MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b71f9dbd9296b5c598a2f9c5bc45c73baa00dbe19520a5dbe812e8975d7c62f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b71f9dbd9296b5c598a2f9c5bc45c73baa00dbe19520a5dbe812e8975d7c62f3
SHA3-384 hash: 30e3f7dda4b238b369e903d25624664a6b64bcb8a79e33205875488483bab908207c7363d4b1bcb7a81f9e8b9223ae65
SHA1 hash: 8df9e4cac614e8506e7bfea255bf1a4ac3d1c638
MD5 hash: 613ba44c4ff2fb8e3f74f7ad29d18244
humanhash: yankee-alaska-hawaii-double
File name:613ba44c4ff2fb8e3f74f7ad29d18244
Download: download sample
Signature Stealc
Create hunting rule
File size:3'942'736 bytes
First seen:2023-08-07 01:41:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3293ddb1c3687762145ebb6ae84c84f6 (1 x Stealc)
ssdeep 49152:YvnQHJMAYe3gWX6OpfHjyLQq0hnK18BS1ZTPF:gQpMbe3LXTpfHs10hKy4Z
Threatray 147 similar samples on MalwareBazaar
TLSH T15B067E20D6CA92D0CF692DB29E5BB4BA46046D60CC32CD4BEC1E7D513537834687EB6E
TrID 43.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
22.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
9.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 316d4d4d5d554569 (4 x AgentTesla, 4 x Stealc, 3 x RemcosRAT)
Reporter zbetcheckin
Tags:32 exe Stealc

Intelligence

File Origin
# of uploads :
1
# of downloads :
347
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
101416cedaf94b696ca97774b069c645.exe
Verdict:
Malicious activity
Analysis date:
2023-08-06 23:22:24 UTC
Tags:
amadey trojan loader stealc stealer
Link:
https://app.any.run/tasks/f28789ee-f720-4713-be60-1fc7923f3678

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/440939/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for the window
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Launching a process
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b71f9dbd9296b5c598a2f9c5bc45c73baa00dbe19520a5dbe812e8975d7c62f3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e3c25851-b6d8-4665-8b00-9f27ce2987d9
Result
Threat name:
Stealc, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1286803
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b71f9dbd9296b5c598a2f9c5bc45c73baa00dbe19520a5dbe812e8975d7c62f3/
Threat name:
Win32.Trojan.Malgent
Create hunting rule
Status:
Malicious
First seen:
2023-08-07 01:42:08 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w4pz3pmss224lgfc7hc3yrohhovabw7bsuqklw7iclujoxl4mlzq._file
Verdict:
malicious
Similar samples:
28d2d3f89f2b35af444964926c1bce39f7ae2d86e3f0864cb6028252b37fca21
Stealc
32fa14add9901eb3a5e94d1fff522323338a0bf665afb0cd019386f1c678b818
Stealc
86d03db5bc38058981a38f02f81530fd8fabb10d2911377ecdee221cc525c63a
Stealc
b63d41c60aa52cae9806a4fe233d9a55b0c2dfdc67f215ab66c660503cc1a5f3
Stealc
c19be545bf9f627cb8a1230df7d754b04aa53979aa52043a18bd3e708faaea09
Stealc
d0e7a341fe199dbabb5f0798dba0564e9b60e4736a405c46eafc7232cc10dc40
Stealc
d87502f99648aac5100598129fd31648afb3dce99bfaf4274dce3997c1bfa6d7
Stealc
e3963384741ca0ea48a1606dd175879458765e8d7f94cf64bc79725ecbd01442
Stealc
fd1af7b25adc2346a8752e41c68aa8e94b5fc2d51b257e12ed81f5a7e7b97c16
Stealc
+ 137 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/230807-b4nv7seb61/
Behaviour
Downloads MZ/PE file
Unpacked files
SH256 hash:
0873b7a5cfae17a6dfebe6afde535a186b08d76b4b8ef56a129459c56f016729
MD5 hash:
88bc775e7bf2bd5290ab834177605a67
SHA1 hash:
60f55884d7359fa199667cbd87d7716c05f6d2a1
Link:
https://www.unpac.me/results/8af38bad-0260-4847-925b-7d3637b6b9e4/
SH256 hash:
b71f9dbd9296b5c598a2f9c5bc45c73baa00dbe19520a5dbe812e8975d7c62f3
MD5 hash:
613ba44c4ff2fb8e3f74f7ad29d18244
SHA1 hash:
8df9e4cac614e8506e7bfea255bf1a4ac3d1c638
Link:
https://www.unpac.me/results/8af38bad-0260-4847-925b-7d3637b6b9e4/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b71f9dbd9296/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/b71f9dbd9296b5c598a2f9c5bc45c73baa00dbe19520a5dbe812e8975d7c62f3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe b71f9dbd9296b5c598a2f9c5bc45c73baa00dbe19520a5dbe812e8975d7c62f3

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2701060/
Cape
Cape
https://www.capesandbox.com/analysis/440939/

Comments


Avatar
zbet commented on 2023-08-07 01:41:30 UTC

url : hxxp://212.113.106.72/oe6cc80c760cf8ed83e7c1500cf771a69.exe