MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9a4d321d6ccfe6ba9e0f870fb1bf590535c6e10a091805020930dce46e116b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a9a4d321d6ccfe6ba9e0f870fb1bf590535c6e10a091805020930dce46e116b7
SHA3-384 hash: 4934153cab569235e33650e8fcad651129dfa3a7efbc9c1747abf2ad9176c83d53d17f3d87d93a6e56adf1f37224b0ee
SHA1 hash: bf246f61d7d62133efe5401388cf6168b4191b20
MD5 hash: 084222b639a1b3f35be40ca5282a6e0a
humanhash: kentucky-fillet-mockingbird-lamp
File name:stale.exe
Download: download sample
Signature Stealc
Create hunting rule
File size:13'657'088 bytes
First seen:2024-02-04 07:34:24 UTC
Last seen:2024-02-04 09:23:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash bff37c7a49190d2c339ddd01860611a0 (1 x Stealc, 1 x Rhadamanthys)
ssdeep 196608:GU+cdCfmrKBePnrd/dff/Qf6QyakYOtPdyxVmRPoictmJMVPTAvrnEtmcDp75:VsMKsftd3oiwO/nVRLrnGLb
Threatray 1 similar samples on MalwareBazaar
TLSH T1DAD633953BDF80F8DBC2183457275FCB13F292F9898498287AC5A946BD61F7110AFC62
TrID 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Reporter iamdeadlyz
Tags:194-120-116-120 CVE-2023-27363 exe Stealc


Avatar
Iamdeadlyz
Outfoxing a Malicious PDF: An attacker's attempt to deliver a Stealc infostealer. Exploiting CVE-2023-27363.

Agreement_eSign.pdf drops officeupdate.hta [persisting via startup folder]
Retrieves: hxxps://brazilanimalshelp[.]com/updating/stale.exe
Stealc C&C: hxxp://194.120.116[.]120/7a957ef6cc168ff6.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
509
Origin country :
SG SG
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.24243.8631.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed packed vmprotect
Link:
https://www.filescan.io/uploads/65bf3e28a317adb7426223b2/reports/8a96cd38-8daf-4410-9245-a5159966795e/overview
Verdict:
Malicious
Labled as:
Fragtor.Generic
Link:
https://www.hybrid-analysis.com/sample/a9a4d321d6ccfe6ba9e0f870fb1bf590535c6e10a091805020930dce46e116b7
Result
Verdict:
MALICIOUS
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/f69a87cd-c2e0-4d59-b18d-fb32a16b3994
Result
Threat name:
Stealc
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1386294
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Yara detected Stealc
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a9a4d321d6ccfe6ba9e0f870fb1bf590535c6e10a091805020930dce46e116b7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a9a4d321d6ccfe6ba9e0f870fb1bf590535c6e10a091805020930dce46e116b7/
Threat name:
Win32.Trojan.StealC
Create hunting rule
Status:
Malicious
First seen:
2024-02-04 09:02:30 UTC
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vgsngiowzt7gxkpa7bypwg7vsbjvy3qquciyaubasmg44rxbc23q._file
Verdict:
malicious
Similar samples:
a9a4d321d6ccfe6ba9e0f870fb1bf590535c6e10a091805020930dce46e116b7
Stealc
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/240204-jensxaehbq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Downloads MZ/PE file
Unpacked files
SH256 hash:
a9a4d321d6ccfe6ba9e0f870fb1bf590535c6e10a091805020930dce46e116b7
MD5 hash:
084222b639a1b3f35be40ca5282a6e0a
SHA1 hash:
bf246f61d7d62133efe5401388cf6168b4191b20
Link:
https://www.unpac.me/results/a4a3d1c5-9a90-455e-ab98-2eb4bfa051df/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a9a4d321d6cc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Stealc
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a9a4d321d6ccfe6ba9e0f870fb1bf590535c6e10a091805020930dce46e116b7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

pdf 3779f1b904ee4cf41f4a266505490682559d09337deb30a2cc08793c2e69385c

Stealc

Executable exe a9a4d321d6ccfe6ba9e0f870fb1bf590535c6e10a091805020930dce46e116b7

(this sample)

  
Link
https://iamdeadlyz.gitbook.io/malware-research/february-2024/outfoxing-a-malicious-pdf-an-attackers-attempt-to-deliver-a-stealc-infostealer
  
Dropped by
SHA256 3779f1b904ee4cf41f4a266505490682559d09337deb30a2cc08793c2e69385c
  
Dropped by
SHA256 84626884775edba43d27869acfe98ce6e7bf687bc1d71fa4a4383d69cfe9d0b6
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2756528/
  
Dropped by
MD5 cfab7a2f5302b8fcdd98159c3c892404
  
Dropped by
MD5 4913fe0e4d17f0a4b18a9acb04c255ac

Comments