MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a567c1f01f6bed6d88712149472f5262d2ddc14aa4d6c1b0544e81dd0929931f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a567c1f01f6bed6d88712149472f5262d2ddc14aa4d6c1b0544e81dd0929931f
SHA3-384 hash: 159663128005ec655ff57527cce6c05b1e9f8bbec6ca4555ed4a1cecf1f1ebb4cd74ef3dd6e0482e039481cf13537cc0
SHA1 hash: 241c128cd12cb0a0c990aba1131f9aa987dc3c5b
MD5 hash: 35792a02ab4306f0d49ac32fd340e507
humanhash: april-sixteen-may-vegan
File name:file
Download: download sample
Signature Stealc
Create hunting rule
File size:1'409'282 bytes
First seen:2023-10-15 08:16:10 UTC
Last seen:2023-10-15 08:53:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ff9e770cb7f9e9a6bc475ae0ca7ad026 (1 x Stealc)
ssdeep 24576:txpa5NZDUgskBA0BevJwj5jJjPeLcMD7jJ414jfijcje3j0jFfJj6jnsg7jXjZE3:txMJICze+j5jJj2LBD7jJrjfijcjcj05
Threatray 631 similar samples on MalwareBazaar
TLSH T14765E032F6D01437D5A3137AEC0743AAA939FD102B1855866EFE0A0C5F39695B7372A3
TrID 46.3% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
31.4% (.EXE) Win32 Executable Borland Delphi 5 (451463/56/28)
18.2% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
0.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
0.9% (.SCR) Windows screen saver (13097/50/3)
File icon (PE):PE icon
dhash icon 0005010501010303 (1 x Stealc)
Reporter andretavare5
Tags:exe Stealc


Avatar
andretavare5
Sample downloaded from https://cdn.discordapp.com/attachments/1080608481079459943/1162855665484713984/UrLccYj.exe?ex=653d74bb&is=652affbb&hm=c9630ee225427ae20a0120e62840f5490b11f847ef6142193bf89f16627d4c49&

Intelligence

File Origin
# of uploads :
2
# of downloads :
354
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-10-15 08:19:30 UTC
Tags:
autoit stealc stealer loader
Link:
https://app.any.run/tasks/f9818552-c7dc-4771-a59a-2cd9b6f90fc6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/454512/
Detection(s):
SecuriteInfo.com.Heuristic.HEUR.AGEN.1333632.17882.5959.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for the window
Delayed reading of the file
Creating a file in the %temp% subdirectories
Launching cmd.exe command interpreter
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Running batch commands
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
Creating a file
DNS request
Possible injection to a system process
Enabling autorun by creating a file
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control keylogger lolbin overlay packed
Link:
https://www.filescan.io/uploads/652ba0135da218a42f4fdd47/reports/96dd3f9a-8ccd-44de-ae82-186d8f9090bf/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/a567c1f01f6bed6d88712149472f5262d2ddc14aa4d6c1b0544e81dd0929931f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/89138424-f19c-4c7b-bcce-ce633ce09386
Result
Threat name:
Stealc, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1325881
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contains functionality to modify clipboard data
Drops PE files with a suspicious file extension
Found API chain indicative of sandbox detection
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1325881 Sample: file.exe Startdate: 15/10/2023 Architecture: WINDOWS Score: 100 63 RHWzvVIrqnNvpL.RHWzvVIrqnNvpL 2->63 77 Snort IDS alert for network traffic 2->77 79 Found malware configuration 2->79 81 Antivirus / Scanner detection for submitted sample 2->81 83 6 other signatures 2->83 11 file.exe 15 2->11         started        14 wscript.exe 1 1 2->14         started        signatures3 process4 file5 51 C:\Users\user\AppData\Local\...\Acknowledged, PE32 11->51 dropped 17 cmd.exe 1 11->17         started        95 Windows Scripting host queries suspicious COM object (likely to drop second stage) 14->95 20 fyHDzDnFmB.pif 12 14->20         started        signatures6 process7 signatures8 67 Uses ping.exe to sleep 17->67 69 Drops PE files with a suspicious file extension 17->69 71 Uses ping.exe to check the status of other devices and networks 17->71 22 cmd.exe 1 17->22         started        25 conhost.exe 17->25         started        73 Found API chain indicative of sandbox detection 20->73 75 Contains functionality to modify clipboard data 20->75 process9 signatures10 85 Uses ping.exe to sleep 22->85 27 Target.pif 36 22->27         started        32 cmd.exe 2 22->32         started        34 tasklist.exe 1 22->34         started        36 3 other processes 22->36 process11 dnsIp12 65 217.196.96.16, 49747, 49748, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 27->65 53 C:\Users\user\AppData\...\fyHDzDnFmB.pif, PE32 27->53 dropped 55 C:\ProgramData\nss3.dll, PE32 27->55 dropped 57 C:\Users\user\AppData\...\vcruntime140[1].dll, PE32 27->57 dropped 61 10 other files (none is malicious) 27->61 dropped 87 Found many strings related to Crypto-Wallets (likely being stolen) 27->87 89 Found API chain indicative of sandbox detection 27->89 91 Drops PE files with a suspicious file extension 27->91 93 3 other signatures 27->93 38 cmd.exe 2 27->38         started        41 cmd.exe 1 27->41         started        59 C:\Users\user\AppData\Local\...\Target.pif, PE32 32->59 dropped file13 signatures14 process15 file16 49 C:\Users\user\AppData\...\fyHDzDnFmB.url, MS 38->49 dropped 43 conhost.exe 38->43         started        45 conhost.exe 41->45         started        47 timeout.exe 1 41->47         started        process17
Score:
76%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a567c1f01f6bed6d88712149472f5262d2ddc14aa4d6c1b0544e81dd0929931f
Detection:
stealc
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a567c1f01f6bed6d88712149472f5262d2ddc14aa4d6c1b0544e81dd0929931f/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-10-15 09:04:16 UTC
AV detection:
15 of 22 (68.18%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uvt4d4a7npww3cdrefeuol2smljn3qkkutlmdmcuj2a52cjjsmpq._file
Verdict:
malicious
Similar samples:
05eb5d5bcd4c6af5626eb67b20323c8cc179ccf26a00670b352494b50e19f1a7
Stealc
2bcd2cd9b7ba2e16ee457931ea8cb0b188655aacd4d7516fc5589009b7199a01
Stealc
55c32a9bd16c2d9113c92d2b57f2204aee9f1685c0496cea083309bb70d86c6f
Stealc
6ed9a8b54bcf003ce7c30232c4aec5b6e14dd4722238dd153e8d01a1494eca8f
Stealc
717957544dcfbf0a92f33a1ab039d4197fd7c4b21615ec2fa9a730ef74e24c85
Stealc
9c9b326ea0ae9aec4786fbb1ecd3522d31ea652a7658137c5a9c5d07df7b0c87
Stealc
a52d0bc31a250c5dd5c84c75fca9b965955297d20f582d79849c17fb59c4c04f
Stealc
c3b54b1b12f48682ca31c77c5783db4c235268c52fcf11f2f7a3ee0364c9f8df
Stealc
eaf34ebdae29847449ff304a13b306c74cb5738c345b03f1bba939c74f65f382
Stealc
+ 621 additional samples on MalwareBazaar
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:stealc discovery spyware stealer
Link:
https://tria.ge/reports/231015-j6wmtsfc78/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates processes with tasklist
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Stealc
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
http://217.196.96.16
Unpacked files
SH256 hash:
49f726559690aee6d88cfb1e775bbcbb53686d5655cb127f334e2bd51e596a54
MD5 hash:
d040e6b89d3e9b6c792c9b4a89549801
SHA1 hash:
995a51ac061716ef7dc327653a90c14c40fb3fc8
Link:
https://www.unpac.me/results/83ba5620-3c89-400d-a9f6-c92c0e8ec385/
Parent samples :
e7f0e5b269709e0c1038f76d1073bf614308dfc5cac8beb1c2c39d6704eb804d
cdf64a111349a82f90434e360e6312f107a45a6dafa24f8fcddb497e1584ee79
9e56bc168efc43001c19a1720891c88fa4cefb2057b0b38b8c0effaab170e190
cf0c7d8987626b0d2f0115ca56a525762382a4e453365ea740caf733fd8a908e
da928ea0a7b11461c0e4e77880b48723a1138e68c7948a153c17f5e9da624209
e8e307f94d9319f62b20920b93bec8ad8fad2341a3fa1d072a0cd8257295d881
3726fd2adc46647baeedba9144d1fa6e0634c08f55f183fcf4c5e67c763b446a
f6503af4165e558f39c767f7df0c1b28adcd8149d64b5ac810687e1ba53daffb
828cda2143a5d51706f89716c96c8714cdadac696df62a806e566ecead0ed4ce
9120ce3b64b1eea0eccc343744f4e8ff3bdc88b8a79743e07a975c6c313789ee
3830e8249b95e86065288cb7a00ee9139d9e2fd918ff9c7e427e8684c1481579
17eb1a2f794ad5e02a0d96fcbd42fcfe328eb4a10bdda74d8e5cb1dfc46e4fa6
cbb21348582932ab0b31c23529c0cf675ba8b40f85f373d9a33b2853aedd1c16
9410861cbe8204310017cdec72056d49f8effbe26961cc6cb73fee37c731e0a0
267ea6b4497e79e884e06a78dbadb0ac85e7da70987a6230d299b1a3aae2edd1
c97aa2240452b4c1db4ccfbfc783c95d6b47309d5bd389675864d0fc3541b93a
fdb1515e4b51131fe289ea794f76acacb9939416b0905ed9e9e44f0ca60fc805
9bccd2dc8f14b92f591fab90b458da775598de51f9c56dca13ed0561e33eea24
SH256 hash:
a567c1f01f6bed6d88712149472f5262d2ddc14aa4d6c1b0544e81dd0929931f
MD5 hash:
35792a02ab4306f0d49ac32fd340e507
SHA1 hash:
241c128cd12cb0a0c990aba1131f9aa987dc3c5b
Link:
https://www.unpac.me/results/83ba5620-3c89-400d-a9f6-c92c0e8ec385/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.19
Link:
https://yomi.yoroi.company/submissions/a567c1f01f6bed6d88712149472f5262d2ddc14aa4d6c1b0544e81dd0929931f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/454512/
  
URLhaus
https://urlhaus.abuse.ch/url/2720757/

Comments