MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c19be545bf9f627cb8a1230df7d754b04aa53979aa52043a18bd3e708faaea09. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 10

Intelligence 10 IOCs YARA 5 File information Comments

SHA256 hash:	c19be545bf9f627cb8a1230df7d754b04aa53979aa52043a18bd3e708faaea09
SHA3-384 hash:	b97ff52ecce37cd6487968ad617bbe40b87a3a806248bfbcdcda3e91da775629e7f6e56c6536da51a8c7df1f45681397
SHA1 hash:	cab902c5d0733119f383d7616b6608b07de61775
MD5 hash:	1d2c00de086d483b61de6072a3832324
humanhash:	shade-whiskey-jersey-crazy
File name:	1d2c00de086d483b61de6072a3832324.exe
Download:	download sample
Signature	Stealc Create hunting rule
File size:	6'621'176 bytes
First seen:	2023-08-03 01:05:20 UTC
Last seen:	2023-08-03 01:27:30 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	037186f4dc0b9fa0469de68e8c5dd86b (1 x Stealc)
ssdeep	49152:VwPCWolBs7i94ZZ2ggGWKuUE9Y3161vgWD9fl/Wj1sZ1sHQcwz6O1CL:FvK9QQ1eZKRHRwz6O1s
Threatray	99 similar samples on MalwareBazaar
TLSH	T1DA6665C3B1E159DAA0C977B036E6F3F629EA9C3085A15CD79D103959E87D862DC3230E
TrID	26.2% (.SCR) Windows screen saver (13097/50/3) 21.0% (.EXE) Win64 Executable (generic) (10523/12/4) 13.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 10.0% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	316d4d4d5d554569 (4 x AgentTesla, 4 x Stealc, 3 x RemcosRAT)
Reporter	abuse_ch
Tags:	exe Stealc

abuse_ch

Stealc C2:
http://77.91.97.18/1c80d1b40e06f613.php

Intelligence

File Origin

# of uploads :

# of downloads :

308

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

1d2c00de086d483b61de6072a3832324.exe

Verdict:

No threats detected

Analysis date:

2023-08-03 01:07:51 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f27f006d-9424-4260-beff-8afbd58791ff

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/439936/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.68422673.27086.13497.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Sending an HTTP GET request

Running batch commands

Creating a process with a hidden window

Launching a process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware lolbin overlay packed replace

Link:

https://www.filescan.io/uploads/64cafd7b94fb102ea38c28d4/reports/90dde96d-8b94-4086-99b2-8c2f0a07310a/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/c19be545bf9f627cb8a1230df7d754b04aa53979aa52043a18bd3e708faaea09

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/1efbe5d9-7b22-41d3-98f8-47ddd67d9919

Result

Threat name:

Stealc

Detection:

malicious

Classification:

troj

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1284758

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Stealc

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c19be545bf9f627cb8a1230df7d754b04aa53979aa52043a18bd3e708faaea09/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-07-30 08:37:18 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 38 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ygn6krn7t5rhzofbemg7pv2uwbfkkolzvjjaioqyxu7hbd5k5ieq._file

Verdict:

malicious

Stealc

28d2d3f89f2b35af444964926c1bce39f7ae2d86e3f0864cb6028252b37fca21

Stealc

528a04c98597c2ab37c0d9d536707c2dcd2d1f7bdc0a26fc9b24a8a3035eaf88

Stealc

716857f5e8b803a240c78b87ed060fbef2c96695eadb0e5ac8b83e3d5e817c4f

Stealc

86d03db5bc38058981a38f02f81530fd8fabb10d2911377ecdee221cc525c63a

Stealc

d0e7a341fe199dbabb5f0798dba0564e9b60e4736a405c46eafc7232cc10dc40

Stealc

d87502f99648aac5100598129fd31648afb3dce99bfaf4274dce3997c1bfa6d7

Stealc

e3963384741ca0ea48a1606dd175879458765e8d7f94cf64bc79725ecbd01442

Stealc

+ 89 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/230803-bf3pfsbg9s/

Unpacked files

SH256 hash:

c19be545bf9f627cb8a1230df7d754b04aa53979aa52043a18bd3e708faaea09

MD5 hash:

1d2c00de086d483b61de6072a3832324

SHA1 hash:

cab902c5d0733119f383d7616b6608b07de61775

Link:

https://www.unpac.me/results/da79af87-2beb-4149-910f-710d80eafd93/

Malware family:

Stealc

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c19be545bf9f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/c19be545bf9f627cb8a1230df7d754b04aa53979aa52043a18bd3e708faaea09

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	detect_Mars_Stealer Create hunting rule
Author:	@malgamy12
Description:	detect_Mars_Stealer

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	QbotStuff Create hunting rule
Author:	anonymous

Rule name:	sus_pe_free_without_allocation Create hunting rule
Author:	Maxime THIEBAUT (@0xThiebaut)
Description:	Detects an executable importing functions to free memory without importing allocation functions, often indicative of dynamic import resolution

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/439936/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample