MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a76320bf90703f6591b6ec9a66522652c04ea3d87ed57f906cf0f8db209cb4c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 14


Intelligence 14 IOCs 2 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a76320bf90703f6591b6ec9a66522652c04ea3d87ed57f906cf0f8db209cb4c3
SHA3-384 hash: a51c32fee3163f26fa7d2fe987048416846dd4ac2d93c48d6e9d62cff94c18c503aaa3468095a193e924d573984c1d52
SHA1 hash: 1bc59ca5e75f717dcd23b73634910b35314bcdee
MD5 hash: 2942cb9fca04e939af4ed1eef717e123
humanhash: triple-bakerloo-pluto-lactose
File name:2942cb9fca04e939af4ed1eef717e123.exe
Download: download sample
Signature Stealc
Create hunting rule
File size:223'744 bytes
First seen:2024-10-08 16:21:12 UTC
Last seen:2024-10-08 17:32:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7529a394fc2aae97d1d4dcd49f0468b5 (1 x Smoke Loader, 1 x Stealc)
ssdeep 3072:niLgkcGSeF56oQ1dHVAFF4Gu5JxVSlh+VkbOp:niL3cGSfoQ1nAFFGVkCp
Threatray 2'615 similar samples on MalwareBazaar
TLSH T1D7245A017AF19026EFBB4B75197096942E3BBCF26A7081DE3144361F99733D399A1363
TrID 34.5% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
25.8% (.EXE) InstallShield setup (43053/19/16)
18.7% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
6.3% (.EXE) Win64 Executable (generic) (10523/12/4)
3.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Magika pebin
File icon (PE):PE icon
dhash icon 30f8b48a8ca2d020 (1 x Stealc)
Reporter abuse_ch
Tags:exe Stealc


Avatar
abuse_ch
Stealc C2:
http://62.122.184.144/f88d87a7e087e100.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://62.122.184.144/f88d87a7e087e100.php https://threatfox.abuse.ch/ioc/1334556/
http://45.66.10.126/bfecb730b712bc29.php https://threatfox.abuse.ch/ioc/1334764/

Intelligence

File Origin
# of uploads :
2
# of downloads :
397
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2942cb9fca04e939af4ed1eef717e123.exe
Verdict:
Malicious activity
Analysis date:
2024-10-08 16:23:56 UTC
Tags:
loader smokeloader
Link:
https://app.any.run/tasks/4788e57c-76b8-4a9c-9925-d3dde4165f87

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.MulDrop28.26248.16600.1300.UNOFFICIAL
Create hunting rule

Gathering data
Verdict:
Malicious
Labled as:
Midie.Generic
Link:
https://www.hybrid-analysis.com/sample/a76320bf90703f6591b6ec9a66522652c04ea3d87ed57f906cf0f8db209cb4c3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/69e49c0f-6c5c-422f-bda5-770ff0e98199
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1529186
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1529186 Sample: O4zPA1oI9Y.exe Startdate: 08/10/2024 Architecture: WINDOWS Score: 100 53 nwgrus.ru 2->53 55 ninjahallnews.com 2->55 57 2 other IPs or domains 2->57 71 Suricata IDS alerts for network traffic 2->71 73 Found malware configuration 2->73 75 Malicious sample detected (through community Yara rule) 2->75 77 6 other signatures 2->77 10 O4zPA1oI9Y.exe 2->10         started        13 jvgasii 2->13         started        15 uegasii 2->15         started        17 msiexec.exe 2->17         started        signatures3 process4 signatures5 119 Detected unpacking (changes PE section rights) 10->119 121 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 10->121 123 Maps a DLL or memory area into another process 10->123 125 Switches to a custom stack to bypass stack traces 10->125 19 explorer.exe 69 9 10->19 injected 127 Antivirus detection for dropped file 13->127 129 Multi AV Scanner detection for dropped file 13->129 131 Machine Learning detection for dropped file 13->131 133 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 15->133 135 Checks if the current machine is a virtual machine (disk enumeration) 15->135 137 Creates a thread in another existing process (thread injection) 15->137 process6 dnsIp7 59 23.145.40.164, 443, 61410 SURFAIRWIRELESS-IN-01US Reserved 19->59 61 ninjahallnews.com 23.145.40.168, 443, 61433, 61434 SURFAIRWIRELESS-IN-01US Reserved 19->61 63 2 other IPs or domains 19->63 45 C:\Users\user\AppData\Roaming\uegasii, PE32 19->45 dropped 47 C:\Users\user\AppData\Roaming\jvgasii, PE32 19->47 dropped 49 C:\Users\user\AppData\Local\Temp\DE97.exe, PE32 19->49 dropped 51 2 other malicious files 19->51 dropped 85 System process connects to network (likely due to code injection or exploit) 19->85 87 Benign windows process drops PE files 19->87 89 Injects code into the Windows Explorer (explorer.exe) 19->89 91 3 other signatures 19->91 24 8CAE.exe 2 19->24         started        27 DE97.exe 19->27         started        29 explorer.exe 20 19->29         started        31 5 other processes 19->31 file8 signatures9 process10 signatures11 93 Multi AV Scanner detection for dropped file 24->93 95 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 24->95 97 Machine Learning detection for dropped file 24->97 115 2 other signatures 24->115 33 cmd.exe 24->33         started        99 Detected unpacking (changes PE section rights) 27->99 101 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 27->101 103 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 27->103 117 4 other signatures 27->117 105 System process connects to network (likely due to code injection or exploit) 29->105 107 Found evasive API chain (may stop execution after checking mutex) 29->107 109 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 29->109 111 Tries to steal Mail credentials (via file / registry access) 29->111 113 Tries to harvest and steal browser information (history, passwords, etc) 31->113 process12 signatures13 65 Uses netsh to modify the Windows network and firewall settings 33->65 67 Uses ipconfig to lookup or modify the Windows network settings 33->67 69 Modifies the windows firewall 33->69 36 WMIC.exe 33->36         started        39 systeminfo.exe 33->39         started        41 conhost.exe 33->41         started        43 17 other processes 33->43 process14 signatures15 79 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 36->79 81 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 36->81 83 Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes) 36->83
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a76320bf90703f6591b6ec9a66522652c04ea3d87ed57f906cf0f8db209cb4c3
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a76320bf90703f6591b6ec9a66522652c04ea3d87ed57f906cf0f8db209cb4c3/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2024-10-06 04:06:34 UTC
File Type:
PE (Exe)
Extracted files:
51
AV detection:
30 of 38 (78.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u5rsbp4qoa7wlenw5sngmurgklae5i6yp3kx7edm6d4nwie4wtbq._file
Verdict:
malicious
Label(s):
shellcode_loader_002
Create hunting rule
smokeloader
Create hunting rule
Similar samples:
03d00112c73404cd29f4eb191574376b580a1c1cf38560d07e988ccea2006e3e
Stealc
0c50705ed7cfc68f11aecd4cee0b808934d4957672ac0ea0615e9a1c31870a52
Stealc
19f14dc636a6db7036cd7e486cd6f78085f1cefeaea6fae280b6f5a1f3f37c85
Stealc
338e2378b54f3a94828bc23452f0b6e7bd7f69bc2fb13c618e727feafe61d1ee
Stealc
5a9e6a5684dcc534e429359d81d83d3221665a87eafd584649de664d78ea434d
Stealc
7f806d99614eef56bddc324cd0c71cff674d7c1694bfbe03d9ea72f2f3d9d08d
Stealc
88efb8b6990e916e7590c2bd3f734f390f7c3d7b517a5fdc1baba0a2f6fbd54c
Stealc
8a04951a8c70c63987bd25e462a98e589e36a2c8f5ce2816f9e5a0906687f031
Stealc
a2b8d4f469a7b8c8900df12569de67f5c8cb68e68177d482ff7ccfe9d580101b
Stealc
error
Stealc
+ 2'605 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader botnet:pub4 backdoor discovery trojan
Link:
https://tria.ge/reports/241008-tt757svdkm/
Behaviour
Checks SCSI registry key(s)
Program crash
System Location Discovery: System Language Discovery
SmokeLoader
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f887d8d8-bfc7-4697-aed9-6e5da629a6f8
Unpacked files
SH256 hash:
c711207b26819dbe7555a81f11bf5b39c2a310303d28d5232436c286c637d66e
MD5 hash:
26a7b7c2db7331200f095d62ebb17a2c
SHA1 hash:
14b2819d3d682761fc993eb7b148104a32f9e455
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/5c14c081-7e7f-48ca-88b3-b65116757550/
Parent samples :
a76320bf90703f6591b6ec9a66522652c04ea3d87ed57f906cf0f8db209cb4c3
9141576518bee49ee565f2a71eab03c5b3097c97d025063c90da05656b3f46d9
f018d1a30bc424bfc07ffdf8561dbab03c631550dc152ded17ba2c5def8b23f6
6e41bbf45206030f9a1277d06f28e467d8877ad2b0ea24d1b6179b4d4438346f
338ccdb8d1e330e26c491a0a4c9ca8e7a44d3208b56214dd07c3ae2dda0214c2
50f86ebddd156619b173883981364d8955365d76d2c3ae9391ec911e65551be9
e5abb3371787fbc9567867a1304cc18624134417480ee5d8d1e4f1d4368cb114
SH256 hash:
a76320bf90703f6591b6ec9a66522652c04ea3d87ed57f906cf0f8db209cb4c3
MD5 hash:
2942cb9fca04e939af4ed1eef717e123
SHA1 hash:
1bc59ca5e75f717dcd23b73634910b35314bcdee
Link:
https://www.unpac.me/results/5c14c081-7e7f-48ca-88b3-b65116757550/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a76320bf90703f6591b6ec9a66522652c04ea3d87ed57f906cf0f8db209cb4c3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::ObjectPrivilegeAuditAlarmW
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleOutputA
KERNEL32.dll::WriteConsoleOutputAttribute
KERNEL32.dll::ReadConsoleA
KERNEL32.dll::SetConsoleMode
KERNEL32.dll::GetConsoleAliasesLengthW
KERNEL32.dll::GetConsoleAliasExesLengthW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileExW
KERNEL32.dll::CopyFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameA
KERNEL32.dll::QueryDosDeviceW

Comments