MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9561f2e19612f381dfbe538ba59f4f6f4cefe5d0d0f26f0b7fa1fcd095b9f708. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 16


Intelligence 16 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9561f2e19612f381dfbe538ba59f4f6f4cefe5d0d0f26f0b7fa1fcd095b9f708
SHA3-384 hash: c400cd4e0460e6b6d4a6124f696bbdc8f497de0d9c6af82d504ecb9d53ae2d571b56db9ed4993582a8c888e560a054f1
SHA1 hash: 8d4c24359d577fcbc818158fc79554169690273b
MD5 hash: c524f231dbe4c55a328876f06e2a82d1
humanhash: bakerloo-oklahoma-spaghetti-carolina
File name:file
Download: download sample
Signature Stealc
Create hunting rule
File size:1'789'440 bytes
First seen:2024-11-22 19:33:37 UTC
Last seen:2024-11-22 19:57:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:EWDzR3kVKyvwxbdJ60Lsv33hf+EsV7i7EO7Hf:EA+rkhJ60YJcV69b
TLSH T15B85334D4F818775E04784338C591BBDAB2190A6CAD096EBEFE1F4FE96A6F511BED000
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter Bitsight
Tags:exe Stealc


Avatar
Bitsight
url: http://185.215.113.16/steam/random.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
519
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-11-22 19:35:21 UTC
Tags:
stealer stealc loader amadey botnet
Link:
https://app.any.run/tasks/e4094ba7-dea2-453b-97b5-68ce8a187fdf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.20260.9728.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6740ddc0d0583382434a89e4
Tags:
vmdetect autorun autoit spam
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Running batch commands
Creating a process with a hidden window
Launching a process
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/6740dcac3bd79b18427acd35/reports/9b385e1d-79ee-41dc-aa2c-802bea2649a3/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/9561f2e19612f381dfbe538ba59f4f6f4cefe5d0d0f26f0b7fa1fcd095b9f708
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/16c54bc2-4d28-40cf-8133-8c4b1ad9679c
Result
Threat name:
Amadey, Credential Flusher, Cryptbot, Lu
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1561158
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected Cryptbot
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1561158 Sample: file.exe Startdate: 22/11/2024 Architecture: WINDOWS Score: 100 97 youtube.com 2->97 99 youtube-ui.l.google.com 2->99 101 30 other IPs or domains 2->101 131 Suricata IDS alerts for network traffic 2->131 133 Found malware configuration 2->133 135 Antivirus detection for URL or domain 2->135 137 17 other signatures 2->137 9 skotes.exe 4 29 2->9         started        14 file.exe 36 2->14         started        16 0718eb7837.exe 2->16         started        18 3 other processes 2->18 signatures3 process4 dnsIp5 115 185.215.113.43, 49782, 49789, 80 WHOLESALECONNECTIONSNL Portugal 9->115 117 31.41.244.11, 49794, 80 AEROEXPRESS-ASRU Russian Federation 9->117 79 C:\Users\user\AppData\...\2aff342b40.exe, PE32 9->79 dropped 81 C:\Users\user\AppData\...\2922d7c574.exe, PE32 9->81 dropped 83 C:\Users\user\AppData\...\aedbd2e320.exe, PE32 9->83 dropped 91 6 other malicious files 9->91 dropped 173 Creates multiple autostart registry keys 9->173 175 Hides threads from debuggers 9->175 177 Tries to detect sandboxes / dynamic malware analysis system (registry check) 9->177 20 0718eb7837.exe 9->20         started        24 2aff342b40.exe 9->24         started        26 aedbd2e320.exe 9->26         started        36 2 other processes 9->36 119 185.215.113.206, 49730, 49750, 49760 WHOLESALECONNECTIONSNL Portugal 14->119 121 185.215.113.16, 49759, 80 WHOLESALECONNECTIONSNL Portugal 14->121 123 127.0.0.1 unknown unknown 14->123 85 C:\Users\user\DocumentsKECFIDGCBF.exe, PE32 14->85 dropped 87 C:\Users\user\AppData\...\softokn3[1].dll, PE32 14->87 dropped 89 C:\Users\user\AppData\Local\...\random[1].exe, PE32 14->89 dropped 93 12 other files (8 malicious) 14->93 dropped 179 Detected unpacking (changes PE section rights) 14->179 181 Attempt to bypass Chrome Application-Bound Encryption 14->181 183 Drops PE files to the document folder of the user 14->183 195 6 other signatures 14->195 28 cmd.exe 1 14->28         started        30 chrome.exe 14->30         started        185 Tries to harvest and steal ftp login credentials 16->185 187 Tries to harvest and steal browser information (history, passwords, etc) 16->187 189 Tries to steal Crypto Currency Wallets 16->189 191 Binary is likely a compiled AutoIt script file 18->191 193 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 18->193 32 firefox.exe 18->32         started        34 taskkill.exe 18->34         started        38 5 other processes 18->38 file6 signatures7 process8 dnsIp9 103 property-imper.sbs 172.67.162.84 CLOUDFLARENETUS United States 20->103 139 Antivirus detection for dropped file 20->139 141 Multi AV Scanner detection for dropped file 20->141 143 Detected unpacking (changes PE section rights) 20->143 161 2 other signatures 20->161 145 Tries to detect sandboxes and other dynamic analysis tools (window names) 24->145 147 Machine Learning detection for dropped file 24->147 149 Disables Windows Defender Tamper protection 24->149 163 2 other signatures 24->163 151 Tries to evade debugger and weak emulator (self modifying code) 26->151 153 Hides threads from debuggers 26->153 155 Tries to detect sandboxes / dynamic malware analysis system (registry check) 26->155 40 DocumentsKECFIDGCBF.exe 4 28->40         started        44 conhost.exe 28->44         started        105 192.168.2.4, 443, 49723, 49724 unknown unknown 30->105 107 239.255.255.250 unknown Reserved 30->107 46 chrome.exe 30->46         started        109 prod.classify-client.prod.webservices.mozgcp.net 35.190.72.216 GOOGLEUS United States 32->109 55 2 other processes 32->55 49 conhost.exe 34->49         started        111 fvtekk5pn.top 34.116.198.130 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 36->111 113 home.fvtekk5pn.top 36->113 157 Binary is likely a compiled AutoIt script file 36->157 159 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 36->159 51 chrome.exe 36->51         started        53 taskkill.exe 36->53         started        57 5 other processes 36->57 59 5 other processes 38->59 signatures10 process11 dnsIp12 77 C:\Users\user\AppData\Local\...\skotes.exe, PE32 40->77 dropped 165 Detected unpacking (changes PE section rights) 40->165 167 Tries to evade debugger and weak emulator (self modifying code) 40->167 169 Tries to detect virtualization through RDTSC time measurements 40->169 171 3 other signatures 40->171 61 skotes.exe 40->61         started        125 www.google.com 142.250.181.100, 443, 49734, 49735 GOOGLEUS United States 46->125 127 plus.l.google.com 172.217.17.78, 443, 49754 GOOGLEUS United States 46->127 129 apis.google.com 46->129 64 chrome.exe 51->64         started        67 conhost.exe 53->67         started        69 conhost.exe 57->69         started        71 conhost.exe 57->71         started        73 conhost.exe 57->73         started        75 conhost.exe 57->75         started        file13 signatures14 process15 dnsIp16 197 Antivirus detection for dropped file 61->197 199 Detected unpacking (changes PE section rights) 61->199 201 Machine Learning detection for dropped file 61->201 203 4 other signatures 61->203 95 www.google.com 64->95 signatures17
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9561f2e19612f381dfbe538ba59f4f6f4cefe5d0d0f26f0b7fa1fcd095b9f708
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9561f2e19612f381dfbe538ba59f4f6f4cefe5d0d0f26f0b7fa1fcd095b9f708/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-11-22 19:34:13 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
16 of 38 (42.11%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=svq7fymwclzydx56kof2lh2pn5go7zoq2dzg6c37uh6nbfnz64ea._file
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:cryptbot family:stealc botnet:9c9aa5 botnet:mars credential_access discovery evasion persistence spyware stealer trojan
Link:
https://tria.ge/reports/241122-x93r7ssrem/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Windows security modification
Downloads MZ/PE file
Uses browser remote debugging
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
CryptBot
Cryptbot family
Detects CryptBot payload
Modifies Windows Defender Real-time Protection settings
Stealc
Stealc family
Malware Config
C2 Extraction:
http://185.215.113.206
http://185.215.113.43
Verdict:
Suspicious
Tags:
Stealc Stealer
YARA:
n/a
Link:
https://app.threat.zone/submission/0e448ca6-8dd0-45c9-8a20-2d1a10e5b47d
Unpacked files
SH256 hash:
7870ee6b084b333419955a1057785afdbce9e0b3aa5e2a2fed94980b0af562f3
MD5 hash:
f4e8aab1ec1accb52c19da41f2a60bd1
SHA1 hash:
42abb1f1a536a299bf61a8d94f4033b9ad5ea18e
Detections:
win_stealc_w0
Create hunting rule
win_stealc_a0
Create hunting rule
Link:
https://www.unpac.me/results/af81068a-046a-4a28-b074-70950e295340/
SH256 hash:
9561f2e19612f381dfbe538ba59f4f6f4cefe5d0d0f26f0b7fa1fcd095b9f708
MD5 hash:
c524f231dbe4c55a328876f06e2a82d1
SHA1 hash:
8d4c24359d577fcbc818158fc79554169690273b
Link:
https://www.unpac.me/results/af81068a-046a-4a28-b074-70950e295340/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9561f2e19612/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9561f2e19612f381dfbe538ba59f4f6f4cefe5d0d0f26f0b7fa1fcd095b9f708

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe 9561f2e19612f381dfbe538ba59f4f6f4cefe5d0d0f26f0b7fa1fcd095b9f708

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3279845/
  
URLhaus
https://urlhaus.abuse.ch/url/3273391/
  
URLhaus
https://urlhaus.abuse.ch/url/3284801/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments