MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 9001d11fb0f26a947bac4426a9ae47d56d296056ae2f91c4d864f6ceeb95a951. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Stealc
Vendor detections: 16
| SHA256 hash: | 9001d11fb0f26a947bac4426a9ae47d56d296056ae2f91c4d864f6ceeb95a951 |
|---|---|
| SHA3-384 hash: | 0a38bf22fcfdb2508b26cb23a97f3db7993cd36ab262dd6bcba243e0427f351e64d86ca6a8f50b4f8e511e59f43a5a29 |
| SHA1 hash: | 3feedb498e66903c94795fd71caed08aeb0c2aec |
| MD5 hash: | 89b2d4abb9dafc28cfe36c80e8b1f3ef |
| humanhash: | twenty-cardinal-oranges-alanine |
| File name: | 89b2d4abb9dafc28cfe36c80e8b1f3ef.exe |
| Download: | download sample |
| Signature | Stealc |
| File size: | 8'573'720 bytes |
| First seen: | 2024-10-29 21:30:20 UTC |
| Last seen: | 2024-11-07 14:24:04 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 141b56704f715ec5b6813dc68fb5a4da (2 x Stealc) |
| ssdeep | 98304:MR0hUgxKIzS9ahfNrTX9S9cYYDi9DixDihDizDiFDidCya:79NrTt4cY4c |
| TLSH | T110866B036245942ECC2BFA764E2AC54458367E533D218CBEDBE82C285E3574E79ED732 |
| TrID | 84.9% (.EXE) Inno Setup installer (107240/4/30) 8.3% (.EXE) Win64 Executable (generic) (10522/11/4) 3.5% (.EXE) Win32 Executable (generic) (4504/4/1) 1.5% (.EXE) Generic Win/DOS Executable (2002/3) 1.5% (.EXE) DOS Executable Generic (2000/1) |
| Magika | pebin |
| File icon (PE): |  |
| dhash icon | 70cc9e96968ecc70 (2 x Stealc) |
| Reporter |  abuse_ch |
| Tags: | exe Stealc |
Indicators Of Compromise (IOCs)
Below is a list of indicators of compromise (IOCs) associated with this malware samples.
| IOC | ThreatFox Reference |
|---|---|
| http://65.108.249.83/3392f30dc348fa7b.php | https://threatfox.abuse.ch/ioc/1340027/ |
Intelligence
File Origin
# of uploads :
2
# of downloads :
447
Origin country :
NLVendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
89b2d4abb9dafc28cfe36c80e8b1f3ef.exe
Verdict:
Malicious activity
Analysis date:
2024-10-29 21:35:13 UTC
Tags:
stealer stealc loader
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
Powershell Emotet Cobalt Lien
Result
Verdict:
Suspicious
Maliciousness:
Behaviour
Searching for the window
Сreating synchronization primitives
Connection attempt
Sending an HTTP GET request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Verdict:
Malicious
Labled as:
Trojan.Lumma
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Stealc
Verdict:
Malicious
Result
Threat name:
Stealc, Vidar
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Suricata IDS alerts for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Score:
80%
Verdict:
Malware
File Type:
PE
Threat name:
Win32.Spyware.Stealc
Status:
Malicious
First seen:
2024-10-29 21:31:07 UTC
File Type:
PE (Exe)
Extracted files:
88
AV detection:
14 of 24 (58.33%)
Threat level:
2/5
Detection(s):
Suspicious file
Result
Malware family:
stealc
Score:
10/10
Tags:
family:stealc botnet:default credential_access discovery spyware stealer
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Program crash
System Location Discovery: System Language Discovery
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Downloads MZ/PE file
Uses browser remote debugging
Stealc
Stealc family
Malware Config
C2 Extraction:
http://65.108.249.83
Verdict:
Malicious
Tags:
stealc
YARA:
n/a
Unpacked files
SH256 hash:
4f77f8bed3a7c024d27fa56745e053085730d858ae1a97ecaad9029f371c36ca
MD5 hash:
41a647416edf3bdb3b9360febc7b86b0
SHA1 hash:
f3f97e068b8c8c3c4ae2e0907402b75e46a35a53
Detections:
stealc
win_stealc_w0
win_stealc_a0
detect_Mars_Stealer
SH256 hash:
81a4f37c5495800b7cc46aea6535d9180dadb5c151db6f1fd1968d1cd8c1eeb4
MD5 hash:
eda18948a989176f4eebb175ce806255
SHA1 hash:
ff22a3d5f5fb705137f233c36622c79eab995897
SH256 hash:
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95
MD5 hash:
e4211d6d009757c078a9fac7ff4f03d4
SHA1 hash:
019cd56ba687d39d12d4b13991c9a42ea6ba03da
SH256 hash:
9001d11fb0f26a947bac4426a9ae47d56d296056ae2f91c4d864f6ceeb95a951
MD5 hash:
89b2d4abb9dafc28cfe36c80e8b1f3ef
SHA1 hash:
3feedb498e66903c94795fd71caed08aeb0c2aec
Malware family:
Stealc
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | Borland |
|---|---|
| Author: | malware-lu |
| Rule name: | DebuggerException__SetConsoleCtrl |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | MD5_Constants |
|---|---|
| Author: | phoul (@phoul) |
| Description: | Look for MD5 constants |
| Rule name: | NET |
|---|---|
| Author: | malware-lu |
| Rule name: | pe_detect_tls_callbacks |
|---|
| Rule name: | PE_Digital_Certificate |
|---|---|
| Author: | albertzsigovits |
| Rule name: | PE_Potentially_Signed_Digital_Certificate |
|---|---|
| Author: | albertzsigovits |
| Rule name: | RIPEMD160_Constants |
|---|---|
| Author: | phoul (@phoul) |
| Description: | Look for RIPEMD-160 constants |
| Rule name: | SHA1_Constants |
|---|---|
| Author: | phoul (@phoul) |
| Description: | Look for SHA1 constants |
| Rule name: | shellcode |
|---|---|
| Author: | nex |
| Description: | Matched shellcode byte patterns |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
Delivery method
Distributed via web download
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high |
| CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high |
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| AUTH_API | Manipulates User Authorization | advapi32.dll::AllocateAndInitializeSid advapi32.dll::EqualSid advapi32.dll::FreeSid advapi32.dll::InitializeSecurityDescriptor |
| COM_BASE_API | Can Download & Execute components | ole32.dll::CLSIDFromProgID ole32.dll::CoCreateInstance ole32.dll::CoFreeUnusedLibraries |
| MULTIMEDIA_API | Can Play Multimedia | gdi32.dll::StretchDIBits winmm.dll::timeGetTime |
| SECURITY_BASE_API | Uses Security Base API | advapi32.dll::AdjustTokenPrivileges advapi32.dll::GetTokenInformation advapi32.dll::SetSecurityDescriptorDacl |
| SHELL_API | Manipulates System Shell | shell32.dll::ShellExecuteW shell32.dll::ShellExecuteExW shell32.dll::SHGetFileInfoW |
| WIN32_PROCESS_API | Can Create Process and Threads | kernel32.dll::CreateProcessW advapi32.dll::OpenProcessToken kernel32.dll::OpenProcess advapi32.dll::OpenThreadToken kernel32.dll::VirtualAllocEx kernel32.dll::WriteProcessMemory |
| WIN_BASE_API | Uses Win Base API | kernel32.dll::TerminateProcess kernel32.dll::LoadLibraryA kernel32.dll::LoadLibraryExW kernel32.dll::LoadLibraryW kernel32.dll::GetDriveTypeW kernel32.dll::GetSystemInfo |
| WIN_BASE_IO_API | Can Create Files | kernel32.dll::CopyFileW kernel32.dll::CreateDirectoryW kernel32.dll::CreateFileW kernel32.dll::DeleteFileW kernel32.dll::MoveFileW kernel32.dll::MoveFileExW |
| WIN_BASE_USER_API | Retrieves Account Information | kernel32.dll::GetComputerNameW advapi32.dll::GetUserNameW advapi32.dll::LookupPrivilegeValueW |
| WIN_NETWORK_API | Supports Windows Networking | mpr.dll::WNetEnumResourceW mpr.dll::WNetGetUniversalNameW mpr.dll::WNetOpenEnumW |
| WIN_REG_API | Can Manipulate Windows Registry | advapi32.dll::RegCreateKeyExW advapi32.dll::RegDeleteKeyW advapi32.dll::RegOpenKeyExW advapi32.dll::RegQueryInfoKeyW advapi32.dll::RegQueryValueExW advapi32.dll::RegSetValueExW |
| WIN_USER_API | Performs GUI Actions | user32.dll::ActivateKeyboardLayout user32.dll::AppendMenuW user32.dll::CreateMenu user32.dll::EmptyClipboard user32.dll::FindWindowExW user32.dll::FindWindowW |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.