MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 92f0f57250f76ec5486dc7ef617f0145e4de09a1d5d95a4fe42cb5393678b7bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 92f0f57250f76ec5486dc7ef617f0145e4de09a1d5d95a4fe42cb5393678b7bd
SHA3-384 hash: 0db250b2f265c6e0758873bbebda08d677b314a0b58c5a472f3a8484191973790aa68d566e2aab43b9c7bd763cc98ae7
SHA1 hash: 4e2feec63c0b5806f317dca14ea73dec070b465c
MD5 hash: 80cd3c3c9f857655a2d0944246063de9
humanhash: utah-grey-minnesota-ack
File name:SecuriteInfo.com.Win32.Evo-gen.20497.11436
Download: download sample
Signature Stealc
Create hunting rule
File size:368'640 bytes
First seen:2023-03-22 16:29:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash cd10f4930e443428517f91868d83e9a6 (4 x Smoke Loader, 1 x Gozi, 1 x AuroraStealer)
ssdeep 3072:8L9jSPDtGeA/uBnDYISJsSt23ZivfSQ7IGSwZKBoqJJ:BTkJI0YJiv/PG
Threatray 119 similar samples on MalwareBazaar
TLSH T17D746C0293D37C60EF1246328E1EC6F46A1EBC619D5B7BAA234DFA2F0D741B1D162716
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 14d2c2c4c864d260 (1 x Stealc)
Reporter SecuriteInfoCom
Tags:exe Stealc

Intelligence

File Origin
# of uploads :
1
# of downloads :
267
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.Evo-gen.20497.11436
Verdict:
Malicious activity
Analysis date:
2023-03-22 16:32:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e82460f9-d88f-44c7-b942-2218745da420

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/376558/
Detection(s):
Sanesecurity.Malware.29057.BadIN.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Win32.Evo-gen.20497.11436.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Query of malicious DNS domain
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware lockbit manuscrypt packed smokeloader
Link:
https://www.filescan.io/uploads/641b2d0dda1bbe29caf988f3/reports/4da6cd61-1770-419d-a4d0-0f3537e68235/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/92f0f57250f76ec5486dc7ef617f0145e4de09a1d5d95a4fe42cb5393678b7bd
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2a17cfc6-4f73-49b8-af58-c79fafad285f
Result
Threat name:
Stealc
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1199612
Signature
C2 URLs / IPs found in malware configuration
Country aware sample found (crashes after keyboard check)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking locale)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Stealc
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/92f0f57250f76ec5486dc7ef617f0145e4de09a1d5d95a4fe42cb5393678b7bd/
Threat name:
Win32.Trojan.Smokeloadder
Create hunting rule
Status:
Malicious
First seen:
2023-03-22 16:31:14 UTC
File Type:
PE (Exe)
Extracted files:
44
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=slypk4sq65xmksdny7xwc7ybixsn4cnb2xmvut7efs2tsntyw66q._file
Verdict:
malicious
Similar samples:
07a3bc87d6480a495505c6efe903bb1009c39f79fe7229631e1f1bd65c6ceebe
Stealc
0cfc62e9e3fb70c9319f2b5785dba4a7632b137daf8e0268a557ba9f70e403b3
Stealc
1978eba30a4ec1374d09affead3a90d4175c97e58f34497d798aaa56e685df20
Stealc
4decda3f59361e62bca26d6c7406c5e8217fd25249fb03843ec78ba0c09416c8
Stealc
8384eb97c0fd7d916cdb454b2212794a8eafa37fe6c7165644d02e8d9bfe5237
Stealc
979afbc8137f3cb684125b0f15be3c34d8539425366c3a067b98a97e181eb142
Stealc
b020c34a3b2b4bc4fbfa0ac4d3ca97283e2fdce71f737e1103bd638ed8f6647a
Stealc
be17c8aac5b1f95da13702092d5d3c37c98f12d0ff7704f163f43a2ab890bcc6
Stealc
ea3c4e9cc6e8b8b5fb61c4ef5afaa0575a895b1ca9377e22e1236057494923e3
Stealc
efd930a05e3497d82dec3bf394060900c09945105250b2207326f396bc921ea9
Stealc
+ 109 additional samples on MalwareBazaar
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:stealc discovery stealer
Link:
https://tria.ge/reports/230322-tzs88sbh5t/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Program crash
Checks installed software on the system
Detects Stealc stealer
Stealc
Malware Config
C2 Extraction:
http://jerrysmith.online
Unpacked files
SH256 hash:
a5109e8b5c44385fe336d3478df6ee1e689092e9177b6cc0f61c731161085065
MD5 hash:
36c70a349a039e41bdff1ed167d62259
SHA1 hash:
f8f6fe2472e02a031806e9740b572961f98109f3
Detections:
stealc
Create hunting rule
Link:
https://www.unpac.me/results/9a02c0e4-5a9e-4139-a264-0f91345e6b8a/
Parent samples :
07a3bc87d6480a495505c6efe903bb1009c39f79fe7229631e1f1bd65c6ceebe
b020c34a3b2b4bc4fbfa0ac4d3ca97283e2fdce71f737e1103bd638ed8f6647a
4decda3f59361e62bca26d6c7406c5e8217fd25249fb03843ec78ba0c09416c8
92f0f57250f76ec5486dc7ef617f0145e4de09a1d5d95a4fe42cb5393678b7bd
SH256 hash:
92f0f57250f76ec5486dc7ef617f0145e4de09a1d5d95a4fe42cb5393678b7bd
MD5 hash:
80cd3c3c9f857655a2d0944246063de9
SHA1 hash:
4e2feec63c0b5806f317dca14ea73dec070b465c
Link:
https://www.unpac.me/results/9a02c0e4-5a9e-4139-a264-0f91345e6b8a/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:infostealer_win_stealc_standalone
Create hunting rule
Description:Find standalone Stealc sample based on decryption routine or characteristic strings
Reference:https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:win_stealc_w0
Create hunting rule
Author:crep1x
Description:Find standalone Stealc sample based on decryption routine or characteristic strings
Reference:https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/376558/

Comments