MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b7283eee6896c605fbaf0c06c8c39d0d7bb43df0fcec72e7d63873732cfd4f8e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Stealc


Vendor detections: 13

SHA256 hash: b7283eee6896c605fbaf0c06c8c39d0d7bb43df0fcec72e7d63873732cfd4f8e
SHA3-384 hash: 5d22f1d028fcd9457fb9260e2303488045ce039deadefb576cd44780d8d689a1d0862b54eb2ebaaa6db345f3538ade8b
SHA1 hash: 769f39012e471d0792724df8115845b0a0de5b52
MD5 hash: cd22a257cec25714a677d7de762b0b22
humanhash: king-sierra-may-zebra
File name: file
Signature: Stealc
File size: 1'521'000 bytes
First seen: 2023-12-09 18:48:58 UTC
Last seen: 2023-12-09 23:43:06 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep: 24576:S5hGLwpPxh8Z+x68WhOFbRSWSLajZRYE7AV4sFw73wpGvp8KagGJapmxgaode67x:SvhPx7QWMaVRyV4sKDwpkdtGJapEgN9x
TLSH: T11765F1AFB5C47B0DB0691D303C691E5AF4D15B85132903B2E99E442EE698BCCC635BCE
TrID:
27.3% (.SCR) Windows screen saver (13097/50/3)
22.0% (.EXE) Win64 Executable (generic) (10523/12/4)
13.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.4% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: andretavare5
Tags: exe signed Stealc

Code Signing Certificate

Organisation: Gofile Inc
Issuer: Gofile Inc
Algorithm: sha256WithRSAEncryption
Valid from: 2023-12-09T18:35:43Z
Valid to: 2024-12-09T18:35:43Z
Serial number: 299971c66eb3e610cff3988e7a6b254c
Thumbprint algorithm: SHA256
Thumbprint: ddef8a6a5703dfd2213ab30b6e30a8179d5647fc879c160a4f2bb6fda740bd0d
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

andretavare5
Sample downloaded from http://15.204.49.148/files/Installsetup2.exe

Intelligence


File Origin
# of uploads: 10
# of downloads: 348
Origin country: US
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a process from a recently created file
Creating a file in the %temp% directory
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Launching the default Windows debugger (dwwin.exe)
Changing a file
Launching cmd.exe command interpreter
Blocking the User Account Control
Forced shutdown of a system process
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: overlay packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Glupteba, RHADAMANTHYS
Detection: malicious
Classification: rans.troj.expl.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables UAC (registry)
Drops script or batch files to the startup folder
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Modifies Windows Defender protection settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph (ID 1356991, sample file.exe, start date 09/12/2023, architecture WINDOWS, score 100): interactive graph not reproduced.
Threat name: Win32.Trojan.Privateloader
Status: Malicious
First seen: 2023-12-09 18:49:05 UTC
File Type: PE (.Net Exe)
Extracted files: 9
AV detection: 14 of 23 (60.87%)
Threat level: 5/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:glupteba family:rhadamanthys family:stealc discovery dropper evasion loader persistence rootkit spyware stealer trojan upx
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Manipulates WinMon driver.
Manipulates WinMonFS driver.
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
Windows security modification
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Modifies boot configuration data using bcdedit
Glupteba
Glupteba payload
Modifies Windows Defender Real-time Protection settings
Rhadamanthys
Stealc
Suspicious use of NtCreateUserProcessOtherParentProcess
UAC bypass
Windows security bypass
Malware Config
C2 Extraction: http://77.91.76.36
Unpacked files
SHA256 hash: b7283eee6896c605fbaf0c06c8c39d0d7bb43df0fcec72e7d63873732cfd4f8e
MD5 hash: cd22a257cec25714a677d7de762b0b22
SHA1 hash: 769f39012e471d0792724df8115845b0a0de5b52
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: pe_imphash
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments