlf6to4mhj7ywazuxvgr4wvfaxgvy7f4f6wby6q._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  10/10
Tags:
execution
Link:
https://tria.ge/reports/240810-vn4fhatapa/
Behaviour
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Downloads MZ/PE file
Malware Config
Dropper Extraction:
https://bidvertiser.b-cdn.net/smart1
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8d80e5c7d07aef7d4565f4ddc61d3fc5819a5ea68f2d5282e6ae3e5e17d60e3d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

PowerShell (PS) ps1 8d80e5c7d07aef7d4565f4ddc61d3fc5819a5ea68f2d5282e6ae3e5e17d60e3d

(this sample)

Stealc

Executable exe 97d308c2b061ca49a8834dfd527a1485442aab95060ad69e54bf034e8a043c67

Stealc

zip 038fad0cd10c3cf36e3640a2ea4c079f83c7f6133e400407773bf804bc1c5f49

Stealc

Executable exe 760b5e6a856d503c20d46f910a2405f51944afef16479ebc0174eb213c2c0132

  
Link
https://tria.ge/240810-vf595asfmf
  
Dropping
Stealc
  
Delivery method
Distributed via web download
  
Dropping
SHA256 760b5e6a856d503c20d46f910a2405f51944afef16479ebc0174eb213c2c0132
  
Dropping
MD5 d1fe96463bb2db299645b3c39176d006
  
Dropping
SHA256 aaa862c14154374b00e16f2440dabfcb9c8b7ca6655942530c83a6c96c065438
  
Dropping
MD5 e779ad7fcdc079af0012414407e2e892

Comments