MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a92119cb350ecb1278481b42dfd550cdfdebc144c39b83f291ee7deb91c23d87. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a92119cb350ecb1278481b42dfd550cdfdebc144c39b83f291ee7deb91c23d87
SHA3-384 hash: 67976bf40b7433f52e293a353cc2aa7b457d8545a4328c11d57f739e4e3fb5a9b347aedf73a5b5445d1fc9278506087f
SHA1 hash: df8457ee8030c34112df1216a8457de65c80d122
MD5 hash: 3c1fc0e5501a732f21671110d1593fed
humanhash: red-zebra-robert-ack
File name:file
Download: download sample
Signature Stealc
Create hunting rule
File size:1'808'384 bytes
First seen:2024-11-17 21:18:36 UTC
Last seen:2024-11-17 21:18:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:zgSP9rrtmx/nGcFiYQefhoMHud3L55ns5f:Tprta/nHiYXfhoMHu5ns5f
TLSH T1C2853319ADA40327D52065B50D8CD0D1B473872B359FFB29048BB2EFAA6B33546B7E70
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter Bitsight
Tags:exe Stealc


Avatar
Bitsight
url: http://185.215.113.16/steam/random.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
425
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a78ddb9eacd865eb3afcddb0143c6187a2bb3dabf5de0353b0dbccfbff603167
Verdict:
Malicious activity
Analysis date:
2024-11-17 21:11:49 UTC
Tags:
stealer lumma exfiltration themida loader stealc
Link:
https://app.any.run/tasks/5eb892c1-77c7-4d0e-8d1c-a395cdc38b69

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.7703.20620.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=673a5e695107a56eacc71a99
Tags:
small spam hype sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Searching for analyzing tools
Running batch commands
Creating a process with a hidden window
Launching a process
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/673a5dc8479e73cdc886070a/reports/c2bc1e2a-a9c2-4201-a43d-cfa57521c717/overview
Verdict:
Malicious
Labled as:
Symmi.Generic
Link:
https://www.hybrid-analysis.com/sample/a92119cb350ecb1278481b42dfd550cdfdebc144c39b83f291ee7deb91c23d87
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ea0ae559-6364-4d02-b47d-59d999dab971
Result
Threat name:
PureCrypter, LummaC, Amadey, Credential
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1557245
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Detected PureCrypter Trojan
Detected unpacking (changes PE section rights)
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Potentially malicious time measurement code found
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected Cryptbot
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1557245 Sample: file.exe Startdate: 17/11/2024 Architecture: WINDOWS Score: 100 108 youtube.com 2->108 110 youtube-ui.l.google.com 2->110 112 36 other IPs or domains 2->112 138 Suricata IDS alerts for network traffic 2->138 140 Found malware configuration 2->140 142 Antivirus detection for URL or domain 2->142 144 15 other signatures 2->144 12 file.exe 37 2->12         started        17 bef6a59ce6.exe 2->17         started        19 skotes.exe 2->19         started        21 3 other processes 2->21 signatures3 process4 dnsIp5 122 185.215.113.206, 49704, 49800, 60797 WHOLESALECONNECTIONSNL Portugal 12->122 124 185.215.113.16 WHOLESALECONNECTIONSNL Portugal 12->124 126 127.0.0.1 unknown unknown 12->126 92 C:\Users\user\DocumentsCGDHIEGCFH.exe, PE32 12->92 dropped 94 C:\Users\user\AppData\...\softokn3[1].dll, PE32 12->94 dropped 96 C:\Users\user\AppData\Local\...\random[1].exe, PE32 12->96 dropped 98 11 other files (3 malicious) 12->98 dropped 184 Detected unpacking (changes PE section rights) 12->184 186 Attempt to bypass Chrome Application-Bound Encryption 12->186 188 Drops PE files to the document folder of the user 12->188 200 7 other signatures 12->200 23 cmd.exe 12->23         started        25 msedge.exe 2 11 12->25         started        28 chrome.exe 12->28         started        190 Tries to harvest and steal browser information (history, passwords, etc) 17->190 192 Tries to steal Crypto Currency Wallets 17->192 194 Hides threads from debuggers 17->194 196 Tries to detect sandboxes / dynamic malware analysis system (registry check) 19->196 198 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 19->198 31 msedge.exe 21->31         started        34 msedge.exe 21->34         started        36 msedge.exe 21->36         started        38 2 other processes 21->38 file6 signatures7 process8 dnsIp9 40 DocumentsCGDHIEGCFH.exe 23->40         started        44 conhost.exe 23->44         started        154 Monitors registry run keys for changes 25->154 46 msedge.exe 25->46         started        128 192.168.2.7, 443, 49702, 49703 unknown unknown 28->128 130 239.255.255.250 unknown Reserved 28->130 48 chrome.exe 28->48         started        132 13.107.246.57, 443, 60858, 60859 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 31->132 134 20.1.248.118, 443, 60905, 60918 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 31->134 136 22 other IPs or domains 31->136 100 C:\Users\user\AppData\Local\...\Cookies, SQLite 31->100 dropped file10 signatures11 process12 dnsIp13 90 C:\Users\user\AppData\Local\...\skotes.exe, PE32 40->90 dropped 156 Detected unpacking (changes PE section rights) 40->156 158 Tries to evade debugger and weak emulator (self modifying code) 40->158 160 Tries to detect virtualization through RDTSC time measurements 40->160 162 3 other signatures 40->162 51 skotes.exe 40->51         started        102 www.google.com 142.250.181.228, 443, 49748, 49749 GOOGLEUS United States 48->102 104 plus.l.google.com 216.58.206.78, 443, 49790 GOOGLEUS United States 48->104 106 3 other IPs or domains 48->106 file14 signatures15 process16 dnsIp17 114 185.215.113.43 WHOLESALECONNECTIONSNL Portugal 51->114 116 31.41.244.11 AEROEXPRESS-ASRU Russian Federation 51->116 82 C:\Users\user\AppData\...\4ff2bfa33f.exe, PE32 51->82 dropped 84 C:\Users\user\AppData\...\3afa1b1567.exe, PE32 51->84 dropped 86 C:\Users\user\AppData\...\5b96a79886.exe, PE32 51->86 dropped 88 7 other malicious files 51->88 dropped 146 Detected unpacking (changes PE section rights) 51->146 148 Creates multiple autostart registry keys 51->148 150 Tries to evade debugger and weak emulator (self modifying code) 51->150 152 4 other signatures 51->152 56 bef6a59ce6.exe 51->56         started        60 4ff2bfa33f.exe 51->60         started        62 5b96a79886.exe 51->62         started        64 2 other processes 51->64 file18 signatures19 process20 dnsIp21 118 cook-rain.sbs 188.114.97.3 CLOUDFLARENETUS European Union 56->118 164 Multi AV Scanner detection for dropped file 56->164 166 Detected unpacking (changes PE section rights) 56->166 168 Query firmware table information (likely to detect VMs) 56->168 182 5 other signatures 56->182 170 Tries to detect sandboxes and other dynamic analysis tools (window names) 60->170 172 Tries to evade debugger and weak emulator (self modifying code) 60->172 174 Hides threads from debuggers 60->174 176 Tries to detect sandboxes / dynamic malware analysis system (registry check) 62->176 178 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 62->178 120 home.fvtejj5vs.top 62.76.234.151 SUPERSERVERSDATACENTERRU Russian Federation 64->120 180 Binary is likely a compiled AutoIt script file 64->180 66 taskkill.exe 64->66         started        68 taskkill.exe 64->68         started        70 taskkill.exe 64->70         started        72 taskkill.exe 64->72         started        signatures22 process23 process24 74 conhost.exe 66->74         started        76 conhost.exe 68->76         started        78 conhost.exe 70->78         started        80 conhost.exe 72->80         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a92119cb350ecb1278481b42dfd550cdfdebc144c39b83f291ee7deb91c23d87
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a92119cb350ecb1278481b42dfd550cdfdebc144c39b83f291ee7deb91c23d87/
Threat name:
Win32.Spyware.Stealc
Create hunting rule
Status:
Malicious
First seen:
2024-11-17 21:19:06 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 24 (83.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=veqrtszvb3fre6cidnbn7vkqzx66xqkeyonyh4ur5z66xeochwdq._file
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery evasion
Link:
https://tria.ge/reports/241117-z56dmsydjc/
Behaviour
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f51f21d9-554e-4388-8048-786228ae8233
Unpacked files
SH256 hash:
8645dff57289982ad39ed15ac4b73ce02c2126f4f2a635c352dbafe7b1f4c3aa
MD5 hash:
9e1607aebd6be98c5223a18f7c00e695
SHA1 hash:
2f92e3276fc7ffda9148678f0e70ef18935d46ce
Detections:
win_stealc_w0
Create hunting rule
win_stealc_a0
Create hunting rule
Link:
https://www.unpac.me/results/db30110c-c24e-4550-89bd-48b718ad8b48/
SH256 hash:
a92119cb350ecb1278481b42dfd550cdfdebc144c39b83f291ee7deb91c23d87
MD5 hash:
3c1fc0e5501a732f21671110d1593fed
SHA1 hash:
df8457ee8030c34112df1216a8457de65c80d122
Link:
https://www.unpac.me/results/db30110c-c24e-4550-89bd-48b718ad8b48/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a92119cb350e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a92119cb350ecb1278481b42dfd550cdfdebc144c39b83f291ee7deb91c23d87

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe a92119cb350ecb1278481b42dfd550cdfdebc144c39b83f291ee7deb91c23d87

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3284801/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments