MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a777a2eec9933c95e419cce77b09cffb73f0c4afcffde00942b9665098aa7fb4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


StealeriumStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a777a2eec9933c95e419cce77b09cffb73f0c4afcffde00942b9665098aa7fb4
SHA3-384 hash: 44fcec3c6247371876ce26df67b59a6e44e5e377846dbc1fdb7231205fa2081487213530d64ab7b3ad010c7b2bda87b4
SHA1 hash: b3d36e18d2a94eb5060bb725a1d9a4e70629777d
MD5 hash: 081a892310290038e4ba646c488bad8e
humanhash: kansas-mockingbird-diet-don
File name:OVALWantlist0325.exe
Download: download sample
Signature StealeriumStealer
Create hunting rule
File size:184'832 bytes
First seen:2025-04-04 06:45:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 3072:4ZkluvUjaqwHyXzid7sIMcTzMkg8j/xGc5ptYhlcNZ+XayDwVsSrgIN4ftnr:80u3SXzIvng8N3tMM+qw
TLSH T1CD04291563F8CB17F1BA67B8E4B05160CBF4BAA6A22EEB8E5D0054EE0C17750D81177B
TrID 56.5% (.EXE) Win64 Executable (generic) (10522/11/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter threatcat_ch
Tags:exe StealeriumStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
445
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
OVALWantlist0325.exe
Verdict:
Malicious activity
Analysis date:
2025-04-04 06:55:16 UTC
Tags:
stealer evasion stealerium
Link:
https://app.any.run/tasks/1457a0ac-ec0b-4045-a8ac-90942dacd3ec

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/458/
Detection(s):
SecuriteInfo.com.Win64.DropperX-gen.5262.11734.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67ef8205855e5ec5240dba9f
Tags:
virus msil dldr
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Running batch commands
Launching a process
Launching the process to change network settings
Searching for the window
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Using the Windows Management Instrumentation requests
Enabling the 'hidden' option for analyzed file
Creating a file in the %temp% directory
Reading critical registry keys
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/67ef80190eb02f7be139a649/reports/7b44391e-326c-493e-956d-ae6f91e6e2ac/overview
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/a777a2eec9933c95e419cce77b09cffb73f0c4afcffde00942b9665098aa7fb4
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/2ba943cc-26f2-4640-9484-aa3488cb3c41
Result
Threat name:
Phantom stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1656302
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Drops password protected ZIP file
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Capture Wi-Fi password
Sigma detected: Potential Data Stealing Via Chromium Headless Debugging
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Yara detected Costura Assembly Loader
Yara detected Phantom stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1656302 Sample: OVALWantlist0325.exe Startdate: 04/04/2025 Architecture: WINDOWS Score: 100 51 mail.lightstartrading.com 2->51 53 lightstartrading.com 2->53 55 3 other IPs or domains 2->55 89 Malicious sample detected (through community Yara rule) 2->89 91 Antivirus detection for URL or domain 2->91 93 Sigma detected: Capture Wi-Fi password 2->93 95 7 other signatures 2->95 9 OVALWantlist0325.exe 14 2 2->9         started        13 msiexec.exe 2->13         started        signatures3 process4 dnsIp5 73 dcrun.co.uk 176.74.27.65, 49681, 80 DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU United Kingdom 9->73 101 Attempt to bypass Chrome Application-Bound Encryption 9->101 103 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 9->103 105 Found many strings related to Crypto-Wallets (likely being stolen) 9->105 107 5 other signatures 9->107 15 OVALWantlist0325.exe 50 9->15         started        signatures6 process7 dnsIp8 75 lightstartrading.com 170.10.162.116, 49781, 587 STEADFASTUS United States 15->75 77 icanhazip.com 104.16.184.241, 49709, 49779, 49780 CLOUDFLARENETUS United States 15->77 79 127.0.0.1 unknown unknown 15->79 49 C:\Users\user\...\user@367706_en-CH.zip, Zip 15->49 dropped 81 Tries to steal Mail credentials (via file / registry access) 15->81 83 Found many strings related to Crypto-Wallets (likely being stolen) 15->83 85 Tries to harvest and steal browser information (history, passwords, etc) 15->85 87 Tries to harvest and steal WLAN passwords 15->87 20 cmd.exe 1 15->20         started        23 msedge.exe 15->23         started        26 chrome.exe 1 15->26         started        28 3 other processes 15->28 file9 signatures10 process11 dnsIp12 97 Uses netsh to modify the Windows network and firewall settings 20->97 99 Tries to harvest and steal WLAN passwords 20->99 30 netsh.exe 2 20->30         started        32 conhost.exe 20->32         started        34 findstr.exe 1 20->34         started        36 chcp.com 1 20->36         started        69 239.255.255.250 unknown Reserved 23->69 38 msedge.exe 23->38         started        45 2 other processes 23->45 71 192.168.2.7, 138, 443, 49633 unknown unknown 26->71 41 chrome.exe 26->41         started        43 conhost.exe 28->43         started        47 6 other processes 28->47 signatures13 process14 dnsIp15 57 sb.scorecardresearch.com 18.173.218.31, 443, 49750, 49766 MIT-GATEWAYSUS United States 38->57 59 ax-0003.ax-msedge.net 150.171.28.12, 443, 49752 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 38->59 65 27 other IPs or domains 38->65 61 ogads-pa.clients6.google.com 142.251.40.138, 443, 49716, 49718 GOOGLEUS United States 41->61 63 www.google.com 142.251.40.164, 443, 49696, 49697 GOOGLEUS United States 41->63 67 3 other IPs or domains 41->67
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a777a2eec9933c95e419cce77b09cffb73f0c4afcffde00942b9665098aa7fb4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a777a2eec9933c95e419cce77b09cffb73f0c4afcffde00942b9665098aa7fb4/
Threat name:
ByteCode-MSIL.Trojan.PureLogStealer
Create hunting rule
Status:
Malicious
First seen:
2025-04-03 19:56:29 UTC
AV detection:
11 of 38 (28.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u532f3wjsm6jlzazzttxwcop7nz7brfpz766ackcxftfbgfkp62a._file
Result
Malware family:
stealerium
Create hunting rule
Score:
  10/10
Tags:
family:stealerium collection credential_access discovery persistence privilege_escalation spyware stealer
Link:
https://tria.ge/reports/250404-hjdytstqx7/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Network Configuration Discovery: Wi-Fi Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
Uses browser remote debugging
Stealerium
Stealerium family
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Tags:
external_ip_lookup
YARA:
n/a
Link:
https://app.threat.zone/submission/15cb55c5-9439-43e8-93ec-8aec9c4f7242
Unpacked files
SH256 hash:
a777a2eec9933c95e419cce77b09cffb73f0c4afcffde00942b9665098aa7fb4
MD5 hash:
081a892310290038e4ba646c488bad8e
SHA1 hash:
b3d36e18d2a94eb5060bb725a1d9a4e70629777d
Detections:
PureCrypter_Stage1
Create hunting rule
Link:
https://www.unpac.me/results/e9dc0814-50a2-409e-8939-03a3bf5efed1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a777a2eec9933c95e419cce77b09cffb73f0c4afcffde00942b9665098aa7fb4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

StealeriumStealer

Executable exe a777a2eec9933c95e419cce77b09cffb73f0c4afcffde00942b9665098aa7fb4

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/458/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments