MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac24e25abf122f50c3eff690cec633cee1ee0bd11138842364e6c600a7ca8c54. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 12

Intelligence 12 IOCs YARA 1 File information Comments

SHA256 hash:	ac24e25abf122f50c3eff690cec633cee1ee0bd11138842364e6c600a7ca8c54
SHA3-384 hash:	3592ddfaa463582b2c9ceedad95a99ef9003d32d9e900e9305360a5843d526b38b5aba03bed55a968616f192ed546fcf
SHA1 hash:	83ed4831e61e1d5a94589a22c2bb8201f8c350da
MD5 hash:	a1eaaa73a1c0cc9600a07ff469f1e257
humanhash:	twelve-salami-hawaii-washington
File name:	file
Download:	download sample
Signature	Stealc Create hunting rule
File size:	314'368 bytes
First seen:	2023-12-01 00:56:17 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	73f64d5610703b4f05e5f8dfa1eaa537 (8 x Smoke Loader, 3 x Tofsee, 2 x Stealc)
ssdeep	3072:N8AKyPxwvtEivlRtJc7Yr6JGAMu5jPXzxpMu63jXdo:WQPKplv6VJGATPXzxyjX
TLSH	T18F64C50382E17D86EA278B729F2FC6EC771EF6508E49777912289E1F14B05B6D1A3710
TrID	46.6% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 25.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 8.5% (.EXE) Win64 Executable (generic) (10523/12/4) 5.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	00044c822011c184 (1 x Stealc)
Reporter	andretavare5
Tags:	exe Stealc

andretavare5

Sample downloaded from http://5.42.64.35/timeSync.exe

Intelligence

File Origin

# of uploads :

# of downloads :

334

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/461533/

Gathering data

Result

Verdict:

Clean

Maliciousness:

Gathering data

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/ac24e25abf122f50c3eff690cec633cee1ee0bd11138842364e6c600a7ca8c54

Result

Verdict:

MALICIOUS

Malware family:

Stealc

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/885e879d-7edd-4a89-9d1a-f7d5d94e6d44

Result

Threat name:

Stealc, Vidar

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1350993

Behaviour

Behavior Graph:

n/a

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ac24e25abf122f50c3eff690cec633cee1ee0bd11138842364e6c600a7ca8c54

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ac24e25abf122f50c3eff690cec633cee1ee0bd11138842364e6c600a7ca8c54/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2023-12-01 00:57:04 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 23 (91.30%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vqsoewv7cixvbq7p62im5rrtz3q64c6rce4iii3e43dabj6krrka._file

Verdict:

malicious

Result

Malware family:

stealc

Score:

10/10

Tags:

family:stealc discovery spyware stealer

Link:

https://tria.ge/reports/231201-bazevadb75/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Stealc

Malware Config

C2 Extraction:

http://5.42.64.41

Unpacked files

SH256 hash:

2cb8f1b5d0419a80db8d6b13eaed2bfe60f1c053b465a72d4620ad8027c0d15a

MD5 hash:

c99986364003af19ed59e34b3c1f3d24

SHA1 hash:

c1d1f084ba481886039c589b464d18e892e42f74

Detections:

stealc

win_stealc_a0

win_stealc_bytecodes_oct_2023

Link:

https://www.unpac.me/results/d8489c3e-8c0c-4a2d-8cd4-54b7cff66428/

Parent samples :

f836045456af9da9a397af00ce4e70252a5b9c2416562de20ea1e63c7c908a8b
0148bb7b1f0e2a85950913783f58a58f806e4b5511e40d11ee8b5510983e1031
4141832da8cb4c2cb699e490a67c16f8223b0dbdb0fc48632d9f999e19b87a8f
5fdc91ad771c9fc0b8f3fa547a3616468ce0b7bb448f726ad9c055083ac13c0f
65bc094bc96a1963c31c2acd9a564cc0486dce8fcf23d6f69e09a4c61a2d1528
904911e002a065b01a16fe92c9f86493bb9af9ba08b554c3da4011ade98a9936
c4fb74adbe02c3469b66e3e007c312a18736a343a8dca3f4c051a32de8ae135c
4495aea2bdca5be58cc0530892de3d3a983dbf47e73980c463b0048968c13074
47281571c8ba7092f5e7864377be0dc4c8d170f501203a6dc104a401ddc62eac
67126ea123114450c7cf76ad268976944fa96565b334652d6e5b1248d1970f42
ec8023c54a870806d4ba36d1dd4635fd69d3f7b0dd72c75d41b6c93b19a34b8a
d407f1314cc37bec7df6922d915a66f6b46d76d47f71bc6223884a2f218bdd09
9e7d1738d15d92b3bcd8838788eedd625ce7914b194696f3e3f448ec2ad6ef47
1f6011a2da78434b09f854d3ff86cb92ffdb3d6e953ce0a8535c32cac13cfdb3
7bee0b7e7a3c0a66e7bbbdf689bcd6d58f9f6fa4599a8f9f24d52d6946824a92
078751d09762788794092a2425538653f726a36b7f33d6f312b49bfcbcf8d001
834b73d2202e64d5ad7aca2f5763c5fa77683e7144ba53eb385a381cd99fc4ae
a6cbb9cd010b8a448fa1d0b702dd4f7b8a7892838cda3dac30b6d6b4171a4274
a8c7148da91a091247169f57067439a8204c1140fefb2d6d0d71751acb30dd22
55f31583dbfc665b28b7a3a1830d3be4170cad27be46fe1f15a843d15b9f36ac
aae15c961d1ea186efb77a1357b8179a30a4dc3590a8bf76e11ff0f5091a16cc
0099b3b2a2214984005724020f9704153efcca043132a2c27aa741592d449b53
ac24e25abf122f50c3eff690cec633cee1ee0bd11138842364e6c600a7ca8c54
854454fcf6cdce3223bea2e9cabf030047d7f81537eda0e1ca94baff43cc59e6
7a5adde924262ecd4fa4d627b02796d7d338104bad89bf2ddc019b678c30d740
5422d127b342135a6064e8f87b66d7586551d2208fd21cff5a0c73f6161bded7
27f9fabd0c8cc215850373feb61598fc5e0ffce5b29f779fbdcc4e1f1583f609
02d4c69ea3f0fecf650085b84096dc9360675697531ca3e8eb053668603cf760
9b1f16fc5a7eb84cd73ad46c684151303bdacb2e9ea7bd239e5557822026426c
4a6344d67c4ab2b8360bd3f1051506a0d61a327a332c20f925c68c26afd176bd
55f1014c9332b18b45ee1a3f8e750900c3c53c0f5d94441a5cd889fc952383e6
028705f4f1cbc7e7aea4ac2469457c46fe7651cc366bd49ab1f832cce08bf05c
8bcace1ac73adbcc0d5a2bd4addbb5b07c74050f2a231b5f6d2b0d02cb942874
4a9df1083d5ea6c9eb009bb4cb4053896a267f0b5302a7d91670ac265022eab3

SH256 hash:

ac24e25abf122f50c3eff690cec633cee1ee0bd11138842364e6c600a7ca8c54

MD5 hash:

a1eaaa73a1c0cc9600a07ff469f1e257

SHA1 hash:

83ed4831e61e1d5a94589a22c2bb8201f8c350da

Link:

https://www.unpac.me/results/d8489c3e-8c0c-4a2d-8cd4-54b7cff66428/

Malware family:

Stealc

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ac24e25abf12/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ac24e25abf122f50c3eff690cec633cee1ee0bd11138842364e6c600a7ca8c54

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2735175/

Cape

https://www.capesandbox.com/analysis/461533/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample