MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c623704c56199b36c6ba157ca749c271eb945e9fe62760b9c82e03dd2ec5927b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 14


Intelligence 14 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c623704c56199b36c6ba157ca749c271eb945e9fe62760b9c82e03dd2ec5927b
SHA3-384 hash: 8a527c824cdaea1f47eb47f41072ecee73242b6468a4d71a037f4f6e7bc605840dd6ffeac0d2010472adda08d17482bd
SHA1 hash: 583fde90c494905e55879333a152c2e63d69ce95
MD5 hash: c09bf1e2673a26b500d9ac59865f2c0f
humanhash: eight-fix-oranges-edward
File name:c09bf1e2673a26b500d9ac59865f2c0f.exe
Download: download sample
Signature Stealc
Create hunting rule
File size:242'688 bytes
First seen:2024-02-20 00:45:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash af922d14343eaa837537eb745ed612fe (2 x Stealc)
ssdeep 3072:Nz99IXeJGNZ3xdpYpZIFDN9a6/OC+7s0o5X0MGH:NmTXp2ZIFDN9N/OCr0MG
Threatray 55 similar samples on MalwareBazaar
TLSH T10834D0227AA0D071C56B45308870C6BD3B3ABC629A65918F77583F6F2EF0391476A35E
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon 1212021806020400 (1 x Stealc)
Reporter abuse_ch
Tags:exe Stealc


Avatar
abuse_ch
Stealc C2:
http://94.156.65.61/129edec4272dc2c8.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
348
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
Stealc
Create hunting rule
Link:
https://www.capesandbox.com/analysis/476879/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Connection attempt
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Creating a window
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
fingerprint packed
Link:
https://www.filescan.io/uploads/65d3f64bc5e1a083fbf258bc/reports/43fe9e3b-e03c-4015-b0c2-059541d82629/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/c623704c56199b36c6ba157ca749c271eb945e9fe62760b9c82e03dd2ec5927b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ffd439b8-7b37-46e0-b005-72ff63e5e483
Result
Threat name:
Stealc, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1394900
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Searches for specific processes (likely to inject)
Snort IDS alert for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c623704c56199b36c6ba157ca749c271eb945e9fe62760b9c82e03dd2ec5927b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c623704c56199b36c6ba157ca749c271eb945e9fe62760b9c82e03dd2ec5927b/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2024-02-20 00:46:04 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yyrxatcwdgntnrv2cv6kosocohvzixu74ytwbooifyb52lwfsj5q._file
Verdict:
malicious
Similar samples:
0ce20355c39691f815eca3acf7e9e6addd4e8e2159297e4afbceef64111a0837
Stealc
5a1a90919e9303b46ddc59f16f9df6b91fb43321115add86492c8e159a0da5cf
Stealc
5d2d0aadfb9a0f47c7803c207b2f7b5c9efd79261d7f351b367b479788c4d47d
Stealc
66154c5b8e0c5b1efeb07331e240f71a1df15b6e42de7f03198fc313bf94bd20
Stealc
6b0f58da4681748d3b7064e8d6d2664b3cf229047ae99dc33d36f93a30109f09
Stealc
8a12a7cfb07d4ea86f212911775850f6187eea3d7a9c070ae2d68e0b318266e5
Stealc
9eda80b21be4608e90d5f90cf721412e929894ce6d077f8bb45365c0f5d1d613
Stealc
a022daaa10f66f7870e535d0cb76290e5d3d6bba6e73708673c528bdb1417215
Stealc
+ 45 additional samples on MalwareBazaar
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:stealc discovery spyware stealer
Link:
https://tria.ge/reports/240220-a4mgpsgg97/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Stealc
Malware Config
C2 Extraction:
http://94.156.65.61
Unpacked files
SH256 hash:
23759b7dc7810256815fc3b78205743df2392094b82a7bfa30b1ed7ca5d238e6
MD5 hash:
546fe1f4e4c9fb6474560c3f460d3e3c
SHA1 hash:
f7ebc0fc44be8f553281f6d440c67bea738548a3
Link:
https://www.unpac.me/results/de5d8a71-3fed-40e1-8359-61ae4ff9a333/
SH256 hash:
c623704c56199b36c6ba157ca749c271eb945e9fe62760b9c82e03dd2ec5927b
MD5 hash:
c09bf1e2673a26b500d9ac59865f2c0f
SHA1 hash:
583fde90c494905e55879333a152c2e63d69ce95
Link:
https://www.unpac.me/results/de5d8a71-3fed-40e1-8359-61ae4ff9a333/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c623704c5619/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c623704c56199b36c6ba157ca749c271eb945e9fe62760b9c82e03dd2ec5927b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of MFA browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:infostealer_win_stealc_standalone
Create hunting rule
Description:Find standalone Stealc sample based on decryption routine or characteristic strings
Reference:https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:win_stealc_w0
Create hunting rule
Author:crep1x
Description:Find standalone Stealc sample based on decryption routine or characteristic strings
Reference:https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/
Rule name:yara_template
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe c623704c56199b36c6ba157ca749c271eb945e9fe62760b9c82e03dd2ec5927b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2756618/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/476879/

Comments