MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa50f9faafbf5561f5d7ad97e295a755a2ce4b53660dfb2f69a8defdbc9f41fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aa50f9faafbf5561f5d7ad97e295a755a2ce4b53660dfb2f69a8defdbc9f41fa
SHA3-384 hash: 0518398229363095eedb7af9246d2f24a3e3a41f8bef057c48c6c717138555d815498b0e1f12b3120816bb803d47b317
SHA1 hash: 6c6f3de0bb9d1ea7ee8d9784ba2ef0339fc3aa28
MD5 hash: ac15a12abb4c08cabdb301e91cf96bad
humanhash: texas-nitrogen-snake-lion
File name:file
Download: download sample
Signature Stealc
Create hunting rule
File size:1'132'544 bytes
First seen:2024-07-17 11:54:21 UTC
Last seen:2024-07-24 20:07:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 001806c33a6e9fe5fbff34bdbd79b591 (112 x Stealc, 9 x MarsStealer, 1 x Amadey)
ssdeep 24576:PIXPNPZVrEkPlVv3/d6TWtXJJaXoNQcOGXOUurOODI3YiNE2ow:Eh7vV6+c3cROUu7I3YCV
TLSH T1AF3533203CEAE68AD50BEDF774C5E11D2B0F931F410D2A258648C42F85A73BBD9DB616
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter Bitsight
Tags:exe Stealc


Avatar
Bitsight
url: http://77.91.77.81/stealc/random.exe

Intelligence

File Origin
# of uploads :
16
# of downloads :
356
Origin country :
US US
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.EnigmaProtector-9852682-0
Create hunting rule

Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6697b118da4062e29ae8a2ea
Tags:
Infostealer Stealth
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
enigma lolbin microsoft_visual_cc obfuscated packed packed shell32
Link:
https://www.filescan.io/uploads/6697b11f7b9add553ed62de0/reports/e59df63a-2b5f-4dcd-8a54-69f7e181e06c/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/aa50f9faafbf5561f5d7ad97e295a755a2ce4b53660dfb2f69a8defdbc9f41fa
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5953bdff-0deb-4b91-8d3b-ae1dd696a467
Result
Threat name:
Amadey, Mars Stealer, Stealc, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1474951
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
PE file contains section with special chars
PE file has nameless sections
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Amadeys stealer DLL
Yara detected Mars stealer
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1474951 Sample: file.exe Startdate: 17/07/2024 Architecture: WINDOWS Score: 100 87 youtube-ui.l.google.com 2->87 89 www.youtube.com 2->89 91 33 other IPs or domains 2->91 105 Snort IDS alert for network traffic 2->105 107 Found malware configuration 2->107 109 Antivirus detection for URL or domain 2->109 111 16 other signatures 2->111 11 file.exe 37 2->11         started        16 firefox.exe 2->16         started        18 explorti.exe 2->18         started        20 2 other processes 2->20 signatures3 process4 dnsIp5 99 85.28.47.30, 49704, 49721, 49796 GES-ASRU Russian Federation 11->99 101 77.91.77.81, 49705, 49719, 49722 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 11->101 69 C:\Users\user\AppData\...BGIDGCAFC.exe, PE32 11->69 dropped 71 C:\Users\user\AppData\...\softokn3[1].dll, PE32 11->71 dropped 73 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 11->73 dropped 75 12 other files (8 malicious) 11->75 dropped 125 Detected unpacking (changes PE section rights) 11->125 127 Tries to steal Mail credentials (via file / registry access) 11->127 129 Found many strings related to Crypto-Wallets (likely being stolen) 11->129 137 4 other signatures 11->137 22 cmd.exe 1 11->22         started        24 cmd.exe 2 11->24         started        26 firefox.exe 16->26         started        131 Hides threads from debuggers 18->131 133 Tries to detect sandboxes / dynamic malware analysis system (registry check) 18->133 135 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 18->135 file6 signatures7 process8 dnsIp9 29 EBGIDGCAFC.exe 4 22->29         started        33 conhost.exe 22->33         started        35 conhost.exe 24->35         started        93 youtube-ui.l.google.com 142.250.185.238, 443, 49747, 49749 GOOGLEUS United States 26->93 95 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82, 49750, 49756, 49760 GOOGLEUS United States 26->95 97 9 other IPs or domains 26->97 37 pingsender.exe 26->37         started        39 pingsender.exe 26->39         started        41 pingsender.exe 26->41         started        43 3 other processes 26->43 process10 file11 77 C:\Users\user\AppData\Local\...\explorti.exe, PE32 29->77 dropped 139 Antivirus detection for dropped file 29->139 141 Detected unpacking (changes PE section rights) 29->141 143 Machine Learning detection for dropped file 29->143 147 5 other signatures 29->147 45 explorti.exe 21 29->45         started        145 Tries to harvest and steal browser information (history, passwords, etc) 37->145 50 conhost.exe 37->50         started        52 conhost.exe 39->52         started        54 conhost.exe 41->54         started        signatures12 process13 dnsIp14 103 77.91.77.82, 49718, 49720, 49723 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 45->103 79 C:\Users\user\AppData\...\cd22adaafa.exe, PE32 45->79 dropped 81 C:\Users\user\AppData\...\307a8145b3.exe, PE32 45->81 dropped 83 C:\Users\user\AppData\...\a8c06dd7c7.exe, PE32 45->83 dropped 85 3 other malicious files 45->85 dropped 149 Antivirus detection for dropped file 45->149 151 Detected unpacking (changes PE section rights) 45->151 153 Tries to detect sandboxes and other dynamic analysis tools (window names) 45->153 155 6 other signatures 45->155 56 a8c06dd7c7.exe 12 45->56         started        59 29338d4634.exe 45->59         started        61 307a8145b3.exe 1 45->61         started        63 cd22adaafa.exe 45->63         started        file15 signatures16 process17 signatures18 113 Antivirus detection for dropped file 56->113 115 Detected unpacking (changes PE section rights) 56->115 117 Machine Learning detection for dropped file 56->117 119 Hides threads from debuggers 59->119 121 Multi AV Scanner detection for dropped file 61->121 123 Binary is likely a compiled AutoIt script file 61->123 65 firefox.exe 61->65         started        67 firefox.exe 63->67         started        process19
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/aa50f9faafbf5561f5d7ad97e295a755a2ce4b53660dfb2f69a8defdbc9f41fa
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aa50f9faafbf5561f5d7ad97e295a755a2ce4b53660dfb2f69a8defdbc9f41fa/
Threat name:
Win32.Trojan.Stealc
Create hunting rule
Status:
Malicious
First seen:
2024-07-17 11:55:06 UTC
File Type:
PE (Exe)
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vjipt6vpx5kwd5oxvwl6ffnhkwrm4s2tmyg7wl3jvdpp3pe7ih5a._file
Verdict:
malicious
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:stealc botnet:4dd39d botnet:funny discovery evasion spyware stealer trojan
Link:
https://tria.ge/reports/240717-n3fjnaseka/
Behaviour
Checks processor information in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in Windows directory
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Stealc
Malware Config
C2 Extraction:
http://85.28.47.30
http://77.91.77.82
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9aa15039-debd-40ed-927b-3460c64a3461
Unpacked files
SH256 hash:
aa50f9faafbf5561f5d7ad97e295a755a2ce4b53660dfb2f69a8defdbc9f41fa
MD5 hash:
ac15a12abb4c08cabdb301e91cf96bad
SHA1 hash:
6c6f3de0bb9d1ea7ee8d9784ba2ef0339fc3aa28
Detections:
SUSP_XORed_URL_In_EXE
Create hunting rule
Link:
https://www.unpac.me/results/5af224a5-cc4a-4d11-91b6-24cdb779c4f1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aa50f9faafbf5561f5d7ad97e295a755a2ce4b53660dfb2f69a8defdbc9f41fa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:SUSP_XORed_URL_In_EXE
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe aa50f9faafbf5561f5d7ad97e295a755a2ce4b53660dfb2f69a8defdbc9f41fa

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3047216/
  
URLhaus
https://urlhaus.abuse.ch/url/3047209/
  
URLhaus
https://urlhaus.abuse.ch/url/3047215/
  
URLhaus
https://urlhaus.abuse.ch/url/2908698/
  
URLhaus
https://urlhaus.abuse.ch/url/2909131/
  
URLhaus
https://urlhaus.abuse.ch/url/2909129/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteA
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryA
WIN_BASE_IO_APICan Create Filesversion.dll::GetFileVersionInfoA

Comments