MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b76165845798adbba7f4070b2e4543e8fbfc9a0282273bd791f39619eee19770. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CrealStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b76165845798adbba7f4070b2e4543e8fbfc9a0282273bd791f39619eee19770
SHA3-384 hash: d187f5fa756cf68243cfdd7841c2b443fcdbce69614728398366a3a959b5586469a360cc0d71b713fc154b0bff4bdf34
SHA1 hash: 3a19952dbe209eebf642fb0ad7e2e681b5fe8ea1
MD5 hash: b051bbe6f5678560e4594b4c65cca682
humanhash: video-november-summer-angel
File name:b76165845798adbba7f4070b2e4543e8fbfc9a0282273bd791f39619eee19770
Download: download sample
Signature CrealStealer
Create hunting rule
File size:13'686'532 bytes
First seen:2023-02-14 03:48:13 UTC
Last seen:2023-07-18 03:39:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0b5552dccd9d0a834cea55c0c8fc05be (16 x LunaLogger, 16 x BlankGrabber, 8 x CrealStealer)
ssdeep 393216:TEu7L/xvdqNdQJluIF3MnG3xl56BaW00TLlSpnpK2:TECLpVgdQt3MGx6P01
Threatray 4'394 similar samples on MalwareBazaar
TLSH T14DD6334693260CE5E7265032F476E620F632ACA54BB0D6164364F2A13E77EA0FD3EF54
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 9026d9d4d4641b60 (1 x CrealStealer)
Reporter johnk3r
Tags:BRA CrealStealer exe


Avatar
johnk3r
<--Creal STEALER BEST -->

Intelligence

File Origin
# of uploads :
2
# of downloads :
322
Origin country :
US US
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.HEUR.Trojan-PSW.Python.Agent.gen.8588.26986.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Creating a file
Reading critical registry keys
Creating a file in the %AppData% subdirectories
DNS request
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Launching a tool to kill processes
Gathering data
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/b76165845798adbba7f4070b2e4543e8fbfc9a0282273bd791f39619eee19770
Result
Verdict:
MALICIOUS
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/2beee077-1804-418a-b0b2-69283d58d279
Result
Threat name:
Creal Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1174046
Signature
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Creal Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b76165845798adbba7f4070b2e4543e8fbfc9a0282273bd791f39619eee19770/
Threat name:
Win64.Infostealer.Disco
Create hunting rule
Status:
Malicious
First seen:
2023-02-13 05:34:00 UTC
File Type:
PE+ (Exe)
Extracted files:
1043
AV detection:
14 of 26 (53.85%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w5qwlbcxtcw3xj7ua4fs4rkd5d57zgqcqittxv4r6olbt3xbs5ya._file
Verdict:
unknown
Similar samples:
1e6112420d4e9561e458e074dad3ebed54ae6f759d5c3ae9844c8a61ac7f33d3
CrealStealer
22cb2fba2dde578f61c82ed450c88c9060629fa7736bb7e27a584c97473c0883
CrealStealer
3c1b7eed78ed128b6463c8b6eb35e46b78f2a9946d0b2a093e51630919b5054a
CrealStealer
3dccae659859d42322b97ebabd21a0f8848b8da98f4fa4351d2ab78625d41471
CrealStealer
77555fc73bde72d601c995f884b564d9f12e3577221ffece363c0f8786745dff
CrealStealer
8e4ce102a531d540a1f643396d6ddfc0da9acc963ca995bcba9d07909ebb58e0
CrealStealer
92ccd1ed10cc76a418d4585a782a0edb69ad311ff7a8f7b6d51c8daf1f481470
CrealStealer
c072f81e922796d43b29a7f7b59b7c6f3a4ff70a05ea1f5b6523ee1b809fabf3
CrealStealer
c98e35ff05689705117dbb7e36e58f1237f08df30637132d6e2106db1bddff77
CrealStealer
+ 4'384 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
pyinstaller spyware stealer
Link:
https://tria.ge/reports/230214-edca9sae47/
Behaviour
Suspicious use of WriteProcessMemory
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
b76165845798adbba7f4070b2e4543e8fbfc9a0282273bd791f39619eee19770
MD5 hash:
b051bbe6f5678560e4594b4c65cca682
SHA1 hash:
3a19952dbe209eebf642fb0ad7e2e681b5fe8ea1
Link:
https://www.unpac.me/results/728f3029-a431-4afd-a82a-95ae147afeb7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b76165845798adbba7f4070b2e4543e8fbfc9a0282273bd791f39619eee19770

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments