MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a964494510ab39940fe01c9a1f6c5277033afe32949af8fcc49a20686bd1051e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 15

SHA256 hash: a964494510ab39940fe01c9a1f6c5277033afe32949af8fcc49a20686bd1051e
SHA3-384 hash: ce41c5735ee07fcfc28b4c36133e5fbd8011a8bc85939095f90a28e8a36462749a2d5d1907f5d6e0056abe45c5d56f6d
SHA1 hash: e39521887013d72f4944f668af576d039a34f483
MD5 hash: 962bd34194db7bd93d52f6dadf591826
humanhash: sweet-enemy-zulu-quiet
File name: file
Signature: Stealc
File size: 180'224 bytes
First seen: 2023-10-31 22:14:18 UTC
Last seen: 2023-10-31 23:24:26 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash da9f25ea3031e9a563d04b4d7ccee4d1 (1 x Stealc)
ssdeep 3072:Tz4+NndYZt4nTWazc16ooZqMJ0XwKF6596I:n4ondYETU6/0AD
Threatray 126 similar samples on MalwareBazaar
TLSH T126045C03A3E13D55F9264B329F2ED1E8761EF551CEEA77EA32189A2F04B00B2D163751
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon 0084422022205002 (1 x Stealc)
Reporter andretavare5
Tags: exe Stealc
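Before detonating or sharing a file you believe is this sample, recompute the digests listed above and compare them; one mismatch means you do not hold the file this entry describes (or it was altered in transit). The script below is an added example, not tooling from MalwareBazaar or abuse.ch. The hash values and size are copied from the entry; the file name verify_sample.py and the chunk size are arbitrary choices.

```python
import hashlib
import sys
from typing import Dict

# Digests and size as listed on this MalwareBazaar entry.
ENTRY_HASHES = {
    "sha256": "a964494510ab39940fe01c9a1f6c5277033afe32949af8fcc49a20686bd1051e",
    "sha3_384": "ce41c5735ee07fcfc28b4c36133e5fbd8011a8bc85939095f90a28e8a36462749a2d5d1907f5d6e0056abe45c5d56f6d",
    "sha1": "e39521887013d72f4944f668af576d039a34f483",
    "md5": "962bd34194db7bd93d52f6dadf591826",
}
ENTRY_SIZE = 180224  # 180'224 bytes


def digest_bytes(data: bytes, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Compute the four digests the entry lists, streaming the data once through all of them."""
    hashers = {name: hashlib.new(name) for name in ENTRY_HASHES}
    view = memoryview(data)
    for offset in range(0, len(view), chunk_size):
        chunk = view[offset:offset + chunk_size]
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def looks_like_pe(data: bytes) -> bool:
    """Structural check behind the entry's 'application/x-dosexec' MIME type:
    an 'MZ' DOS header whose e_lfanew field (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def verify_sample(data: bytes,
                  expected: Dict[str, str] = ENTRY_HASHES,
                  size: int = ENTRY_SIZE) -> Dict[str, bool]:
    """Return one pass/fail flag per check: the four digests, the byte count and the PE layout."""
    got = digest_bytes(data)
    checks = {name: got[name] == expected[name].lower() for name in expected}
    checks["size"] = len(data) == size
    checks["pe"] = looks_like_pe(data)
    return checks


if __name__ == "__main__":
    # Usage: python verify_sample.py <extracted sample file>
    with open(sys.argv[1], "rb") as fh:
        blob = fh.read()
    results = verify_sample(blob)
    for check, ok in results.items():
        print(f"{check:9s} {'OK' if ok else 'MISMATCH'}")
    sys.exit(0 if all(results.values()) else 1)
```

MalwareBazaar serves downloads as a password-protected ZIP (password `infected`), so extract the inner file first; hashing the archive will never match. Run this in the analysis VM, not on the host you downloaded to.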


andretavare5
Sample downloaded from http://michaelcoleman.icu/timeSync.exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 351
Origin country: US
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Sending a custom TCP request
Changing a file
Creating a file in the %AppData% subdirectories
Creating a window
Running batch commands
Creating a process with a hidden window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Gathering data
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Oski Stealer
Verdict: Malicious
Result
Threat name: Stealc, Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking locale)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Sample uses string decryption to hide its real strings
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2023-10-31 22:15:05 UTC
File Type: PE (Exe)
Extracted files: 26
AV detection: 15 of 38 (39.47%)
Threat level: 2/5
Result
Malware family:
Score: 10/10
Tags: family:stealc discovery spyware stealer
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Stealc
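The sandbox signatures and behaviours above ("Running batch commands", "Delays execution with timeout.exe", "Self deletion via cmd or bat file", "Deletes itself") describe the clean-up step common to Stealc and related stealers: the payload spawns cmd.exe, sleeps via timeout.exe, then deletes its own image. The detection below is an added example, not part of this MalwareBazaar page or any vendor's rule set. It runs over a few constructed Sysmon-style process-creation records (field names Image, ParentImage and CommandLine are Sysmon Event ID 1 fields; the records, paths and the reuse of the reporter's timeSync.exe file name are invented for illustration). It generalises slightly beyond the page: a delayed delete of the parent image is flagged high, and a timeout-then-delete of any other path is flagged medium.

```python
import json
import re
from typing import Dict, List

# Constructed Sysmon-style (Event ID 1) process-creation records for illustration only;
# these are not telemetry from the sample on this page.
SAMPLE_EVENTS = [
    json.dumps({
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Users\victim\AppData\Local\Temp\timeSync.exe",
        "CommandLine": r'"C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\victim\AppData\Local\Temp\timeSync.exe" & exit',
    }),
    json.dumps({
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'cmd.exe /c timeout /t 3 & del "C:\Users\victim\Downloads\old_report.pdf"',
    }),
    json.dumps({
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"cmd.exe /c dir C:\Users",
    }),
]

# timeout.exe used as a sleep before the delete, with or without the /t switch.
DELAY_RE = re.compile(r"\btimeout(?:\.exe)?\s+(?:/t\s+)?\d+", re.I)
# del/erase, optional switches, then a drive-letter path (quoted or bare) ending at &, | or end of line.
DEL_RE = re.compile(r'\b(?:del|erase)\b(?:\s+/\w)*\s+"?([A-Za-z]:\\[^"&|]+?)"?\s*(?:&|\||$)', re.I)


def detect_self_delete(raw_events: List[str]) -> List[Dict[str, object]]:
    """Return one alert per cmd.exe launch that deletes a file after a timeout.exe delay,
    rated high when the deleted path is the launching (parent) process image."""
    alerts: List[Dict[str, object]] = []
    for raw in raw_events:
        ev = json.loads(raw)
        image = ev.get("Image", "")
        parent = ev.get("ParentImage", "")
        cmdline = ev.get("CommandLine", "")
        if not image.lower().endswith("\\cmd.exe"):
            continue
        deleted = DEL_RE.search(cmdline)
        if not deleted:
            continue
        target = deleted.group(1).strip()
        delayed = DELAY_RE.search(cmdline) is not None
        if target.lower() == parent.lower():
            alerts.append({"rule": "self_delete_via_cmd", "severity": "high",
                           "parent": parent, "target": target, "delayed": delayed})
        elif delayed:
            alerts.append({"rule": "delayed_delete_via_cmd", "severity": "medium",
                           "parent": parent, "target": target, "delayed": True})
    return alerts


if __name__ == "__main__":
    for alert in detect_self_delete(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Installers and updaters also delete themselves this way, so in production gate the high-severity rule on the parent image living in a user-writable directory (Temp, Downloads, %AppData%) and on the parent not being signed by a trusted publisher; the medium rule is noisy and is better used as a correlation input than as a standalone alert.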
Unpacked files
SHA256 hash: 765b94af3a78c368f5008b1cf150cdbeba72412a86286a19fc6524c94c2a3498
MD5 hash: 1ec4672d437b48f8d6fe325df2726ae9
SHA1 hash: 69cd885bb9403860cc1ea11834f239290165e1ee
Detections: stealc
Parent samples:
SHA256 hash: a964494510ab39940fe01c9a1f6c5277033afe32949af8fcc49a20686bd1051e
MD5 hash: 962bd34194db7bd93d52f6dadf591826
SHA1 hash: e39521887013d72f4944f668af576d039a34f483
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__ConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: detect_Mars_Stealer
Author: @malgamy12
Description: detect_Mars_Stealer
Rule name: infostealer_win_stealc_standalone
Description: Find standalone Stealc sample based on decryption routine or characteristic strings
Reference: https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: Trojan_W32_Gh0stMiancha_1_0_0
Rule name: Windows_Trojan_Smokeloader_3687686f
Author: Elastic Security
Rule name: win_stealc_w0
Author: crep1x
Description: Find standalone Stealc sample based on decryption routine or characteristic strings
Reference: https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/
Rule name: yarahub_win_stealc_bytecodes_oct_2023
Author: Matthew @ Embee_Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments