MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97bc060177fce1b452b8474da11b19a05eca49b554eb923e4fac8987bcf88caa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


StealeriumStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 97bc060177fce1b452b8474da11b19a05eca49b554eb923e4fac8987bcf88caa
SHA3-384 hash: 2b8a3dc1ab40248deee7ad79e712537590e87cde506e43398aef324b114f9a666a11d6d8cae23a7d2e6b56569da0e93c
SHA1 hash: 233b3350e9434e74242aa8e8a2874dd24fcdae89
MD5 hash: fc61c0e4432f088d54b37dab8b4863d0
humanhash: west-twenty-lithium-mobile
File name:Ship's Particulars.pdf.bat
Download: download sample
Signature StealeriumStealer
Create hunting rule
File size:7'031'808 bytes
First seen:2025-04-29 02:34:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 196608:JYzF7U32h2Aux4truLYLOeQc6lCysSgopN:JYzFI328r4tiLYLOebIgO
Threatray 9 similar samples on MalwareBazaar
TLSH T1DE6633A84669D307ED686BF53A21E271373C2ECF6911C11A6FCBBCF37A1AB880515147
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 1adc8c8c9a9a82e0 (5 x Formbook, 4 x MassLogger, 2 x AgentTesla)
Reporter threatcat_ch
Tags:exe StealeriumStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
483
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Ship's Particulars.pdf.bat
Verdict:
Malicious activity
Analysis date:
2025-04-29 02:35:20 UTC
Tags:
stealerium stealer discord evasion ims-api generic
Link:
https://app.any.run/tasks/01de639f-712a-43f2-a8fb-7a16b18238d7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Stealerium
Create hunting rule
Link:
https://www.capesandbox.com/analysis/4814/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68103db3cc5fb3600cc433d1
Tags:
shell micro sage
Result
Verdict:
Clean
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
entropy masquerade obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/68103aa2218c4a98ade6704e/reports/6675d336-f1d7-4df3-8395-b540471679d8/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/97bc060177fce1b452b8474da11b19a05eca49b554eb923e4fac8987bcf88caa
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/71a8dac8-f347-41a7-bd26-2cd560b4bd7e
Result
Threat name:
Phantom stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1676831
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Drops password protected ZIP file
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Capture Wi-Fi password
Sigma detected: Potential Data Stealing Via Chromium Headless Debugging
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected Phantom stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1676831 Sample: Ship's Particulars.pdf.bat.exe Startdate: 29/04/2025 Architecture: WINDOWS Score: 100 92 icanhazip.com 2->92 94 fg.microsoft.map.fastly.net 2->94 96 discordapp.com 2->96 114 Found malware configuration 2->114 116 Malicious sample detected (through community Yara rule) 2->116 118 Antivirus detection for URL or domain 2->118 120 20 other signatures 2->120 9 Ship's Particulars.pdf.bat.exe 7 2->9         started        13 msedge.exe 2->13         started        16 zbeRtplVD.exe 2->16         started        18 msiexec.exe 2->18         started        signatures3 process4 dnsIp5 80 C:\Users\user\AppData\Roaming\zbeRtplVD.exe, PE32 9->80 dropped 82 C:\Users\...\zbeRtplVD.exe:Zone.Identifier, ASCII 9->82 dropped 84 C:\Users\user\AppData\Local\...\tmp715A.tmp, XML 9->84 dropped 86 C:\...\Ship's Particulars.pdf.bat.exe.log, ASCII 9->86 dropped 136 Adds a directory exclusion to Windows Defender 9->136 138 Injects a PE file into a foreign processes 9->138 20 Ship's Particulars.pdf.bat.exe 15 60 9->20         started        25 powershell.exe 23 9->25         started        27 powershell.exe 7 9->27         started        29 schtasks.exe 1 9->29         started        110 192.168.2.4, 138, 443, 49708 unknown unknown 13->110 112 239.255.255.250 unknown Reserved 13->112 88 C:\Users\user\AppData\Local\...\Login Data, SQLite 13->88 dropped 90 C:\Users\user\AppData\Local\...\History, SQLite 13->90 dropped 140 Maps a DLL or memory area into another process 13->140 31 msedge.exe 13->31         started        33 msedge.exe 13->33         started        39 4 other processes 13->39 142 Multi AV Scanner detection for dropped file 16->142 35 schtasks.exe 16->35         started        37 zbeRtplVD.exe 16->37         started        file6 signatures7 process8 dnsIp9 98 icanhazip.com 104.16.184.241, 49716, 49791, 49801 CLOUDFLARENETUS United States 20->98 100 discordapp.com 162.159.129.233, 443, 49714, 49792 CLOUDFLARENETUS United States 20->100 102 127.0.0.1 unknown unknown 20->102 78 C:\Users\user\...\user@PC-XE069_en-CH.zip, Zip 20->78 dropped 122 Tries to steal Mail credentials (via file / registry access) 20->122 124 Found many strings related to Crypto-Wallets (likely being stolen) 20->124 126 Tries to harvest and steal browser information (history, passwords, etc) 20->126 128 Tries to harvest and steal WLAN passwords 20->128 41 cmd.exe 20->41         started        44 cmd.exe 20->44         started        46 cmd.exe 20->46         started        48 msedge.exe 20->48         started        130 Loading BitLocker PowerShell Module 25->130 50 conhost.exe 25->50         started        52 WmiPrvSE.exe 25->52         started        54 conhost.exe 27->54         started        56 conhost.exe 29->56         started        104 c-msn-pme.trafficmanager.net 20.125.62.241, 443, 49742, 49786 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 31->104 106 20.42.65.85, 443, 49789, 49790 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 31->106 108 30 other IPs or domains 31->108 58 conhost.exe 35->58         started        file10 signatures11 process12 signatures13 132 Uses netsh to modify the Windows network and firewall settings 41->132 134 Tries to harvest and steal WLAN passwords 41->134 60 conhost.exe 41->60         started        62 chcp.com 41->62         started        64 netsh.exe 41->64         started        66 findstr.exe 41->66         started        76 4 other processes 44->76 68 conhost.exe 46->68         started        70 chcp.com 46->70         started        72 netsh.exe 46->72         started        74 msedge.exe 48->74         started        process14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/97bc060177fce1b452b8474da11b19a05eca49b554eb923e4fac8987bcf88caa
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/97bc060177fce1b452b8474da11b19a05eca49b554eb923e4fac8987bcf88caa/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2025-04-29 01:55:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
27
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s66amalx7tq3iuvyi5g2cgyzubpmusnvktvzepspvseypphyrsva._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
Similar samples:
94b6467cd5aea441330626de9ea2d6be92c349fbd4932766f644e461bacbda24
StealeriumStealer
97bc060177fce1b452b8474da11b19a05eca49b554eb923e4fac8987bcf88caa
StealeriumStealer
c06298e32597bfdf3374174b8f458169df5d561280f5aa11fd25868c67a5de9f
StealeriumStealer
e062f61985db319dc9f4a230770e7cab783cecec8c61994aeef2d75d86942a91
StealeriumStealer
error
StealeriumStealer
Result
Malware family:
stealerium
Create hunting rule
Score:
  10/10
Tags:
family:stealerium collection credential_access discovery execution persistence privilege_escalation spyware stealer
Link:
https://tria.ge/reports/250429-c2jddaswcz/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Kills process with taskkill
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Uses browser remote debugging
Stealerium
Stealerium family
Malware Config
C2 Extraction:
https://api.telegram.org/bot7825817012:AAG1eRI5vA7vM2J_FuEserdWw4ZDRWQ238M/sendMessage?chat_id=
https://discordapp.com/api/webhooks/1366152466495836181/xN3WZA936bMIUbnVm7hcM7qlKDkxihVWiRHvDdgNPRvcfB_GHcFWoFvaj98UY77VqA4u
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f33514db-8914-4193-9f63-0463664677c8
Unpacked files
SH256 hash:
97bc060177fce1b452b8474da11b19a05eca49b554eb923e4fac8987bcf88caa
MD5 hash:
fc61c0e4432f088d54b37dab8b4863d0
SHA1 hash:
233b3350e9434e74242aa8e8a2874dd24fcdae89
Link:
https://www.unpac.me/results/2ba96e38-3c1f-44d3-afcb-b2363672e363/
SH256 hash:
477fbeb7acc0db6cdb5cfa72f081124639df6530e6155c02520dcdea55a79dfc
MD5 hash:
5f5422cbaa6b57dd86d5ec3de1e3928a
SHA1 hash:
96b3683c3cd813d49cd870c517e66523ee965ac5
Detections:
cn_utf8_windows_terminal
Create hunting rule
INDICATOR_EXE_Packed_Fody
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_CC_Regex
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Discord_Regex
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames
Create hunting rule
MALWARE_Win_Multi_Family_InfoStealer
Create hunting rule
MALWARE_Win_Stealerium
Create hunting rule
Link:
https://www.unpac.me/results/2ba96e38-3c1f-44d3-afcb-b2363672e363/
SH256 hash:
3a34077fcafb42f771a6a89273f97cbf07d9b3a41bfcd4af4b5498ab0d8f32cf
MD5 hash:
b8c6252dc49954ff5cd0318a3bcfd99b
SHA1 hash:
c34279bbb3714822823c33592ca71de273c9a05c
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/2ba96e38-3c1f-44d3-afcb-b2363672e363/
SH256 hash:
ef95a02ea91377eb567b7c9a651608e9c2dee8ff798657968a06324ff953c324
MD5 hash:
4db5fd6c530c9f631d1cede7b77314ca
SHA1 hash:
ec0a08c09cbe1fc45f16eb9ebd7fb4a6240b351d
Link:
https://www.unpac.me/results/2ba96e38-3c1f-44d3-afcb-b2363672e363/
SH256 hash:
d355a4d54ec92527fe2a02d72410960f65ac1721633bf6dcccb986f5eb21e0cc
MD5 hash:
5d43f7f916efc792535f0698952cdb07
SHA1 hash:
0c25b0f88fae9b24b1e470a79fb86321f4330595
Link:
https://www.unpac.me/results/2ba96e38-3c1f-44d3-afcb-b2363672e363/
SH256 hash:
d5235265564f0bfd23b7279d7bdccc9ea6383ed07c5d0bfdf6c99029af9a2c0c
MD5 hash:
1d3dd9fcc077e6b4f88c05b9aef53ee6
SHA1 hash:
12b33858bc84f54b8aa8dbcb5a0ec2da043a6f66
Link:
https://www.unpac.me/results/2ba96e38-3c1f-44d3-afcb-b2363672e363/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/97bc060177fce1b452b8474da11b19a05eca49b554eb923e4fac8987bcf88caa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

StealeriumStealer

Executable exe 97bc060177fce1b452b8474da11b19a05eca49b554eb923e4fac8987bcf88caa

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/4814/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments