MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b3c7f502503d3102ecfa6f2145573ab851947dd3f2bdfd42fefab38947837dcd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b3c7f502503d3102ecfa6f2145573ab851947dd3f2bdfd42fefab38947837dcd
SHA3-384 hash: be78475f6125a6f64a1fc4086c0a259c8dbbc1df559b666a9ebb6b3c27c86eb064f21d07bb246be8a63bc70a94f1adc6
SHA1 hash: aac5f1d27ae395ffa041be5fcde218259a3d7588
MD5 hash: c75984f447ad4549ea21ead79445613f
humanhash: texas-six-nine-florida
File name:c75984f447ad4549ea21ead79445613f.exe
Download: download sample
Signature Stealc
Create hunting rule
File size:291'328 bytes
First seen:2023-10-26 00:01:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 72431b3d5f73f874ee133ab82d8797d8 (1 x Stealc)
ssdeep 3072:mVXH8c4u6anKy/LUjesYjKcx82nuJwN75aDRFtz5QoOb0R:uH8c4zaKy/LceLWcx8tO21P
Threatray 23 similar samples on MalwareBazaar
TLSH T1D8548E839AF1BC95D9264A728E2EE6F8371DF5608F197766221ADB1F04F1072C273B11
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 00004c48234c4c01 (1 x Stealc)
Reporter abuse_ch
Tags:exe Stealc


Avatar
abuse_ch
Stealc C2:
http://howardwood.top/e9c345fc99a4e67e.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
329
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
c75984f447ad4549ea21ead79445613f.exe
Verdict:
Malicious activity
Analysis date:
2023-10-26 00:03:51 UTC
Tags:
loader smoke
Link:
https://app.any.run/tasks/d3e01b14-3d38-446b-93be-082b88d0a4ec

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/456399/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Sending a custom TCP request
Unauthorized injection to a system process
Enabling autorun by creating a file
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6539ac7b4ebf05ac3f3999f5/reports/37bb7531-c52c-46e1-8fac-fa4a448cb161/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/b3c7f502503d3102ecfa6f2145573ab851947dd3f2bdfd42fefab38947837dcd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f755973e-b76d-4476-a148-d40939b4428b
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1332315
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1332315 Sample: E55Da1lQH1.exe Startdate: 26/10/2023 Architecture: WINDOWS Score: 100 21 dpav.cc 2->21 27 Multi AV Scanner detection for domain / URL 2->27 29 Found malware configuration 2->29 31 Malicious sample detected (through community Yara rule) 2->31 33 6 other signatures 2->33 7 E55Da1lQH1.exe 2->7         started        10 ecbhsvj 2->10         started        signatures3 process4 signatures5 35 Detected unpacking (changes PE section rights) 7->35 37 Found evasive API chain (may stop execution after checking system information) 7->37 39 Found API chain indicative of debugger detection 7->39 49 4 other signatures 7->49 12 explorer.exe 36 3 7->12 injected 41 Antivirus detection for dropped file 10->41 43 Multi AV Scanner detection for dropped file 10->43 45 Machine Learning detection for dropped file 10->45 47 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 10->47 process6 dnsIp7 23 dpav.cc 180.94.156.61, 49716, 49717, 49718 CTM-MOCompanhiadeTelecomunicacoesdeMacauSARLMO Macau 12->23 25 179.25.199.183, 49758, 49759, 49760 AdministracionNacionaldeTelecomunicacionesUY Uruguay 12->25 17 C:\Users\user\AppData\Roaming\ecbhsvj, PE32 12->17 dropped 19 C:\Users\user\...\ecbhsvj:Zone.Identifier, ASCII 12->19 dropped 51 System process connects to network (likely due to code injection or exploit) 12->51 53 Benign windows process drops PE files 12->53 55 Deletes itself after installation 12->55 57 Hides that the sample has been downloaded from the Internet (zone.identifier) 12->57 file8 signatures9
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b3c7f502503d3102ecfa6f2145573ab851947dd3f2bdfd42fefab38947837dcd
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b3c7f502503d3102ecfa6f2145573ab851947dd3f2bdfd42fefab38947837dcd/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-10-26 00:02:06 UTC
File Type:
PE (Exe)
Extracted files:
49
AV detection:
21 of 23 (91.30%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wpd7kasqhuyqf3h2n4qukvz2xbizi7ot6k672qx67kzysr4dpxgq._file
Verdict:
malicious
Similar samples:
27c5bd50c47c47f3c4b0ccd545a51dc2e79e9ec4db7ee28964a8308cee669ff4
Stealc
2aa1983e8bebb5c132a6c844c690b9c2fce8c6a3a3022983984c96192e541f81
Stealc
983f2e6c6459bc7ff4090afd1ccdb88b1784ba22dbe54e22b6f648945bfd23ca
Stealc
a726ad80960cf547e9154a39a704a48b98079786d896c5544044a7c3044d5a18
Stealc
a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115
Stealc
bc2023ef1d7cc334746fc04ff08735c5c25e5c15f0a5f674b1f8682032c5570b
Stealc
e98198a357c06231c969ff6cc140143144a8ed924d708ab6e6b9bc17f6b76146
Stealc
f5ab502850f557c78d1ad09eb855a47ff25ce8aa00e8d67b4144a88228ebca3c
Stealc
fbc1570fbd324836f10a5465dbb45516ef9941422489506cb631ea5a989e7b0b
Stealc
+ 13 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader botnet:pub1 backdoor trojan
Link:
https://tria.ge/reports/231026-abgezsac8v/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Uses Task Scheduler COM API
Deletes itself
SmokeLoader
Malware Config
C2 Extraction:
http://dpav.cc/tmp/
http://lrproduct.ru/tmp/
http://kggcp.com/tmp/
http://talesofpirates.net/tmp/
http://pirateking.online/tmp/
http://piratia.pw/tmp/
http://go-piratia.ru/tmp/
Unpacked files
SH256 hash:
dfce14ca9fa6c76df25ff3d3ff18ba943031d07a5cae3f0bad422e2b5e7eb559
MD5 hash:
37875cacee117b15e05b3f1c808592ac
SHA1 hash:
6a7882ca410e781262af685cf395bd2458c35a3b
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/983e397d-1e56-4e2b-990a-261db1934507/
Parent samples :
b3c7f502503d3102ecfa6f2145573ab851947dd3f2bdfd42fefab38947837dcd
07850ea1732b07aae1b520bc4e07f939a29ea8f842993a5849965d71aec14cb1
8ce95aee92cffc56420902fa657bc82a44574450ada63eb864d11e404a59a078
73639e5216b7fb5c0550f69d63bcbb3e568fd912f9288216795eb965b1b2b6fe
5b8c310ded14940d6d98ba9d1aa5ac67b3c31f2fe5c43bd27ae99ee8cab115f1
fc447974118abe161835c31fd3b0305a84b9ba374f47a4295b435a85cc756f57
98368ebea0db4a1ef1ef8ae8b9cdc862c8dc5bb00bfb570f83a50794ce6ad816
90575d53104fa810c6896f874e421e905c3687ff1767574842d10cc143237762
e669dd52d97cc96b42efb1661dfeb898b6277a0484d25b8e86b492acf41c8f7d
1729faf82ded430ab520c6ebd82743abb231222a867329f5b15c2d01b7578016
f8619a870e7c7ef001512d9b2d5caf3b40a4855c5c72ec9a8fe7d4ee44a93b3a
1b8943b2ccea3ee9e464b5865711db721bae33ca0364630dfa6f75eb7f2c8a47
SH256 hash:
b3c7f502503d3102ecfa6f2145573ab851947dd3f2bdfd42fefab38947837dcd
MD5 hash:
c75984f447ad4549ea21ead79445613f
SHA1 hash:
aac5f1d27ae395ffa041be5fcde218259a3d7588
Link:
https://www.unpac.me/results/983e397d-1e56-4e2b-990a-261db1934507/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b3c7f502503d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe b3c7f502503d3102ecfa6f2145573ab851947dd3f2bdfd42fefab38947837dcd

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2712462/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2712491/
Cape
Cape
https://www.capesandbox.com/analysis/456399/

Comments