MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6904d59e10e8349493b64fad899e70b694c60af552fcc8f70a7f090d7b3559b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b6904d59e10e8349493b64fad899e70b694c60af552fcc8f70a7f090d7b3559b
SHA3-384 hash: de9d8c9e7c76af8a8aaf138a01d37220b9dbc8923e1834bd6589cc1b9974061abe41dd48fd8e9cdc8b83c9a6e20f7b14
SHA1 hash: f4beac8138432483f4c82cf396e2468ea219c936
MD5 hash: 1e9314537d32215aac9b9e508cad802a
humanhash: blossom-failed-stairway-butter
File name:file
Download: download sample
Signature Stealc
Create hunting rule
File size:1'808'384 bytes
First seen:2024-12-03 21:05:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:Zm1J95zSL4AKmB3NR9mPk4NH0mDozXWq9:MJWRTR9mxRiXWq
TLSH T1A38533726C167D77C580E073C0F686CD3B62B82FC8790DF13A9B0A95954FB863489B99
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter Bitsight
Tags:exe Stealc


Avatar
Bitsight
url: http://185.215.113.16/steam/random.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
428
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-12-03 21:06:42 UTC
Tags:
stealer stealc
Link:
https://app.any.run/tasks/7a317a62-ba61-47c9-96ad-e2abdaf11fd3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.25301.12843.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=674f7468bc8c6beb307572b9
Tags:
virus small
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Searching for analyzing tools
Running batch commands
Creating a process with a hidden window
Launching a process
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/674f72857bae4cb4820016d1/reports/8a88839e-f945-4223-a9bd-2888e0926468/overview
Verdict:
Malicious
Labled as:
Symmi.Generic
Link:
https://www.hybrid-analysis.com/sample/b6904d59e10e8349493b64fad899e70b694c60af552fcc8f70a7f090d7b3559b
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/940709b2-fbe2-4a3f-8208-1154d4df0eba
Result
Threat name:
Amadey, Credential Flusher, LummaC Steal
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1567824
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Drops PE files to the document folder of the user
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
PE file contains section with special chars
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected LummaC Stealer
Yara detected Nymaim
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1567824 Sample: file.exe Startdate: 03/12/2024 Architecture: WINDOWS Score: 100 91 dare-curbys.biz 2->91 93 youtube.com 2->93 95 12 other IPs or domains 2->95 125 Suricata IDS alerts for network traffic 2->125 127 Found malware configuration 2->127 129 Malicious sample detected (through community Yara rule) 2->129 131 17 other signatures 2->131 9 skotes.exe 4 32 2->9         started        14 file.exe 36 2->14         started        16 4ce771dacd.exe 2->16         started        18 3 other processes 2->18 signatures3 process4 dnsIp5 109 185.215.113.43, 49774, 49780, 80 WHOLESALECONNECTIONSNL Portugal 9->109 111 31.41.244.11, 49786, 80 AEROEXPRESS-ASRU Russian Federation 9->111 75 C:\Users\user\AppData\...\9ee672f485.exe, PE32 9->75 dropped 77 C:\Users\user\AppData\...\b6b2cc7351.exe, PE32 9->77 dropped 79 C:\Users\user\AppData\...\c0f0a05fb1.exe, PE32 9->79 dropped 87 8 other malicious files 9->87 dropped 171 Creates multiple autostart registry keys 9->171 173 Hides threads from debuggers 9->173 175 Tries to detect sandboxes / dynamic malware analysis system (registry check) 9->175 20 9ee672f485.exe 9->20         started        23 rhnew.exe 9->23         started        26 ff20f29f4c.exe 13 9->26         started        35 3 other processes 9->35 113 185.215.113.16, 49760, 80 WHOLESALECONNECTIONSNL Portugal 14->113 115 185.215.113.206, 49730, 49750, 49761 WHOLESALECONNECTIONSNL Portugal 14->115 117 127.0.0.1 unknown unknown 14->117 81 C:\Users\user\Documents\KKECBFCGIE.exe, PE32 14->81 dropped 83 C:\Users\user\AppData\...\softokn3[1].dll, PE32 14->83 dropped 85 C:\Users\user\AppData\Local\...\random[1].exe, PE32 14->85 dropped 89 12 other files (8 malicious) 14->89 dropped 177 Detected unpacking (changes PE section rights) 14->177 179 Attempt to bypass Chrome Application-Bound Encryption 14->179 181 Drops PE files to the document folder of the user 14->181 193 5 other signatures 14->193 28 cmd.exe 1 14->28         started        30 chrome.exe 14->30         started        183 Found many strings related to Crypto-Wallets (likely being stolen) 16->183 185 Tries to harvest and steal browser information (history, passwords, etc) 16->185 187 Tries to steal Crypto Currency Wallets 16->187 189 Binary is likely a compiled AutoIt script file 18->189 191 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 18->191 32 firefox.exe 18->32         started        file6 signatures7 process8 dnsIp9 133 Multi AV Scanner detection for dropped file 20->133 135 Detected unpacking (changes PE section rights) 20->135 137 Tries to detect sandboxes and other dynamic analysis tools (window names) 20->137 153 3 other signatures 20->153 97 dare-curbys.biz 104.21.43.156 CLOUDFLARENETUS United States 23->97 139 Antivirus detection for dropped file 23->139 141 Machine Learning detection for dropped file 23->141 143 Tries to evade debugger and weak emulator (self modifying code) 23->143 99 92.63.197.221 NOVOGARA-ASNL Russian Federation 26->99 145 Hides threads from debuggers 26->145 147 Tries to detect sandboxes / dynamic malware analysis system (registry check) 26->147 149 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 26->149 37 KKECBFCGIE.exe 4 28->37         started        41 conhost.exe 28->41         started        101 192.168.2.4, 443, 49723, 49724 unknown unknown 30->101 103 239.255.255.250 unknown Reserved 30->103 43 chrome.exe 30->43         started        105 prod.classify-client.prod.webservices.mozgcp.net 35.190.72.216 GOOGLEUS United States 32->105 71 C:\Users\user\AppData\...\places.sqlite-wal, SQLite 32->71 dropped 46 firefox.exe 32->46         started        48 firefox.exe 32->48         started        107 atten-supporse.biz 172.67.165.166 CLOUDFLARENETUS United States 35->107 151 Binary is likely a compiled AutoIt script file 35->151 50 taskkill.exe 35->50         started        52 taskkill.exe 35->52         started        54 taskkill.exe 35->54         started        56 3 other processes 35->56 file10 signatures11 process12 dnsIp13 73 C:\Users\user\AppData\Local\...\skotes.exe, PE32 37->73 dropped 155 Detected unpacking (changes PE section rights) 37->155 157 Tries to evade debugger and weak emulator (self modifying code) 37->157 159 Tries to detect virtualization through RDTSC time measurements 37->159 161 3 other signatures 37->161 58 skotes.exe 37->58         started        119 plus.l.google.com 172.217.17.78, 443, 49755 GOOGLEUS United States 43->119 121 www3.l.google.com 172.217.19.206, 443, 49753 GOOGLEUS United States 43->121 123 3 other IPs or domains 43->123 61 conhost.exe 50->61         started        63 conhost.exe 52->63         started        65 conhost.exe 54->65         started        67 conhost.exe 56->67         started        69 conhost.exe 56->69         started        file14 signatures15 process16 signatures17 163 Antivirus detection for dropped file 58->163 165 Detected unpacking (changes PE section rights) 58->165 167 Machine Learning detection for dropped file 58->167 169 4 other signatures 58->169
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b6904d59e10e8349493b64fad899e70b694c60af552fcc8f70a7f090d7b3559b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b6904d59e10e8349493b64fad899e70b694c60af552fcc8f70a7f090d7b3559b/
Threat name:
Win32.Spyware.Lummastealer
Create hunting rule
Status:
Malicious
First seen:
2024-12-03 21:06:06 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 24 (83.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w2ie2wpbb2bussj3mt5nrgphbnuuyyfpkux4zd3qu7yjbv5tkwnq._file
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:stealc botnet:drum discovery evasion stealer
Link:
https://tria.ge/reports/241203-zw7kcazkgl/
Behaviour
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Stealc
Stealc family
Malware Config
C2 Extraction:
http://185.215.113.206
Verdict:
Suspicious
Tags:
Stealer Stealc
YARA:
n/a
Link:
https://app.threat.zone/submission/ddead8fc-b6c9-4954-be7a-a5bc550d6124
Unpacked files
SH256 hash:
7a8eb24fdb09ff058f83d936dce3303c1d81d8f7040d54e8e34f1b48131921b6
MD5 hash:
55af9006d0fb85dbe6289bf60aed8f94
SHA1 hash:
f24984a417985fcb1f4e951aed76c203346a71c1
Detections:
win_stealc_w0
Create hunting rule
win_stealc_a0
Create hunting rule
Link:
https://www.unpac.me/results/d6c441f5-d2bb-415c-b45a-34095a11edf3/
SH256 hash:
b6904d59e10e8349493b64fad899e70b694c60af552fcc8f70a7f090d7b3559b
MD5 hash:
1e9314537d32215aac9b9e508cad802a
SHA1 hash:
f4beac8138432483f4c82cf396e2468ea219c936
Link:
https://www.unpac.me/results/d6c441f5-d2bb-415c-b45a-34095a11edf3/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b6904d59e10e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b6904d59e10e8349493b64fad899e70b694c60af552fcc8f70a7f090d7b3559b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe b6904d59e10e8349493b64fad899e70b694c60af552fcc8f70a7f090d7b3559b

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3079150/
  
URLhaus
https://urlhaus.abuse.ch/url/3279845/
  
URLhaus
https://urlhaus.abuse.ch/url/3284801/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments