MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad1631eef269b7dd54df995000b702d36e5e278ba0277be7252e294f7517b662. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ad1631eef269b7dd54df995000b702d36e5e278ba0277be7252e294f7517b662
SHA3-384 hash: 33c65c53957f753666c2903f7dd898abd477080113e5b44ccf03ac6e6c3c3af577b0e1c1156f6f72aa2a9ed7fb6bcfd9
SHA1 hash: e7f6fbbc7f2ee1bc1a09a41fded604a30c8e6fda
MD5 hash: e7946204dee344a8e0ec8bdc4a7f6b9e
humanhash: muppet-ceiling-may-tennessee
File name:Office_Setup_v2.65.exe
Download: download sample
Signature Stealc
Create hunting rule
File size:24'324'512 bytes
First seen:2023-05-29 18:49:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e569e6f445d32ba23766ad67d1e3787f (260 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep 393216:wnFCJ92stxaUoxBAoYIn04B8PT5UbkYkKJW6ctXyt5K13N7QvDpK7KO+In:KCT2stMUoxSpI0A8VfKOXY5Kv7X7iK
Threatray 1'254 similar samples on MalwareBazaar
TLSH T1E237333FB258B53EC96A4A324673A320997B7A61B41B8C0F4BF0055CDF674211F3EA56
TrID 50.4% (.EXE) Inno Setup installer (109740/4/30)
19.7% (.EXE) InstallShield setup (43053/19/16)
19.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.8% (.EXE) Win64 Executable (generic) (10523/12/4)
2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter ULTRAFRAUD
Tags:exe Stealc

Intelligence

File Origin
# of uploads :
1
# of downloads :
340
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Office_Setup_v2.65.exe
Verdict:
Malicious activity
Analysis date:
2023-05-29 18:51:04 UTC
Tags:
installer stealc trojan stealer loader
Link:
https://app.any.run/tasks/ee010ff5-ebab-4fb1-ab21-30fdf7d25e8d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Searching for the window
Creating a file
Moving a recently created file
Moving a file to the %temp% subdirectory
Creating a process with a hidden window
Launching a process
Sending an HTTP GET request
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Running batch commands
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/88562/overview
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
installer lolbin overlay packed setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/6474f3dc4f6e9af56fc3e2c3/reports/88fcb3d7-4358-472c-83b4-b3f19c8ab412/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/ad1631eef269b7dd54df995000b702d36e5e278ba0277be7252e294f7517b662
Result
Verdict:
MALICIOUS
Result
Threat name:
Stealc, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1244637
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Encrypted powershell cmdline option found
Found evasive API chain (may stop execution after checking locale)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Obfuscated command line found
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 877643 Sample: Office_Setup_v2.65.exe Startdate: 29/05/2023 Architecture: WINDOWS Score: 100 52 Snort IDS alert for network traffic 2->52 54 Yara detected Stealc 2->54 56 Yara detected Vidar stealer 2->56 58 2 other signatures 2->58 10 Office_Setup_v2.65.exe 2 2->10         started        process3 file4 38 C:\Users\user\...\Office_Setup_v2.65.tmp, PE32 10->38 dropped 74 Obfuscated command line found 10->74 14 Office_Setup_v2.65.tmp 5 19 10->14         started        signatures5 process6 dnsIp7 50 192.168.2.1 unknown unknown 14->50 40 C:\Users\user\...\mkl_avx512.1.dll (copy), PE32+ 14->40 dropped 42 C:\Users\user\AppData\Local\...\is-PCRA4.tmp, PE32+ 14->42 dropped 44 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 14->44 dropped 46 4 other files (3 malicious) 14->46 dropped 18 Dcmhpa.exe 4 14->18         started        file8 process9 file10 36 C:\Users\user\AppData\...\Dcmhpa.exe.log, ASCII 18->36 dropped 60 Encrypted powershell cmdline option found 18->60 62 Found evasive API chain (may stop execution after checking locale) 18->62 64 Injects a PE file into a foreign processes 18->64 66 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 18->66 22 Dcmhpa.exe 16 18->22         started        26 powershell.exe 16 18->26         started        signatures11 process12 dnsIp13 48 179.43.162.125, 49703, 80 PLI-ASCH Panama 22->48 68 Tries to steal Mail credentials (via file / registry access) 22->68 70 Tries to harvest and steal browser information (history, passwords, etc) 22->70 72 Tries to steal Crypto Currency Wallets 22->72 28 cmd.exe 1 22->28         started        30 conhost.exe 26->30         started        signatures14 process15 process16 32 conhost.exe 28->32         started        34 timeout.exe 1 28->34         started       
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vuldd3xsng352vg7tfiabnyc2nxf4j4luatxxzzffyuu65ixwzra._file
Verdict:
malicious
Similar samples:
0cff8404e73906f3a4932e145bf57fae7a0e66a7d7952416161a5d9bb9752fd8
Stealc
23f0440bae78c2d40ebdf75a4127857fd531ea167e7525271330e966e24fa13a
Stealc
2841d614844219e1c2e937b51d5cd94f816f6b1985bf7372f0ee41c5bcb176b5
Stealc
86c349ad1aecf41f402adad10ff1c7a8e34b2f9f733db02bfd88bb1abac8128a
Stealc
886c3d89d68ecf8d0d4b7ba45ea28f0474ece21a234c54b7aa4350342688c35d
Stealc
8d00abb9dc2e8161d63530424d10b66ad851ce075be2db66aa7e25cf1883c15f
Stealc
d060ee3029a154a6fba6ed666ee5fafb2c8ee019dcfde0819f8aa24392b6e944
Stealc
d182fa757e7b1a39ae31bb165ff358931a5454115363bd636faeeb41e2aee3c1
Stealc
d9b498faf01b9eb598761915a6fc2fb4f1ab2317d354348baca6794730fd15d3
Stealc
+ 1'244 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/230529-xgxeqade3v/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ad1631eef269/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ad1631eef269b7dd54df995000b702d36e5e278ba0277be7252e294f7517b662

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments