MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a04eed72375bdd8a6ce118e30e79cf6dc4618e4c748873c0da29cf0e9f9f031c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a04eed72375bdd8a6ce118e30e79cf6dc4618e4c748873c0da29cf0e9f9f031c
SHA3-384 hash: ca5bb469eeff79397f87ae80c5f3439912bb9bf7ecd453c662cc06377c6faa2caf641b3bd9e4f91df32a3a2b0c7c4114
SHA1 hash: 4e416fa39b139eaf9cdc29e2d7346541561aa11b
MD5 hash: 6ab4c3608fa8ddc687eab56f7eb527a8
humanhash: florida-oklahoma-cola-crazy
File name:file
Download: download sample
Signature Stealc
Create hunting rule
File size:695'296 bytes
First seen:2024-07-19 23:21:36 UTC
Last seen:2024-07-20 02:28:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f4d7bc3fdef18bca35b7253afc196af9 (11 x Stealc)
ssdeep 12288:+3XWClo7YNQSTLLxez8dFlZqBjEG6umSyY6+FD7cb48A2cDwZpC:+WCmwQLz+8ziY9Fsb48A2b
TLSH T163E4236E816A65B9D1787BF4614040A761A93DCD324C5F2F25CF0AD18E3480FFBABC99
TrID 40.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
16.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
12.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.0% (.EXE) Win32 Executable (generic) (4504/4/1)
5.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter Bitsight
Tags:exe Stealc


Avatar
Bitsight
url: http://77.91.77.81/stealc/random.exe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://85.28.47.31/5499d72b3a3e55be.php https://threatfox.abuse.ch/ioc/1302452/

Intelligence

File Origin
# of uploads :
17
# of downloads :
428
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a04eed72375bdd8a6ce118e30e79cf6dc4618e4c748873c0da29cf0e9f9f031c.exe
Verdict:
Malicious activity
Analysis date:
2024-07-20 11:03:29 UTC
Tags:
stealer stealc loader enigma antivm
Link:
https://app.any.run/tasks/91768eb3-7846-48a6-99f2-962d5e1f9a2e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Packer.EnigmaProtector-12
Create hunting rule

PUA.Win.Packer.EnigmaProtector-5
Create hunting rule

PUA.Win.Packer.EnigmaProtector-9852682-0
Create hunting rule

Win.Trojan.Scar-6903583-0
Create hunting rule

Win.Trojan.Scar-6903585-0
Create hunting rule

Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=669af51bb302ab76f4480181
Tags:
Execution Generic Infostealer Network Stealth Trojan
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a file in the %temp% directory
Connecting to a non-recommended domain
Connection attempt
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm enigma lolbin microsoft_visual_cc obfuscated packed packed shell32
Link:
https://www.filescan.io/uploads/669af51ba537d9330be03acf/reports/3cac75fc-0b09-480f-91f7-5b4eab6dcaaa/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/a04eed72375bdd8a6ce118e30e79cf6dc4618e4c748873c0da29cf0e9f9f031c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f682844c-63d9-4eb8-bf76-1aaca0815d86
Result
Threat name:
Amadey, Babadeda, Stealc, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1477102
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
PE file contains section with special chars
PE file has nameless sections
Sample uses string decryption to hide its real strings
Self deletion via cmd or bat file
Sigma detected: New RUN Key Pointing to Suspicious Folder
Snort IDS alert for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Amadeys stealer DLL
Yara detected Babadeda
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1477102 Sample: file.exe Startdate: 20/07/2024 Architecture: WINDOWS Score: 100 129 youtube-ui.l.google.com 2->129 131 www.youtube.com 2->131 133 30 other IPs or domains 2->133 161 Snort IDS alert for network traffic 2->161 163 Found malware configuration 2->163 165 Antivirus detection for URL or domain 2->165 167 14 other signatures 2->167 11 file.exe 1 39 2->11         started        16 explorti.exe 2->16         started        18 msedge.exe 2->18         started        20 6 other processes 2->20 signatures3 process4 dnsIp5 143 85.28.47.31, 49730, 60668, 61040 GES-ASRU Russian Federation 11->143 145 77.91.77.81, 49731, 60665, 60669 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 11->145 99 C:\Users\user\DocumentsBGDBAKFCFH.exe, PE32 11->99 dropped 101 C:\Users\user\AppData\...\softokn3[1].dll, PE32 11->101 dropped 103 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 11->103 dropped 113 13 other files (9 malicious) 11->113 dropped 187 Detected unpacking (changes PE section rights) 11->187 189 Drops PE files to the document folder of the user 11->189 191 Tries to steal Mail credentials (via file / registry access) 11->191 205 8 other signatures 11->205 22 cmd.exe 1 11->22         started        24 cmd.exe 1 11->24         started        26 cmd.exe 1 11->26         started        147 77.91.77.82, 60664, 60667, 61024 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 16->147 105 C:\Users\user\AppData\...\725b138a53.exe, PE32 16->105 dropped 107 C:\Users\user\AppData\...\a58f6e6339.exe, PE32 16->107 dropped 109 C:\Users\user\AppData\Local\...\random[1].exe, PE32 16->109 dropped 111 C:\Users\user\AppData\Local\...\random[1].exe, PE32 16->111 dropped 193 Creates multiple autostart registry keys 16->193 195 Hides threads from debuggers 16->195 197 Tries to detect sandboxes / dynamic malware analysis system (registry check) 16->197 199 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 16->199 28 725b138a53.exe 16->28         started        31 a58f6e6339.exe 16->31         started        115 4 other malicious files 18->115 dropped 201 Maps a DLL or memory area into another process 18->201 33 msedge.exe 18->33         started        39 4 other processes 18->39 203 Binary is likely a compiled AutoIt script file 20->203 36 firefox.exe 20->36         started        41 3 other processes 20->41 file6 signatures7 process8 dnsIp9 43 userFHJDBKJKFI.exe 4 22->43         started        47 conhost.exe 22->47         started        49 DocumentsBGDBAKFCFH.exe 8 24->49         started        51 conhost.exe 24->51         started        60 2 other processes 26->60 169 Multi AV Scanner detection for dropped file 28->169 171 Binary is likely a compiled AutoIt script file 28->171 53 firefox.exe 28->53         started        173 Detected unpacking (changes PE section rights) 31->173 117 13.107.246.40, 443, 60608, 60609 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 33->117 119 20.75.60.91, 443, 60599 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 33->119 125 15 other IPs or domains 33->125 121 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82, 60611, 60612, 60655 GOOGLEUS United States 36->121 123 prod.classify-client.prod.webservices.mozgcp.net 35.190.72.216, 443, 60585, 60653 GOOGLEUS United States 36->123 127 5 other IPs or domains 36->127 93 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 36->93 dropped 95 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 36->95 dropped 55 pingsender.exe 36->55         started        62 4 other processes 36->62 58 firefox.exe 41->58         started        file10 signatures11 process12 dnsIp13 97 C:\Users\user\AppData\Local\...\explorti.exe, PE32 43->97 dropped 175 Antivirus detection for dropped file 43->175 177 Detected unpacking (changes PE section rights) 43->177 179 Machine Learning detection for dropped file 43->179 185 5 other signatures 43->185 64 explorti.exe 43->64         started        181 Detected unpacking (overwrites its own PE header) 49->181 67 cmd.exe 1 49->67         started        141 telemetry-incoming.r53-2.services.mozilla.com 34.120.208.123, 443, 61042, 61043 GOOGLEUS United States 55->141 183 Tries to harvest and steal browser information (history, passwords, etc) 55->183 69 conhost.exe 55->69         started        71 conhost.exe 62->71         started        73 conhost.exe 62->73         started        file14 signatures15 process16 signatures17 153 Detected unpacking (changes PE section rights) 64->153 155 Tries to detect sandboxes and other dynamic analysis tools (window names) 64->155 157 Tries to evade debugger and weak emulator (self modifying code) 64->157 159 3 other signatures 64->159 75 chrome.exe 1 67->75         started        78 msedge.exe 16 67->78         started        80 conhost.exe 67->80         started        82 firefox.exe 1 67->82         started        process18 dnsIp19 149 192.168.2.4, 443, 49672, 49723 unknown unknown 75->149 151 239.255.255.250 unknown Reserved 75->151 84 chrome.exe 75->84         started        87 chrome.exe 75->87         started        89 chrome.exe 75->89         started        91 msedge.exe 78->91         started        process20 dnsIp21 135 www3.l.google.com 142.250.185.78, 443, 60627 GOOGLEUS United States 84->135 137 www.google.com 216.58.206.36, 443, 60639 GOOGLEUS United States 84->137 139 4 other IPs or domains 84->139
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a04eed72375bdd8a6ce118e30e79cf6dc4618e4c748873c0da29cf0e9f9f031c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a04eed72375bdd8a6ce118e30e79cf6dc4618e4c748873c0da29cf0e9f9f031c/
Threat name:
Win32.Trojan.Stealerc
Create hunting rule
Status:
Malicious
First seen:
2024-07-19 23:22:04 UTC
File Type:
PE (Exe)
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ubho24rxlpoyu3hbddrq46opnxcgddsmosehhqg2fhhq5h47amoa._file
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:stealc botnet:default stealer
Link:
https://tria.ge/reports/240719-3cjkysvhjq/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Stealc
Malware Config
C2 Extraction:
http://85.28.47.31
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/772ed5a4-6d69-428b-be2e-29b91f4f9f84
Unpacked files
SH256 hash:
a04eed72375bdd8a6ce118e30e79cf6dc4618e4c748873c0da29cf0e9f9f031c
MD5 hash:
6ab4c3608fa8ddc687eab56f7eb527a8
SHA1 hash:
4e416fa39b139eaf9cdc29e2d7346541561aa11b
Detections:
SUSP_XORed_URL_In_EXE
Create hunting rule
Link:
https://www.unpac.me/results/1ed4d77c-675b-4459-8feb-728020300d0f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a04eed72375bdd8a6ce118e30e79cf6dc4618e4c748873c0da29cf0e9f9f031c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:EnigmaProtector1XSukhovVladimirSergeNMarkin
Create hunting rule
Author:malware-lu
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:SUSP_XORed_URL_In_EXE
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe a04eed72375bdd8a6ce118e30e79cf6dc4618e4c748873c0da29cf0e9f9f031c

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2909131/
  
URLhaus
https://urlhaus.abuse.ch/url/3050871/
  
URLhaus
https://urlhaus.abuse.ch/url/2909129/
  
URLhaus
https://urlhaus.abuse.ch/url/2908698/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteA
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryA
WIN_BASE_IO_APICan Create Filesversion.dll::GetFileVersionInfoA

Comments