MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 11


Intelligence 11 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620
SHA3-384 hash: 95a213a23b6f0d2404f391d1827af89bc7e3fd458d4a88203140e342f80751c5945e08801638bb1f4042eac306a859e2
SHA1 hash: 8761289110102b0a661ffbe28ed7f0a730311c5e
MD5 hash: 6fbe36ef1d6599968f107c7b6eb19225
humanhash: delta-rugby-single-batman
File name:file
Download: download sample
Signature Stealc
Create hunting rule
File size:534'152 bytes
First seen:2024-05-07 20:13:32 UTC
Last seen:2024-05-07 21:22:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 6144:39y51HwqQwU0PbQpf1oFdHr34eXHZCTUPEn0IlHgv59OxsDXqYe8RBCu97x+ucSR:3E51HwgRdLoeXMHnfHgzOi6kR5x+9aUI
Threatray 433 similar samples on MalwareBazaar
TLSH T1B3B4F101B74D131BFD5F11BE586284C2BB56D351E3EAAB23AE48DB6448033687DB4E78
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter Bitsight
Tags:exe signed Stealc

Code Signing Certificate

Organisation:Microsoft Code Signing PCA 2011
Issuer:Microsoft Code Signing PCA 2011
Algorithm:sha256WithRSAEncryption
Valid from:2024-05-07T12:04:06Z
Valid to:2025-05-07T12:04:06Z
Serial number: f294657e43ef1a5af69b1cb5c1b654c7
Thumbprint Algorithm:SHA256
Thumbprint: e2c456cf4b4863d044313079dc8d7b2c47750153a623d1113c444b10b7f68630
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
Bitsight
url: http://193.233.132.234/files/Isetup2.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
318
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe
Verdict:
Malicious activity
Analysis date:
2024-05-07 20:14:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2e66400f-1873-420a-ad4b-1075c69b055e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win64.PWSX-gen.31229.22548.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request to an infection source
Creating a file
Sending an HTTP GET request
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Searching for the window
Running batch commands
Launching cmd.exe command interpreter
Blocking the User Account Control
Connection attempt to an infection source
Query of malicious DNS domain
Sending a TCP request to an infection source
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/663a8b8c9dc4dda9c0e4ffca/reports/032c7212-76a8-4e15-9b1f-79b5e937380d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cd6233a6-a5d4-4c21-8a49-e7838871d688
Result
Threat name:
Neoreklami
Create hunting rule
Detection:
malicious
Classification:
rans.troj.adwa.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1437769
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
Creates HTML files with .exe extension (expired dropper behavior)
Disables UAC (registry)
Drops script or batch files to the startup folder
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes many files with high entropy
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Neoreklami
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1437769 Sample: file.exe Startdate: 07/05/2024 Architecture: WINDOWS Score: 100 117 Malicious sample detected (through community Yara rule) 2->117 119 Antivirus detection for URL or domain 2->119 121 Multi AV Scanner detection for dropped file 2->121 123 9 other signatures 2->123 12 file.exe 1 3 2->12         started        process3 signatures4 133 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 12->133 135 Writes to foreign memory regions 12->135 137 Allocates memory in foreign processes 12->137 139 4 other signatures 12->139 15 InstallUtil.exe 15 372 12->15         started        20 powershell.exe 23 12->20         started        22 WerFault.exe 12->22         started        24 2 other processes 12->24 process5 dnsIp6 101 187.134.46.246 UninetSAdeCVMX Mexico 15->101 103 189.189.229.237 UninetSAdeCVMX Mexico 15->103 107 16 other IPs or domains 15->107 75 C:\Users\...\yjAV55BqaxETSAr8DODOafSV.exe, PE32 15->75 dropped 77 C:\Users\...\xSaJUUOlcfNc423yR4noQftB.exe, PE32 15->77 dropped 79 C:\Users\...\wAOvCWFJekLrzhYrtKkw43UV.exe, PE32 15->79 dropped 81 217 other malicious files 15->81 dropped 109 Drops script or batch files to the startup folder 15->109 111 Creates HTML files with .exe extension (expired dropper behavior) 15->111 113 Writes many files with high entropy 15->113 26 tNqjTKNmZtULvODfsoOigZBK.exe 15->26         started        29 UEcNgfzwzFq8bvLew5ECsYR4.exe 15->29         started        31 8F3OMSg4QZbt3egZhHbCmNhs.exe 15->31         started        36 19 other processes 15->36 115 Loading BitLocker PowerShell Module 20->115 34 conhost.exe 20->34         started        105 13.89.179.12 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 22->105 file7 signatures8 process9 file10 83 C:\Users\user\AppData\Local\...\Install.exe, PE32 26->83 dropped 85 C:\Users\user\AppData\Local\...\CastSrv.exe, PE32+ 26->85 dropped 38 Install.exe 26->38         started        87 C:\Users\user\AppData\Local\...\Install.exe, PE32 29->87 dropped 89 C:\Users\user\AppData\Local\...\CastSrv.exe, PE32+ 29->89 dropped 41 Install.exe 29->41         started        99 3 other malicious files 31->99 dropped 145 Writes many files with high entropy 31->145 43 cmd.exe 31->43         started        91 C:\Users\user\AppData\Local\...\Install.exe, PE32 36->91 dropped 93 C:\Users\user\AppData\Local\...\CastSrv.exe, PE32+ 36->93 dropped 95 C:\Users\user\AppData\Local\...\Install.exe, PE32 36->95 dropped 97 C:\Users\user\AppData\Local\...\CastSrv.exe, PE32+ 36->97 dropped signatures11 process12 signatures13 125 Multi AV Scanner detection for dropped file 38->125 127 Modifies Windows Defender protection settings 38->127 45 cmd.exe 38->45         started        48 forfiles.exe 38->48         started        50 cmd.exe 41->50         started        52 Conhost.exe 41->52         started        54 conhost.exe 43->54         started        process14 signatures15 141 Suspicious powershell command line found 45->141 143 Modifies Windows Defender protection settings 45->143 56 forfiles.exe 45->56         started        59 conhost.exe 45->59         started        61 cmd.exe 48->61         started        63 conhost.exe 48->63         started        65 conhost.exe 50->65         started        67 forfiles.exe 50->67         started        process16 signatures17 129 Modifies Windows Defender protection settings 56->129 69 cmd.exe 56->69         started        131 Suspicious powershell command line found 61->131 71 powershell.exe 61->71         started        process18 process19 73 reg.exe 69->73         started       
Score:
94%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620/
Threat name:
ByteCode-MSIL.Trojan.Operaloader
Create hunting rule
Status:
Malicious
First seen:
2024-05-07 20:14:06 UTC
File Type:
PE+ (.Net Exe)
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zjykdg3tbnljztovveb7ps5zrifmictcu55t3al3mxapbsndoyqa._file
Verdict:
malicious
Similar samples:
1153b99ea7a217692d63ef2c95b61f9b781862793ed5cdff3f53f0b43d9c8ccc
Stealc
132d0526eda9bdadbb2b402d44738d4fc91255556325b6a1991e053d1710fcce
Stealc
480b540cb344d74306d03347658b2018a4b8504f4055ad15ba43456953d7b33c
Stealc
97d31daa731806026e50a454986e0b1df51ec32176d930e9bc1c16efffaec74e
Stealc
d7a29a6c822d5ac4f4faef4105aa50a563832decca35cfab3c24cb1b389b7f03
Stealc
+ 423 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:stealc family:zgrat discovery dropper evasion execution loader persistence rat rootkit spyware stealer trojan
Link:
https://tria.ge/reports/240507-yzzhgagd64/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Drops Chrome extension
Drops desktop.ini file(s)
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMon driver.
Manipulates WinMonFS driver.
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Windows security modification
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Modifies boot configuration data using bcdedit
Detect ZGRat V1
Glupteba
Glupteba payload
Modifies Windows Defender Real-time Protection settings
Stealc
UAC bypass
Windows security bypass
ZGRat
Malware Config
C2 Extraction:
http://185.172.128.150
Unpacked files
SH256 hash:
ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620
MD5 hash:
6fbe36ef1d6599968f107c7b6eb19225
SHA1 hash:
8761289110102b0a661ffbe28ed7f0a730311c5e
Link:
https://www.unpac.me/results/a0d84d55-7b87-432b-a22c-251540e644cd/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ca70a19b730b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables (downlaoders) containing URLs to raw contents of a paste
Rule name:MSIL_TinyDownloader_Generic
Create hunting rule
Author:albertzsigovits
Description:Detects small-sized dotNET downloaders
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2842172/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments