MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8eb6a3a3ba316ea4dc3f609bdfc9779492c649887fc84f525bc4d1ffe0ea7634. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	8eb6a3a3ba316ea4dc3f609bdfc9779492c649887fc84f525bc4d1ffe0ea7634
SHA3-384 hash:	e042a8a3c9fa07735df3b0534daf0846e5915f8ca9e5a1f498129e5859bd3b39321e0299f75ddd73f67917fd3bd5c4bd
SHA1 hash:	d7ee9bb2bedc1ed613659ce91d4265e38d2af46e
MD5 hash:	6f8538fe93e6761ce8b120f2a6069183
humanhash:	lima-victor-enemy-wolfram
File name:	6f8538fe93e6761ce8b120f2a6069183
Download:	download sample
Signature	Stealc Alert Create hunting rule
File size:	300'544 bytes
First seen:	2023-12-15 03:04:48 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	25a2cb644b3524e5439412cd0304802e (1 x Stealc)
ssdeep	3072:koLTa8r983LVIgZ7tf+VwJ0WiWpAXBA5iWZv5TsQ:koLmaG76gZ7tQJ0v5T
TLSH	T1BB545D7353E13EC2E9664B72AE1EC6F83A5EF15A4F49376A12189E1F08B40B2D173711
TrID	34.5% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 25.8% (.EXE) InstallShield setup (43053/19/16) 18.7% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 6.3% (.EXE) Win64 Executable (generic) (10523/12/4) 3.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):
dhash icon	0030c09030181800 (2 x Smoke Loader, 1 x Tofsee, 1 x CoinMiner)
Reporter	zbetcheckin
Tags:	32 exe Stealc

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

354

Origin country :

FR

Vendor Threat Intelligence

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/467516/

ClamAV Detected

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file

Reading critical registry keys

Changing a file

Creating a file in the %AppData% subdirectories

Creating a window

Running batch commands

Creating a process with a hidden window

Launching a process

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Stealing user critical data

Sending an HTTP GET request to an infection source

Dragonfly

Gathering data

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

packed xpack

Link:

https://www.filescan.io/uploads/657bc25f7d4bdb7f8bf456b5/reports/13b2c4d1-fdde-4536-8ef4-fb3c3b6a3eda/overview

Hybrid Analysis Malware

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/8eb6a3a3ba316ea4dc3f609bdfc9779492c649887fc84f525bc4d1ffe0ea7634

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Stealc

Malware family:

Stealc

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a7da5f9c-0430-4f39-a9e2-c7f2c7c296ca

Joe Sandbox Stealc, Vidar

Result

Threat name:

Stealc, Vidar

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1362502

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found evasive API chain (may stop execution after checking locale)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Self deletion via cmd or bat file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Yara detected Stealc

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Nucleon Malprob Malware

Score:

100%

Verdict:

Malware

File Type:

PE

Link:

https://malprob.io/report/8eb6a3a3ba316ea4dc3f609bdfc9779492c649887fc84f525bc4d1ffe0ea7634

CERT.PL MWDB stealc

Detection:

stealc

Alert

Create hunting rule

Link:

https://mwdb.cert.pl/sample/8eb6a3a3ba316ea4dc3f609bdfc9779492c649887fc84f525bc4d1ffe0ea7634/

ReversingLabs TitaniumCloud Win32.Trojan.Smokeloader

Threat name:

Win32.Trojan.Smokeloader

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-12-15 03:05:07 UTC

File Type:

PE (Exe)

Extracted files:

58

AV detection:

16 of 23 (69.57%)

Threat level:

  5/5

Spamhaus Hash Blocklist Malicious file

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=r23khi52gfxkjxb7mcn57slxssjmmsmip7ee6us3yti77yhkoy2a._file

Threatray malicious

Verdict:

malicious

Hatching Triage stealc

Result

Malware family:

stealc

Alert

Create hunting rule

Score:

  10/10

Tags:

family:stealc discovery spyware stealer

Link:

https://tria.ge/reports/231215-dk6m1sabbl/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Deletes itself

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Downloads MZ/PE file

Stealc

Malware Config

C2 Extraction:

http://5.42.64.41

UnpacMe stealc win_stealc_auto win_stealc_a0 win_stealc_bytecodes_oct_2023

Unpacked files

SH256 hash:

f497b17558b14f41de55ff3c4f7484d9f34ec945ab0bf6a63bf79e5de3b2235a

MD5 hash:

83fb2705650233c29b7176237bb8e482

SHA1 hash:

247e688e8a711463b0c22cb14f1d924ab70dbbb4

Detections:

stealc

Alert

Create hunting rule

win_stealc_auto

Alert

Create hunting rule

win_stealc_a0

Alert

Create hunting rule

win_stealc_bytecodes_oct_2023

Alert

Create hunting rule

Link:

https://www.unpac.me/results/068d0497-167d-4a3e-9af7-848550a5cb11/

Parent samples :

8eb6a3a3ba316ea4dc3f609bdfc9779492c649887fc84f525bc4d1ffe0ea7634
d6f5188b68cde8c80052a42e5a593d42c26cd7688c898c4dcb2d47e24dba844a

SH256 hash:

8eb6a3a3ba316ea4dc3f609bdfc9779492c649887fc84f525bc4d1ffe0ea7634

MD5 hash:

6f8538fe93e6761ce8b120f2a6069183

SHA1 hash:

d7ee9bb2bedc1ed613659ce91d4265e38d2af46e

Link:

https://www.unpac.me/results/068d0497-167d-4a3e-9af7-848550a5cb11/

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8eb6a3a3ba316ea4dc3f609bdfc9779492c649887fc84f525bc4d1ffe0ea7634

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

exe 8eb6a3a3ba316ea4dc3f609bdfc9779492c649887fc84f525bc4d1ffe0ea7634

(this sample)

  

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/467516/

  

URLhaus

https://urlhaus.abuse.ch/url/2735175/

Comments

---

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2023-12-15 03:04:50 UTC

url : hxxp://5.42.64.35/timeSync.exe