MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c9687e8c61b784d08f6d80853666faa0884043ce7b99f4fb3676f3bc563c2f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Stealc


Vendor detections: 17



SHA256 hash: 9c9687e8c61b784d08f6d80853666faa0884043ce7b99f4fb3676f3bc563c2f5
SHA3-384 hash: 9ca5cfe9de3d3a2477047070b2ea07003a00b3b5606d27f7698055fdfc2cf436e963ee389ea1313af6483fa6fa7e3b7d
SHA1 hash: 33fdf37b3a3f1394edc5d64c0952064b7f4177ea
MD5 hash: cbf2b84f9b993a77c0e2170cccbacb7c
humanhash: mississippi-thirteen-edward-bakerloo
File name: file
Signature: Stealc
File size: 1'799'168 bytes
First seen: 2024-12-09 21:33:27 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep: 49152:JHwIuVNz7KeE3qh5Mr1OeRw2iKZHZPQs23/kOWNY:NuT+ednCwI1ZH5Qs23x
TLSH: T1D58533F93AEBEE7AF70818F2F9EC03402647EFA63B5DBE042D44036E445692F6105852
TrID: 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
      8.5% (.ICL) Windows Icons Library (generic) (2059/9)
      8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
Reporter: Bitsight
Tags: exe Stealc


Reporter comment (Bitsight):
url: http://185.215.113.16/steam/random.exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 453
Origin country: US

Vendor Threat Intelligence

Malware family:
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2024-12-09 21:36:15 UTC
Tags: stealer stealc loader themida amadey botnet lumma gcleaner

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: vmdetect autorun autoit cobalt

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating synchronization primitives
Searching for analyzing tools
Running batch commands
Creating a process with a hidden window
Launching a process
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: microsoft_visual_cc packed packed packer_detected
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Amadey, Credential Flusher, LummaC Steal
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Drops PE files to the document folder of the user
Excessive usage of taskkill to terminate processes
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph (ID 1571960; sample: file.exe; start date: 09/12/2024; architecture: WINDOWS; score: 100)

Top-level signatures: Found malware configuration; Antivirus detection for URL or domain; Antivirus detection for dropped file; 15 other signatures

Process tree (indentation shows parent/child; "other" entries are collapsed in the graph as rendered):

skotes.exe (root-level instance)
  network: 185.215.113.43 (WHOLESALECONNECTIONSNL, Portugal); 31.41.244.11 (AEROEXPRESS-ASRU, Russian Federation)
  dropped: C:\Users\user\AppData\...\9f6ad733e2.exe (PE32); C:\Users\user\AppData\...\18d00389b3.exe (PE32); C:\Users\user\AppData\...\f377015f96.exe (PE32); 7 other malicious files
  signatures: Creates multiple autostart registry keys; Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check)
  9f6ad733e2.exe
    signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Machine Learning detection for dropped file; 4 other signatures
  f039f524ee.exe
    network: 104.21.48.1 (CLOUDFLARENETUS, United States)
    signatures: Antivirus detection for dropped file; Query firmware table information (likely to detect VMs); Tries to detect sandboxes and other dynamic analysis tools (window names); Tries to steal Crypto Currency Wallets
    chrome.exe
      chrome.exe
        network: 13.107.246.63 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 172.217.21.36 (GOOGLEUS, United States); 3 other IPs or domains
    chrome.exe
      chrome.exe
  f377015f96.exe
    signatures: Tries to evade debugger and weak emulator (self modifying code); 2 other signatures
  2 other processes
    network: 80.82.65.70 (INT-NETWORKSC, Netherlands)
    signatures: Binary is likely a compiled AutoIt script file; Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
    6 other processes
      conhost.exe; conhost.exe; conhost.exe; 2 other processes

file.exe (submitted sample)
  network: 185.215.113.206 (WHOLESALECONNECTIONSNL, Portugal); 185.215.113.16 (WHOLESALECONNECTIONSNL, Portugal); 127.0.0.1
  dropped: C:\Users\user\Documents\BAKFCBFHJD.exe (PE32); C:\Users\user\AppData\...\softokn3[1].dll (PE32); C:\Users\user\AppData\Local\...\random[1].exe (PE32); 11 other files (7 malicious)
  signatures: Detected unpacking (changes PE section rights); Attempt to bypass Chrome Application-Bound Encryption; Drops PE files to the document folder of the user; 5 other signatures
  cmd.exe
    BAKFCBFHJD.exe
      dropped: C:\Users\user\AppData\Local\...\skotes.exe (PE32)
      signatures: Detected unpacking (changes PE section rights); Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Tries to evade debugger and weak emulator (self modifying code); 4 other signatures
      skotes.exe
        signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Machine Learning detection for dropped file; 5 other signatures
    conhost.exe
  chrome.exe
    network: 192.168.2.4; 239.255.255.250 (reserved)
    signatures: Excessive usage of taskkill to terminate processes
    chrome.exe
      network: 142.250.181.110 (GOOGLEUS, United States); 142.250.181.68 (GOOGLEUS, United States); 6 other IPs or domains

f039f524ee.exe (root-level instance)
  signatures: Query firmware table information (likely to detect VMs); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)

7 other processes (root level)
  signatures: Excessive usage of taskkill to terminate processes; Tries to steal Crypto Currency Wallets; Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
  firefox.exe
    network: 35.190.72.216 (GOOGLEUS, United States)
    2 other processes
  firefox.exe
    firefox.exe
      firefox.exe
  9 other processes
    8 other processes
Threat name: Win32.Ransomware.StealC
Status: Malicious
First seen: 2024-12-09 21:34:12 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 18 of 24 (75.00%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:amadey family:gcleaner family:lumma family:stealc botnet:9c9aa5 botnet:stok credential_access discovery evasion loader persistence spyware stealer trojan
Behaviour
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Windows security modification
Checks BIOS information in registry
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Downloads MZ/PE file
Uses browser remote debugging
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
GCleaner
Gcleaner family
Lumma Stealer, LummaC
Lumma family
Modifies Windows Defender Real-time Protection settings
Stealc
Stealc family
Malware Config
C2 Extraction:
http://185.215.113.206
http://185.215.113.43
https://impend-differ.biz/api
https://print-vexer.biz/api
https://dare-curbys.biz/api
https://covery-mover.biz/api
https://formy-spill.biz/api
https://dwell-exclaim.biz/api
https://zinc-sneark.biz/api
https://se-blurry.biz/api
https://drive-connect.cyou/api
https://atten-supporse.biz/api
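The C2 list above is only useful once it is turned into something that can be checked against telemetry. The following is an added example (not MalwareBazaar's or any vendor's code) that takes the URLs from the C2 Extraction list plus the reporter's download URL, splits them into domain and IP indicators, and runs them over a constructed proxy log. The log format (`<timestamp> <src_ip> <method> <url> <status>`) and the function names are assumptions for the example; matching a subdomain of a listed C2 domain as a hit is a design choice of this example, not something the page states.

```python
"""Match proxy log lines against the C2 indicators from this MalwareBazaar entry.
Added example; not MalwareBazaar or vendor code."""
import ipaddress
from urllib.parse import urlsplit

# URLs as listed under "Malware Config / C2 Extraction" for this sample ...
C2_URLS = [
    "http://185.215.113.206",
    "http://185.215.113.43",
    "https://impend-differ.biz/api",
    "https://print-vexer.biz/api",
    "https://dare-curbys.biz/api",
    "https://covery-mover.biz/api",
    "https://formy-spill.biz/api",
    "https://dwell-exclaim.biz/api",
    "https://zinc-sneark.biz/api",
    "https://se-blurry.biz/api",
    "https://drive-connect.cyou/api",
    "https://atten-supporse.biz/api",
]
# ... plus the download URL from the reporter comment.
DOWNLOAD_URLS = ["http://185.215.113.16/steam/random.exe"]


def extract_iocs(urls):
    """Split URLs into a set of lowercase domains and a set of IP address objects."""
    domains, ips = set(), set()
    for url in urls:
        host = urlsplit(url).hostname
        if not host:
            continue
        try:
            ips.add(ipaddress.ip_address(host))
        except ValueError:          # not an IP literal, so treat as a domain
            domains.add(host.lower())
    return domains, ips


def classify_host(host, domains, ips):
    """Return 'c2-ip', 'c2-domain' (exact or subdomain match) or None."""
    host = host.lower().rstrip(".")
    try:
        return "c2-ip" if ipaddress.ip_address(host) in ips else None
    except ValueError:
        pass
    for d in domains:
        if host == d or host.endswith("." + d):
            return "c2-domain"
    return None


def scan_proxy_log(lines, domains, ips):
    """Scan lines of the assumed format '<ts> <src_ip> <method> <url> <status>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue                # malformed line: skip rather than crash
        ts, src, _method, url = fields[:4]
        host = urlsplit(url).hostname
        if host is None:
            continue
        reason = classify_host(host, domains, ips)
        if reason:
            hits.append({"ts": ts, "src": src, "host": host, "reason": reason})
    return hits


# Constructed sample log for the example; not real traffic.
SAMPLE_LOG = [
    "2024-12-09T21:40:01Z 10.0.0.5 GET http://185.215.113.16/steam/random.exe 200",
    "2024-12-09T21:40:03Z 10.0.0.5 POST http://185.215.113.206/ 200",
    "2024-12-09T21:40:09Z 10.0.0.5 POST https://impend-differ.biz/api 200",
    "2024-12-09T21:40:12Z 10.0.0.7 GET https://www.example.com/ 200",
    "2024-12-09T21:40:15Z 10.0.0.7 GET https://cdn.print-vexer.biz/static 200",
    "garbage line",
]

if __name__ == "__main__":
    doms, addrs = extract_iocs(C2_URLS + DOWNLOAD_URLS)
    for hit in scan_proxy_log(SAMPLE_LOG, doms, addrs):
        print(hit)
```

The three 185.215.113.x addresses sit in the same /24 (WHOLESALECONNECTIONSNL per the behaviour graph); whether to widen the IP indicator to the whole range is a local decision and is deliberately not done here, since exact matches are what the page supports.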
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: 82fd003ab343a9a8d59c98fc90d1d5538a97ffd932910de986063242747d55b6
MD5 hash: 5840152b401ca80f40083b73441f4965
SHA1 hash: a89db3390007a5761d82e6176836751d1c32ed78
Detections: win_stealc_w0 win_stealc_a0
SHA256 hash: 9c9687e8c61b784d08f6d80853666faa0884043ce7b99f4fb3676f3bc563c2f5
MD5 hash: cbf2b84f9b993a77c0e2170cccbacb7c
SHA1 hash: 33fdf37b3a3f1394edc5d64c0952064b7f4177ea
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc
Executable exe 9c9687e8c61b784d08f6d80853666faa0884043ce7b99f4fb3676f3bc563c2f5 (this sample)

Dropped by: Amadey
Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
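All three findings come from two places in the PE header: the DllCharacteristics field of the optional header and the security (certificate table) data directory. The following is an added example, not BLint's code and not anything from the sample, that reads those fields with nothing but `struct` and reports the same three finding IDs. The check logic is this example's approximation of what BLint's labels mean; the function names and the header-only test PE built by `build_minimal_pe32` are constructed for the example.

```python
"""Reproduce the three BLint findings above by reading the PE optional header.
Added example; not BLint's code."""
import struct

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # Authenticode certificate table


def parse_pe_hardening(data: bytes) -> dict:
    """Return DllCharacteristics and the security directory (offset, size)."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, _nsec, _ts, _symp, _nsym, _opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                   # PE32: data directories start at +96
        is_64, dirs = False, opt + 96
    elif magic == 0x20B:                 # PE32+: data directories start at +112
        is_64, dirs = True, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    n_dirs = struct.unpack_from("<I", data, dirs - 4)[0]      # NumberOfRvaAndSizes
    sec_off = sec_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # For the security directory the first dword is a file offset, not an RVA.
        sec_off, sec_size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return {"is_64": is_64, "machine": machine, "dll_characteristics": dll_chars,
            "security_dir_offset": sec_off, "security_dir_size": sec_size}


def blint_style_findings(data: bytes) -> list:
    """Emit (id, title, severity) tuples using the same IDs as the BLint table."""
    info = parse_pe_hardening(data)
    flags = info["dll_characteristics"]
    findings = []
    if info["security_dir_size"] == 0:
        findings.append(("CHECK_AUTHENTICODE", "Missing Authenticode", "high"))
    if not flags & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA:
        findings.append(("CHECK_DLL_CHARACTERISTICS",
                         "Missing dll Security Characteristics (HIGH_ENTROPY_VA)", "high"))
    if not flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT:
        findings.append(("CHECK_NX", "Missing Non-Executable Memory Protection", "critical"))
    return findings


def build_minimal_pe32(dll_characteristics: int, cert_size: int = 0) -> bytes:
    """Constructed header-only PE32 for testing (no sections; not loadable)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 96 + 16 * 8               # PE32 fixed part + 16 data directories
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, 92, 16)  # NumberOfRvaAndSizes
    if cert_size:
        cert_off = len(dos) + 4 + len(coff) + opt_size
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, cert_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe32(0)
    for fid, title, sev in blint_style_findings(data):
        print(f"{fid:28} {title:60} {sev}")
```

Two caveats when reading these results: a non-zero security directory only says a signature blob is present, not that it verifies or chains to a trusted root, so CHECK_AUTHENTICODE passing is weaker than "signed by a known publisher"; and HIGH_ENTROPY_VA only has an effect on 64-bit images, so on a 32-bit sample like this one (TrID and the dropped-file list both say Win32/PE32) that finding is expected and carries less weight than the missing NX_COMPAT bit.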
