MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 96ed9ee02439a8dbf2d342b1c62cf6e457526a20bd46796b32f77c62ddc140e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 15



SHA256 hash: 96ed9ee02439a8dbf2d342b1c62cf6e457526a20bd46796b32f77c62ddc140e1
SHA3-384 hash: c87e5dcbe89089f5b746e963f8c0557bf633b9b61b04582424758e868b4808699bb1ec663b23e21cf8bd30eacedb906f
SHA1 hash: a94c7dc4c4234b22b23b5228a7894ff1632359c6
MD5 hash: 3743e876b9e75065d06b84a03a38763d
humanhash: johnny-colorado-oranges-iowa
File name: CopyrightReport.exe
Signature: Stealc
File size: 134'952 bytes
First seen: 2023-06-11 15:56:05 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 039032eedb13fb00811bf4343043c31c (3 x Stealc)
ssdeep: 1536:jrqvmmmmmuRbSb+xtAzA940ojleuppKDoW1+jwCUG7ixQUG7ixksO:fqfR1IzAW0oj0uppqT+jwCUG7DUG7z
TLSH: T1EDD359722E002472EBEECA3624999913413AAD5DE95C31B608F4B6651FF7F7B131780E
TrID: 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
      12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
      5.9% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon: 1c80014c4c5e8014 (10 x AgentTesla, 2 x RemcosRAT, 2 x RedLineStealer)
Reporter: SquiblydooBlog
Tags: AresLoader exe Stealc

Intelligence

File Origin
# of uploads: 1
# of downloads: 331
Origin country: US

Vendor Threat Intelligence

Malware family: redline
ID: 1
File name: CopyrightReport.exe
Verdict: Malicious activity
Analysis date: 2023-06-11 15:56:26 UTC
Tags: evasion loader rat redline stealc

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Running batch commands
Launching a process
Searching for the window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour

MalwareBazaar
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: overlay packed

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: n/a
Detection: malicious
Classification: troj.evad
Score: 84 / 100
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to determine the online IP of the system
Detected unpacking (changes PE section rights)
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Behaviour
Behavior Graph:

Threat name: Win32.Spyware.RedLine
Status: Malicious
First seen: 2023-06-11 00:44:36 UTC
File Type: PE (Exe)
Extracted files: 3
AV detection: 20 of 37 (54.05%)
Threat level: 2/5

Result
Malware family:
Score: 10/10
Tags: family:redline family:stealc botnet:arch infostealer persistence spyware stealer
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Detects Stealc stealer
RedLine
Stealc

Malware Config
C2 Extraction:
176.113.115.23:27556
http://80.94.95.137/3cd43889ddd6a80f.php
Unpacked files
SHA256 hash: 0cc67cf72c3d6ee8cd5fd129a1a99bea642a9593116615c0a2879d93452a561c
MD5 hash: 95d24021f9091b7b9ec486aed3b18070
SHA1 hash: 800542d2588f74c511e1a11f871f875f77cc3a7a
Detections: win_aresloader_a0

SHA256 hash: 96ed9ee02439a8dbf2d342b1c62cf6e457526a20bd46796b32f77c62ddc140e1
MD5 hash: 3743e876b9e75065d06b84a03a38763d
SHA1 hash: a94c7dc4c4234b22b23b5228a7894ff1632359c6

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments



Squiblydoo commented on 2023-06-11 16:00:56 UTC

Dropped STEALC and REDLINE from C2: 193.233.134.57