MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9a34f51bda3056e9f9f721277cf9f6b9c890afc4196b590d016edbb45753b505. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	9a34f51bda3056e9f9f721277cf9f6b9c890afc4196b590d016edbb45753b505
SHA3-384 hash:	c42f10854617b8b3558acc40f5893840e903445c25d3901fc6e4385127206b483f5085762bcd12d4dfeb9aa1d71aa086
SHA1 hash:	7ad51514c97fc4534bb369e58e8f3c7dc8d576df
MD5 hash:	9c80bb86beb564ef1f02f0de1e45c829
humanhash:	beryllium-seven-beryllium-purple
File name:	9c80bb86beb564ef1f02f0de1e45c829.exe
Download:	download sample
Signature	Stealc Alert Create hunting rule
File size:	304'640 bytes
First seen:	2023-08-02 09:08:40 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b960f8af34a227089edf1078d597a8fc (1 x Stealc)
ssdeep	3072:AdFnGZZybL+ZuqC9LdznddC/mpsTtqKKbp4S3u1AjVZ/oYlBNssQZrgc1VmpXh+v:Q0ZmL+ZuqILdz1V/b+S3t8CYec1Vm
Threatray	82 similar samples on MalwareBazaar
TLSH	T13B549D02B691E872E62605718D1AC2F4796EF8748F195AD777483F6F29323E3DA32341
TrID	60.4% (.EXE) InstallShield setup (43053/19/16) 14.7% (.EXE) Win64 Executable (generic) (10523/12/4) 7.0% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.8% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	0000030158213219 (1 x Stealc)
Reporter	abuse_ch
Tags:	exe Stealc

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

257

Origin country :

NL

Vendor Threat Intelligence

ANY.RUN Malicious

Malware family:

n/a

ID:

1

File name:

9c80bb86beb564ef1f02f0de1e45c829.exe

Verdict:

Malicious activity

Analysis date:

2023-08-02 09:17:38 UTC

Tags:

installer stealc stealer

Link:

https://app.any.run/tasks/16fae30b-a744-4c9d-95ee-f9aae6fa2168

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/439815/

ClamAV Detected

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Alert

Create hunting rule

Dr. Web vxCube Clean

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/64ca1d364e7fe43c67057d38/reports/47a895c5-5a5e-4c09-b1e1-5a603848cd0f/overview

Hybrid Analysis Win/malicious_confidence_100%

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/9a34f51bda3056e9f9f721277cf9f6b9c890afc4196b590d016edbb45753b505

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Oski Stealer

Malware family:

Oski Stealer

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c5a64288-cea6-4832-add1-44fe74451be8

Joe Sandbox Stealc, Vidar

Result

Threat name:

Stealc, Vidar

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1284289

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found evasive API chain (may stop execution after checking locale)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Self deletion via cmd or bat file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Yara detected Stealc

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9a34f51bda3056e9f9f721277cf9f6b9c890afc4196b590d016edbb45753b505/

ReversingLabs TitaniumCloud Win32.Trojan.Privateloader

Threat name:

Win32.Trojan.Privateloader

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-08-01 22:59:33 UTC

File Type:

PE (Exe)

Extracted files:

31

AV detection:

29 of 38 (76.32%)

Threat level:

  5/5

Spamhaus Hash Blocklist Malicious file

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ti2pkg62gblot6pxeetxz6pwxhejbl6edfvvsdibn3n3iv2twucq._file

Threatray malicious

Verdict:

malicious

Similar samples:

0d46b13d71ca5d6f0d261313969c6e35cb061407339fd3751ea496bdfa06f0f7

Stealc

32fa14add9901eb3a5e94d1fff522323338a0bf665afb0cd019386f1c678b818

Stealc

3357368c0de34a4cef5c6d90e92b5876586f302f7b9255c00d7009e64c51dc87

Stealc

3e073144bb200d405c0b92618d6264dadaae9f7f3b43232a5f36db8fc1ea2641

Stealc

69c49e5fef45e896b891141473eda45f8b83e29cf51fe0115c0b9806183528e7

Stealc

912a69862b4f70093e5fb456a70b75c7c1ff187ef42cbbcabb68c6c7936eed78

Stealc

abe871f5e7219a1448d1308f89acc883b4435574c916253a09c215809e706e1f

Stealc

cead24187e759a0ddf49d1a67476fe0284b586c1aa5066c189879a143e7966be

Stealc

dad7e37e790b7fe49cb37bbd4947d5feac52fcf2240490b36f52ef97dc84bc4c

Stealc

fd1af7b25adc2346a8752e41c68aa8e94b5fc2d51b257e12ed81f5a7e7b97c16

Stealc

+ 72 additional samples on MalwareBazaar

Hatching Triage stealc

Result

Malware family:

stealc

Alert

Create hunting rule

Score:

  10/10

Tags:

family:stealc spyware stealer

Link:

https://tria.ge/reports/230802-k4gassdh26/

Behaviour

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Stealc

Malware Config

C2 Extraction:

http://adriaenclaeys.top/e9c345fc99a4e67e.php

UnpacMe 2

Unpacked files

SH256 hash:

a67ebefdcae4ba5d76bce770a4920256e84195bef3a4702d967be7e5b8181c12

MD5 hash:

7055fcde2b7f39ef7f8007b3bfc1a0bf

SHA1 hash:

676adecade4e2b6c3275ca39ac65059c1863509f

Link:

https://www.unpac.me/results/652ea3b0-ef72-4fa1-8e6b-fb3f7932c5f2/

SH256 hash:

9a34f51bda3056e9f9f721277cf9f6b9c890afc4196b590d016edbb45753b505

MD5 hash:

9c80bb86beb564ef1f02f0de1e45c829

SHA1 hash:

7ad51514c97fc4534bb369e58e8f3c7dc8d576df

Link:

https://www.unpac.me/results/652ea3b0-ef72-4fa1-8e6b-fb3f7932c5f2/

VMRay Stealc

Malware family:

Stealc

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9a34f51bda30/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9a34f51bda3056e9f9f721277cf9f6b9c890afc4196b590d016edbb45753b505

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

exe 9a34f51bda3056e9f9f721277cf9f6b9c890afc4196b590d016edbb45753b505

(this sample)

  

URLhaus

https://urlhaus.abuse.ch/url/2690247/

  

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/439815/