MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bba4cd97ea9a1dbe8b1bb1dc19474a22c4f3427ff8ae695f64e93af58ce16eaa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 14

Intelligence 14 IOCs YARA 13 File information Comments

SHA256 hash:	bba4cd97ea9a1dbe8b1bb1dc19474a22c4f3427ff8ae695f64e93af58ce16eaa
SHA3-384 hash:	448dfac208eb193937b82d01a034a6c981a41d34601eba18efd6b658699e498f16c30b9edc0494063112f16a3a7a6ca0
SHA1 hash:	b387e6d8e8cfceaacd4d9aba6c99f269311143db
MD5 hash:	608d9794c3186086d7df2cb2ab399ed6
humanhash:	music-snake-jig-venus
File name:	bba4cd97ea9a1dbe8b1bb1dc19474a22c4f3427ff8ae695f64e93af58ce16eaa
Download:	download sample
Signature	Stealc Create hunting rule
File size:	1'796'608 bytes
First seen:	2025-01-27 00:23:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep	49152:oPwdxihdE+OuJ9FtL1LuopfCQaGcWKFP8UYboRFd:5AdkAF6oxaGcWKFUVud
TLSH	T12D8533C4B08336DBE9DC65763DF3D59661296E0D31C26BA4A00B1278FB13145FBE98CA
TrID	27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 20.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.6% (.EXE) Win32 Executable (generic) (4504/4/1) 8.5% (.ICL) Windows Icons Library (generic) (2059/9) 8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	BastianHein
Tags:	exe Stealc

Intelligence

File Origin

# of uploads :

# of downloads :

592

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.DownLoader48.1224.12838.29966.UNOFFICIAL

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Searching for analyzing tools

Searching for the window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-vm microsoft_visual_cc packed packed packer_detected

Link:

https://www.filescan.io/uploads/6796d2236f421d2fd6b12e23/reports/7604bb0d-9c6f-470b-b037-790ebaf96f41/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/bba4cd97ea9a1dbe8b1bb1dc19474a22c4f3427ff8ae695f64e93af58ce16eaa

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/febe9295-af3f-4b9f-b537-f7249145ea52

Result

Threat name:

Stealc

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1600023

Signature

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Found evasive API chain (may stop execution after checking locale)

Hides threads from debuggers

Joe Sandbox ML detected suspicious sample

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Yara detected Powershell download and execute

Yara detected Stealc

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/bba4cd97ea9a1dbe8b1bb1dc19474a22c4f3427ff8ae695f64e93af58ce16eaa

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bba4cd97ea9a1dbe8b1bb1dc19474a22c4f3427ff8ae695f64e93af58ce16eaa/

Threat name:

Win32.Trojan.StealC

Status:

Malicious

First seen:

2025-01-05 08:54:17 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

30 of 38 (78.95%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xosm3f7ktio35cy3whobsr2kelcpgqt77cxgsx3e5e5pldhbn2va._file

Verdict:

malicious

Label(s):

stealc

Similar samples:

error

Stealc

Result

Malware family:

stealc

Score:

10/10

Tags:

family:stealc botnet:stok defense_evasion discovery stealer

Link:

https://tria.ge/reports/250127-ap2m3s1lez/

Behaviour

Suspicious behavior: EnumeratesProcesses

System Location Discovery: System Language Discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks BIOS information in registry

Identifies Wine through registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Stealc

Stealc family

Malware Config

C2 Extraction:

http://185.215.113.206

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/9c0e5cc8-0afa-409a-8864-b1cd3d3c1ca1

Unpacked files

SH256 hash:

6d3213a3a2d2e0f9c0e2e22cc982ba52c75a0eeb9201deba2d83b1d190fc2574

MD5 hash:

a83902c3eb2e49707168b75c09b62e6a

SHA1 hash:

59802b2c78e17d40df0c4aaa321d9f9236f83a89

Detections:

stealc

Link:

https://www.unpac.me/results/409256cd-e026-4996-9899-00a4ad9f8632/

SH256 hash:

bba4cd97ea9a1dbe8b1bb1dc19474a22c4f3427ff8ae695f64e93af58ce16eaa

MD5 hash:

608d9794c3186086d7df2cb2ab399ed6

SHA1 hash:

b387e6d8e8cfceaacd4d9aba6c99f269311143db

Link:

https://www.unpac.me/results/409256cd-e026-4996-9899-00a4ad9f8632/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Stealc

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bba4cd97ea9a1dbe8b1bb1dc19474a22c4f3427ff8ae695f64e93af58ce16eaa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	infostealer_win_stealc_standalone Create hunting rule
Description:	Find standalone Stealc sample based on decryption routine or characteristic strings
Reference:	https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/

Rule name:	malware_Stealc_str Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	Stealc infostealer

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Stealc Create hunting rule
Author:	kevoreilly
Description:	Stealc Payload

Rule name:	Stealer_Stealc Create hunting rule
Author:	Still
Description:	attempts to match instructions/strings found in Stealc

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

Rule name:	Windows_Generic_Threat_2bba6bae Create hunting rule
Author:	Elastic Security

Rule name:	win_stealc_w0 Create hunting rule
Author:	crep1x
Description:	Find standalone Stealc sample based on decryption routine or characteristic strings
Reference:	https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

exe bba4cd97ea9a1dbe8b1bb1dc19474a22c4f3427ff8ae695f64e93af58ce16eaa

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3337914/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3284801/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample