MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b020c34a3b2b4bc4fbfa0ac4d3ca97283e2fdce71f737e1103bd638ed8f6647a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b020c34a3b2b4bc4fbfa0ac4d3ca97283e2fdce71f737e1103bd638ed8f6647a
SHA3-384 hash: 283a838c10f3693bf9aa0576bd4886a2f23e4d98cecccace44090b3aad14e74914d4e8c76e2c9fcca3c61bf35f724ebc
SHA1 hash: 6bd5ad845b130d2e4ae6b8acc08d9d782cf1276a
MD5 hash: 763c3550f4e0a97baa4ebd6fc8c61996
humanhash: massachusetts-jersey-cold-india
File name:763c3550f4e0a97baa4ebd6fc8c61996
Download: download sample
Signature Stealc
Create hunting rule
File size:368'128 bytes
First seen:2023-03-22 10:15:41 UTC
Last seen:2023-03-22 12:51:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c3df3d0d993bdeac73a0f5fd62093e4d (6 x Gozi, 3 x Stealc, 3 x LaplasClipper)
ssdeep 3072:a9pgleMk/6KojuaEN9MEJApzAJ6EhzgLBSpVF8YdyTc5x/cMlFSvgwn0JV:iZ6VSyaJ6EBgLAVFe4f/ckSv
Threatray 116 similar samples on MalwareBazaar
TLSH T1C0746DC253E06C60E5124732BE2FCBF82A2EBC619E557B6E23596E3F09701A3D153719
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0105090111140305 (1 x Stealc)
Reporter zbetcheckin
Tags:32 exe Stealc

Intelligence

File Origin
# of uploads :
2
# of downloads :
231
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
763c3550f4e0a97baa4ebd6fc8c61996
Verdict:
Malicious activity
Analysis date:
2023-03-22 10:18:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f9798afd-570c-4f5f-a73e-2e0742fe331a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/376422/
Detection(s):
Sanesecurity.Malware.29059.BadIN.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Creating a window
Running batch commands
Creating a process with a hidden window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
azorult greyware lockbit mikey packed
Link:
https://www.filescan.io/uploads/641ad5643b01ade53e705166/reports/ef8d643d-c1a2-41b7-9f3a-c00e4080879c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b020c34a3b2b4bc4fbfa0ac4d3ca97283e2fdce71f737e1103bd638ed8f6647a
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c6a3e4d2-b88c-49c3-aa1d-4d431f27452b
Result
Threat name:
Stealc, Vidar
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1199229
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking locale)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b020c34a3b2b4bc4fbfa0ac4d3ca97283e2fdce71f737e1103bd638ed8f6647a/
Threat name:
Win32.Trojan.Smokeloadder
Create hunting rule
Status:
Malicious
First seen:
2023-03-22 10:16:08 UTC
File Type:
PE (Exe)
Extracted files:
44
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=waqmgsr3fnf4j672blcnhsuxfa7c7xhhd5zx4eidxvry5whwmr5a._file
Verdict:
malicious
Similar samples:
07a3bc87d6480a495505c6efe903bb1009c39f79fe7229631e1f1bd65c6ceebe
Stealc
0cfc62e9e3fb70c9319f2b5785dba4a7632b137daf8e0268a557ba9f70e403b3
Stealc
34bb4acf55ee9866edad0f31075c09276dbb303b004b63a1ce00b3504e7c9bc3
Stealc
6d9df22ed6d7844b938c9b2c3f413e2c7e3306a047dc807fdca6d0edbc2d2528
Stealc
8384eb97c0fd7d916cdb454b2212794a8eafa37fe6c7165644d02e8d9bfe5237
Stealc
979afbc8137f3cb684125b0f15be3c34d8539425366c3a067b98a97e181eb142
Stealc
be17c8aac5b1f95da13702092d5d3c37c98f12d0ff7704f163f43a2ab890bcc6
Stealc
ea3c4e9cc6e8b8b5fb61c4ef5afaa0575a895b1ca9377e22e1236057494923e3
Stealc
efd930a05e3497d82dec3bf394060900c09945105250b2207326f396bc921ea9
Stealc
+ 106 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/230322-mas4lsgc29/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Unpacked files
SH256 hash:
a5109e8b5c44385fe336d3478df6ee1e689092e9177b6cc0f61c731161085065
MD5 hash:
36c70a349a039e41bdff1ed167d62259
SHA1 hash:
f8f6fe2472e02a031806e9740b572961f98109f3
Detections:
stealc
Create hunting rule
Link:
https://www.unpac.me/results/39788a3a-db24-437b-9b29-f11e08521261/
Parent samples :
07a3bc87d6480a495505c6efe903bb1009c39f79fe7229631e1f1bd65c6ceebe
b020c34a3b2b4bc4fbfa0ac4d3ca97283e2fdce71f737e1103bd638ed8f6647a
4decda3f59361e62bca26d6c7406c5e8217fd25249fb03843ec78ba0c09416c8
92f0f57250f76ec5486dc7ef617f0145e4de09a1d5d95a4fe42cb5393678b7bd
SH256 hash:
b020c34a3b2b4bc4fbfa0ac4d3ca97283e2fdce71f737e1103bd638ed8f6647a
MD5 hash:
763c3550f4e0a97baa4ebd6fc8c61996
SHA1 hash:
6bd5ad845b130d2e4ae6b8acc08d9d782cf1276a
Link:
https://www.unpac.me/results/39788a3a-db24-437b-9b29-f11e08521261/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe b020c34a3b2b4bc4fbfa0ac4d3ca97283e2fdce71f737e1103bd638ed8f6647a

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2580840/
  
URLhaus
https://urlhaus.abuse.ch/url/2580842/
Cape
Cape
https://www.capesandbox.com/analysis/376422/

Comments


Avatar
zbet commented on 2023-03-22 10:15:47 UTC

url : hxxp://jerrysmith.top/notepadp.exe