MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b15800d9e86b483c3c2473e20255c247c4879c5d9305590b2eb779871bb136fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b15800d9e86b483c3c2473e20255c247c4879c5d9305590b2eb779871bb136fb
SHA3-384 hash: ec94dc51dd00de66390b76c58d8dabfde970054d30ae10df81b59453807ac086f1b2bab3877277f1391e6b4988706d91
SHA1 hash: 176854b69dfab7ec3520e25f90dbc516ff7672d4
MD5 hash: 08335bdd48a24722cad27405aa41b915
humanhash: sink-hawaii-fish-ack
File name:08335bdd48a24722cad27405aa41b915.exe
Download: download sample
Signature Stealc
Create hunting rule
File size:2'608'128 bytes
First seen:2023-12-28 07:00:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:GDKeuUS/fe2a2AN8jrqXgOWqaSyJYhZcn3uOoaX6uKP5P0z4YxAwuLNKRUqHyuHg:QK5UUeOk8jrqXLyW3yuIQKhSwuRWSaHH
Threatray 204 similar samples on MalwareBazaar
TLSH T1C2C53353F7E60161DDB4233058EA07C31E35BD83DD74A30B7B92A2CE49B39A56471B2A
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe Stealc


Avatar
abuse_ch
Stealc C2:
195.20.16.103:20440

Intelligence

File Origin
# of uploads :
1
# of downloads :
377
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/469496/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

Win.Packed.Stealerc-10017072-0
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Launching a process
Сreating synchronization primitives
Searching for the browser window
DNS request
Sending a custom TCP request
Reading critical registry keys
Blocking the Windows Defender launch
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
89%
Tags:
advpack anti-vm CAB control explorer installer lolbin packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/658d1d2f314dbc3b9b5a66c2/reports/bcf55c78-324c-45b6-bbdd-a8f2e2b2661c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/b15800d9e86b483c3c2473e20255c247c4879c5d9305590b2eb779871bb136fb
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0799c7ea-3c56-418e-ad31-862f36d10554
Result
Threat name:
RisePro Stealer, SmokeLoader, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1367586
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Contains functionality to modify clipboard data
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found API chain indicative of sandbox detection
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
PE file has nameless sections
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected RisePro Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1367586 Sample: DC4M6bXlbl.exe Startdate: 28/12/2023 Architecture: WINDOWS Score: 100 146 rr5.sn-q4fzen7l.googlevideo.com 2->146 148 rr5---sn-q4fzen7l.googlevideo.com 2->148 150 ipinfo.io 2->150 182 Snort IDS alert for network traffic 2->182 184 Antivirus detection for URL or domain 2->184 186 Antivirus detection for dropped file 2->186 188 12 other signatures 2->188 12 DC4M6bXlbl.exe 1 4 2->12         started        15 FANBooster131.exe 2->15         started        18 OfficeTrackerNMP131.exe 2->18         started        20 6 other processes 2->20 signatures3 process4 file5 134 2 other malicious files 12->134 dropped 22 Ue3JF47.exe 1 4 12->22         started        120 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 15->120 dropped 122 C:\...\hKIvcFAvWQRufmNShp6H0NXpCKyenvPQ.zip, Zip 15->122 dropped 208 Antivirus detection for dropped file 15->208 210 Multi AV Scanner detection for dropped file 15->210 212 Detected unpacking (changes PE section rights) 15->212 226 3 other signatures 15->226 26 WerFault.exe 15->26         started        124 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 18->124 dropped 126 C:\...\JTGpIAc4vdfqbNqR10EBhxQBPjKic0V4.zip, Zip 18->126 dropped 214 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 18->214 216 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 18->216 218 Machine Learning detection for dropped file 18->218 28 powershell.exe 18->28         started        30 powershell.exe 18->30         started        32 powershell.exe 18->32         started        38 10 other processes 18->38 128 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 20->128 dropped 130 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 20->130 dropped 132 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 20->132 dropped 136 3 other malicious files 20->136 dropped 220 Tries to steal Mail credentials (via file / registry access) 20->220 222 Modifies Windows Defender protection settings 20->222 224 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 20->224 34 powershell.exe 20->34         started        36 powershell.exe 20->36         started        40 12 other processes 20->40 signatures6 process7 file8 112 C:\Users\user\AppData\Local\...\fv8zB07.exe, PE32 22->112 dropped 114 C:\Users\user\AppData\Local\...\6bq3xf1.exe, PE32 22->114 dropped 194 Antivirus detection for dropped file 22->194 196 Multi AV Scanner detection for dropped file 22->196 198 Machine Learning detection for dropped file 22->198 42 fv8zB07.exe 1 4 22->42         started        46 conhost.exe 28->46         started        48 conhost.exe 30->48         started        50 conhost.exe 32->50         started        52 conhost.exe 34->52         started        54 conhost.exe 36->54         started        58 9 other processes 38->58 56 conhost.exe 40->56         started        60 9 other processes 40->60 signatures9 process10 file11 116 C:\Users\user\AppData\Local\...\5tt6EV0.exe, PE32 42->116 dropped 118 C:\Users\user\AppData\Local\...\2Dd4530.exe, PE32 42->118 dropped 200 Antivirus detection for dropped file 42->200 202 Multi AV Scanner detection for dropped file 42->202 204 Binary is likely a compiled AutoIt script file 42->204 206 Machine Learning detection for dropped file 42->206 62 5tt6EV0.exe 21 40 42->62         started        67 2Dd4530.exe 12 42->67         started        signatures12 process13 dnsIp14 162 193.233.132.62 FREE-NET-ASFREEnetEU Russian Federation 62->162 164 ipinfo.io 34.117.186.192 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 62->164 138 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 62->138 dropped 140 C:\Users\user\AppData\...\FANBooster131.exe, PE32 62->140 dropped 142 C:\Users\user\AppData\...\MaxLoonaFest131.exe, PE32 62->142 dropped 144 2 other malicious files 62->144 dropped 166 Antivirus detection for dropped file 62->166 168 Multi AV Scanner detection for dropped file 62->168 170 Detected unpacking (changes PE section rights) 62->170 180 9 other signatures 62->180 69 cmd.exe 62->69         started        72 powershell.exe 62->72         started        74 cmd.exe 62->74         started        83 12 other processes 62->83 172 Binary is likely a compiled AutoIt script file 67->172 174 Machine Learning detection for dropped file 67->174 176 Found API chain indicative of sandbox detection 67->176 178 Contains functionality to modify clipboard data 67->178 76 chrome.exe 1 67->76         started        79 chrome.exe 67->79         started        81 chrome.exe 67->81         started        file15 signatures16 process17 dnsIp18 190 Uses schtasks.exe or at.exe to add and modify task schedules 69->190 98 2 other processes 69->98 192 Found many strings related to Crypto-Wallets (likely being stolen) 72->192 85 conhost.exe 72->85         started        100 2 other processes 74->100 158 192.168.2.4 unknown unknown 76->158 160 239.255.255.250 unknown Reserved 76->160 87 chrome.exe 76->87         started        89 chrome.exe 76->89         started        92 chrome.exe 76->92         started        94 chrome.exe 79->94         started        96 chrome.exe 81->96         started        102 11 other processes 83->102 signatures19 process20 dnsIp21 104 WerFault.exe 87->104         started        106 WerFault.exe 87->106         started        108 WerFault.exe 87->108         started        110 3 other processes 87->110 152 142.250.113.113 GOOGLEUS United States 89->152 154 142.250.113.119 GOOGLEUS United States 89->154 156 49 other IPs or domains 89->156 process22
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b15800d9e86b483c3c2473e20255c247c4879c5d9305590b2eb779871bb136fb
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b15800d9e86b483c3c2473e20255c247c4879c5d9305590b2eb779871bb136fb/
Threat name:
Win32.Spyware.Risepro
Create hunting rule
Status:
Malicious
First seen:
2023-12-28 07:01:11 UTC
File Type:
PE (Exe)
Extracted files:
202
AV detection:
16 of 22 (72.73%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wfmabwpinnedypbeopraevoci7ciphc5smcvsczow54yog5rg35q._file
Verdict:
malicious
Similar samples:
1c0008391ca8fa90f4609c97b81dddfa7b0d9587c5a480b836040f4ad796bc11
Stealc
46ac37f4635f315ac0e174392855fa549410746e8826b2d3b066d2352b1d6ca4
Stealc
6f490f3430e51eabccc5ae73df35e0d2193da083f1760b562fa2ed7309a30490
Stealc
7324e9649a54a5f6767cf58fcec138770627780486cbb709f751a684be7a0b1a
Stealc
7faa55e48d960f35296cfd917d2070c21a3967f5f8ace1d761ce888bda5fbc59
Stealc
99753090c0c3e5c80cafb63500cb9bff3d2e1ee0277cb35ceef317955fd4d0db
Stealc
aab601c71cc06d2fb8a80bc4884640bcdcca0bd1787598afd1a82fa4de0200f7
Stealc
e676efee6430e704781265aaa9f98be910d8a0897ad2b4dc2cc93d8461c2851b
Stealc
+ 194 additional samples on MalwareBazaar
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:lumma family:redline family:smokeloader family:stealc botnet:777 botnet:up3 backdoor evasion infostealer persistence stealer trojan
Link:
https://tria.ge/reports/231228-hs7x9safgm/
Behaviour
Creates scheduled task(s)
Runs net.exe
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Program crash
Launches sc.exe
AutoIT Executable
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Modifies Windows Firewall
Detect Lumma Stealer payload V4
Lumma Stealer
RedLine
RedLine payload
SmokeLoader
Stealc
Malware Config
C2 Extraction:
http://185.215.113.68/fks/index.php
http://5.42.66.58
http://host-file-host6.com/
http://host-host-file8.com/
195.20.16.103:20440
Unpacked files
SH256 hash:
8f050e056a2ddd5a68accd4aa289a10a743ca45c6936dd2c71abcd4cedea7bc8
MD5 hash:
3cf93b68e76de749c700599e4128910e
SHA1 hash:
b78ec3f93e0a5c15836e8a9c440bdc9beefc6aa8
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/86e895fc-9268-44ec-9b0c-67b77ea971a8/
SH256 hash:
b15800d9e86b483c3c2473e20255c247c4879c5d9305590b2eb779871bb136fb
MD5 hash:
08335bdd48a24722cad27405aa41b915
SHA1 hash:
176854b69dfab7ec3520e25f90dbc516ff7672d4
Link:
https://www.unpac.me/results/86e895fc-9268-44ec-9b0c-67b77ea971a8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b15800d9e86b483c3c2473e20255c247c4879c5d9305590b2eb779871bb136fb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe b15800d9e86b483c3c2473e20255c247c4879c5d9305590b2eb779871bb136fb

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2744391/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/469496/

Comments