MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9444f34a94d494a78e19e19f4e1615744e500aca97a563ad2a294bf16a076039. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 4 File information Comments

SHA256 hash:	9444f34a94d494a78e19e19f4e1615744e500aca97a563ad2a294bf16a076039
SHA3-384 hash:	db0a0278003ca616458bcdca2bd80007f9954cd59c1190f8cebd756c2b92a8d7bee6ed194f3cf2ad4e871d74c963de89
SHA1 hash:	d2c26961da5ae57a3af316254c0a575f55b47db4
MD5 hash:	2733f9a6dbe92360ade08304fb7a9b64
humanhash:	bravo-spaghetti-carpet-mississippi
File name:	9444f34a94d494a78e19e19f4e1615744e500aca97a56.exe
Download:	download sample
Signature	Stealc Create hunting rule
File size:	891'671 bytes
First seen:	2024-06-28 07:50:21 UTC
Last seen:	2024-06-28 08:54:22 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep	24576:bgYL7U1q0L0xWWTqCHkFn4+c4AVtxumzMTS2:lUAbRTqPx7ixum12
TLSH	T16C152382FA81E036ED85AF341EB145AF0FB2EB9494D4C46B0386CD9E7A14701CF5939E
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):
dhash icon	0000020203070606 (1 x Stealc)
Reporter	abuse_ch
Tags:	exe Stealc

abuse_ch

Stealc C2:
http://94.156.68.153/a066a53ea1064ac7.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://94.156.68.153/a066a53ea1064ac7.php	https://threatfox.abuse.ch/ioc/1289951/

Intelligence

File Origin

# of uploads :

# of downloads :

388

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Win32.Malware-gen.13928.3051.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=667e6b9f17db6c2841b208b2win10vpnfull_triage

Tags:

Discovery Encryption Execution Infostealer Network Static Stealth Trojan Nullmixer

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% directory

Сreating synchronization primitives

Running batch commands

Creating a process with a hidden window

Launching a process

Using the Windows Management Instrumentation requests

Searching for synchronization primitives

Creating a file

Creating a process from a recently created file

Creating a window

DNS request

Connecting to a non-recommended domain

Connection attempt

Sending an HTTP GET request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

installer lolbin microsoft_visual_cc nullmixer overlay packed shell32

Link:

https://www.filescan.io/uploads/667e6b670bf5978c0b131843/reports/3c8b8874-f946-4d75-8082-c2216830fb43/overview

Verdict:

Malicious

Labled as:

Win/grayware_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/9444f34a94d494a78e19e19f4e1615744e500aca97a563ad2a294bf16a076039

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/1a6fb7a3-a9b9-4ea8-b740-805bcffba969

Result

Threat name:

Mars Stealer, Stealc, Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1464039

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Drops PE files with a suspicious file extension

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Found stalling execution ending in API Sleep call

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Sigma detected: Search for Antivirus process

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Yara detected Mars stealer

Yara detected Stealc

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Score:

68%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/9444f34a94d494a78e19e19f4e1615744e500aca97a563ad2a294bf16a076039

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9444f34a94d494a78e19e19f4e1615744e500aca97a563ad2a294bf16a076039/

Threat name:

Win32.Trojan.Casdet

Status:

Malicious

First seen:

2024-06-27 19:19:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

14 of 24 (58.33%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=srcpgsuu2skkpdqz4gpu4fqvorhfacwks6swhljkfff7c2qhma4q._file

Verdict:

unknown

Result

Malware family:

stealc

Score:

10/10

Tags:

family:stealc discovery spyware stealer

Link:

https://tria.ge/reports/240628-jptf5s1erl/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Enumerates processes with tasklist

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Downloads MZ/PE file

Stealc

Unpacked files

SH256 hash:

83424bae44d58db0f16caa7e6ce08d6cbb14938543be8968c039f1816d8f2050

MD5 hash:

2094a83d5001933d1fa5a4700f5c6429

SHA1 hash:

c87622343d30a5f59dc20278331314332e282e95

Detections:

AutoIT_Compiled

Link:

https://www.unpac.me/results/913ea99d-64b3-43e6-86b5-21649bdef2a2/

Parent samples :

aba228d167cbabe85ed94101c53d367bdd423d3fa84b977f4629c528912b0220
b2506074e22cbbd6c7a54b64c258ca48dd5a06bebf0830cc63596f1034045bfa
ce8ec776eb22c2bf9ec25fe36bd0dfa6617e4926103358b055fd55cdf7912328
19fcb719130f0edd27552e014d5b446e85faabe82611311be6dbe28d33463327
9444f34a94d494a78e19e19f4e1615744e500aca97a563ad2a294bf16a076039
3ef1d040731916fee2fe1317c53a0e363f05fd12f87b84563af86ac5d49f74c2
7632e569071acc40bce87af592e4cc2476d9c088906a1e6651614860b4754bf8

SH256 hash:

9444f34a94d494a78e19e19f4e1615744e500aca97a563ad2a294bf16a076039

MD5 hash:

2733f9a6dbe92360ade08304fb7a9b64

SHA1 hash:

d2c26961da5ae57a3af316254c0a575f55b47db4

Link:

https://www.unpac.me/results/913ea99d-64b3-43e6-86b5-21649bdef2a2/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	maldoc_OLE_file_magic_number Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	NSIS_April_2024 Create hunting rule
Author:	NDA0N
Description:	Detects NSIS installers

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteW SHELL32.dll::SHFileOperationW SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessW KERNEL32.dll::OpenProcess KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetDiskFreeSpaceW KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW KERNEL32.dll::MoveFileW KERNEL32.dll::GetWindowsDirectoryW
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegSetValueExW
WIN_USER_API	Performs GUI Actions	USER32.dll::AppendMenuW USER32.dll::EmptyClipboard USER32.dll::FindWindowExW USER32.dll::OpenClipboard USER32.dll::PeekMessageW USER32.dll::CreateWindowExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample