MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce21a22b3d7427ebb8a02ad8fc8df36c07005afc359a5402a16a66862d91fc14. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 17


Intelligence 17 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ce21a22b3d7427ebb8a02ad8fc8df36c07005afc359a5402a16a66862d91fc14
SHA3-384 hash: 2f3778d6f1ab306870ca79b897140a1b75d56354fa72cfbf749d15c65858e293d313b7f69f799252694f3f1830e78ca0
SHA1 hash: cb242be6f7e91486164e2a2809b8f7d3cc3f3ead
MD5 hash: 34b192cdba8a579bf39af4aa49e7fa75
humanhash: twenty-alpha-hamper-magazine
File name:file
Download: download sample
Signature Stealc
Create hunting rule
File size:2'481'152 bytes
First seen:2024-07-05 08:35:07 UTC
Last seen:2024-07-05 09:23:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 001806c33a6e9fe5fbff34bdbd79b591 (112 x Stealc, 9 x MarsStealer, 1 x Amadey)
ssdeep 49152:Qk1OSXD3iVJu7j8IlbGzSPRan72jRO78wKo4LKQ4lQpZ6WkackdD:vuu7gIwbQOvX4LKlQpPjck
Threatray 70 similar samples on MalwareBazaar
TLSH T111B533D5C1693FD3C2107EBBAE5C9D3880B16548EACED3859EDA2926D41C8C0D9B6D0B
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter Bitsight
Tags:exe Stealc


Avatar
Bitsight
url: http://77.91.77.81/stealc/random.exe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://85.28.47.30/920475a59bac849d.php https://threatfox.abuse.ch/ioc/1294769/

Intelligence

File Origin
# of uploads :
4
# of downloads :
445
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
ce21a22b3d7427ebb8a02ad8fc8df36c07005afc359a5402a16a66862d91fc14.exe
Verdict:
Malicious activity
Analysis date:
2024-07-05 08:37:47 UTC
Tags:
stealer stealc loader antivm amadey botnet themida
Link:
https://app.any.run/tasks/ffd82359-8b4d-44d1-a93f-d7780d5c50de

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Packer.EnigmaProtector-9852682-0
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6687d9ef6d9aa9d4552676dewin7simulatehigh_evasion
Tags:
Stealth
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
enigma lolbin microsoft_visual_cc packed packed shell32
Link:
https://www.filescan.io/uploads/6687b08bce78046c1aae9c3c/reports/36a80561-d8c4-4b63-bf5f-a7d35174cba8/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/ce21a22b3d7427ebb8a02ad8fc8df36c07005afc359a5402a16a66862d91fc14
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e5e98972-804d-4907-a7b6-b9e4634de8f5
Result
Threat name:
Amadey, Mars Stealer, Stealc, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1468101
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Amadeys stealer DLL
Yara detected Mars stealer
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1468101 Sample: file.exe Startdate: 05/07/2024 Architecture: WINDOWS Score: 100 66 Snort IDS alert for network traffic 2->66 68 Multi AV Scanner detection for domain / URL 2->68 70 Found malware configuration 2->70 72 16 other signatures 2->72 9 file.exe 37 2->9         started        14 explorti.exe 2->14         started        16 explorti.exe 2->16         started        process3 dnsIp4 52 85.28.47.30, 49704, 49721, 80 GES-ASRU Russian Federation 9->52 54 77.91.77.81, 49711, 49718, 80 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 9->54 40 C:\Users\user\AppData\...\CAEGHIJEHJ.exe, PE32 9->40 dropped 42 C:\Users\user\AppData\...\softokn3[1].dll, PE32 9->42 dropped 44 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 9->44 dropped 46 11 other files (7 malicious) 9->46 dropped 90 Detected unpacking (changes PE section rights) 9->90 92 Tries to steal Mail credentials (via file / registry access) 9->92 94 Found many strings related to Crypto-Wallets (likely being stolen) 9->94 102 4 other signatures 9->102 18 cmd.exe 1 9->18         started        20 cmd.exe 2 9->20         started        96 Hides threads from debuggers 14->96 98 Tries to detect sandboxes / dynamic malware analysis system (registry check) 14->98 100 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 14->100 file5 signatures6 process7 process8 22 CAEGHIJEHJ.exe 4 18->22         started        26 conhost.exe 18->26         started        28 conhost.exe 20->28         started        file9 38 C:\Users\user\AppData\Local\...\explorti.exe, PE32 22->38 dropped 82 Antivirus detection for dropped file 22->82 84 Detected unpacking (changes PE section rights) 22->84 86 Machine Learning detection for dropped file 22->86 88 5 other signatures 22->88 30 explorti.exe 16 22->30         started        signatures10 process11 dnsIp12 56 77.91.77.82, 49717, 49720, 49722 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 30->56 48 C:\Users\user\AppData\...\3a7c7dc7c6.exe, PE32 30->48 dropped 50 C:\Users\user\AppData\Local\...\random[1].exe, PE32 30->50 dropped 58 Antivirus detection for dropped file 30->58 60 Detected unpacking (changes PE section rights) 30->60 62 Tries to detect sandboxes and other dynamic analysis tools (window names) 30->62 64 5 other signatures 30->64 35 3a7c7dc7c6.exe 12 30->35         started        file13 signatures14 process15 signatures16 74 Antivirus detection for dropped file 35->74 76 Multi AV Scanner detection for dropped file 35->76 78 Detected unpacking (changes PE section rights) 35->78 80 2 other signatures 35->80
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ce21a22b3d7427ebb8a02ad8fc8df36c07005afc359a5402a16a66862d91fc14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ce21a22b3d7427ebb8a02ad8fc8df36c07005afc359a5402a16a66862d91fc14/
Threat name:
Win32.Trojan.Stealerc
Create hunting rule
Status:
Malicious
First seen:
2024-07-05 08:36:05 UTC
File Type:
PE (Exe)
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zyq2ekz5oqt6xofaflmpzdptnqdqawx4gwnfiavbnjtimlmr7qka._file
Verdict:
malicious
Similar samples:
230280a480e2b4301c9beed0e5519c1f72f8c5a2d4193b5f69d7a02f6884bb16
Stealc
420a0afef2b1ca0becba2405377ee528cc5d1e6d903eac4e59de97b1ac22ca86
Stealc
579804532d286ba442de9a9f8b9a20a2d5239eb510558805fa18ec0717182e0f
Stealc
5e3cae26ee0d86cf2c2660baf9d0fc27227173cc8440a94abe5c85a698e0293f
Stealc
86ccbff05056433ad05dcc8dfcf5b9b89bda2b2bbbe74a609e1d333f38cee3e4
Stealc
9f5b516487cc6c3218efb06cb2ebcc72ce724dc64aa84d217464af873c048b7a
Stealc
d64aab9e3aa0e3f707bfff0b1179a3d4f1bf4e7335c922a85181f8b3c05e7bd5
Stealc
+ 60 additional samples on MalwareBazaar
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:stealc botnet:4dd39d botnet:nice discovery evasion spyware stealer trojan
Link:
https://tria.ge/reports/240705-khkfbsvgkj/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks BIOS information in registry
Checks computer location settings
Deletes itself
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Stealc
Malware Config
C2 Extraction:
http://85.28.47.30
http://77.91.77.82
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5ea13515-2906-4973-ae34-9d1dcbdf955f
Unpacked files
SH256 hash:
ce21a22b3d7427ebb8a02ad8fc8df36c07005afc359a5402a16a66862d91fc14
MD5 hash:
34b192cdba8a579bf39af4aa49e7fa75
SHA1 hash:
cb242be6f7e91486164e2a2809b8f7d3cc3f3ead
Link:
https://www.unpac.me/results/375ab483-b20d-4174-8792-1e21053e55b1/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ce21a22b3d74/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ce21a22b3d7427ebb8a02ad8fc8df36c07005afc359a5402a16a66862d91fc14

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe ce21a22b3d7427ebb8a02ad8fc8df36c07005afc359a5402a16a66862d91fc14

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2909131/
  
URLhaus
https://urlhaus.abuse.ch/url/2909129/
  
URLhaus
https://urlhaus.abuse.ch/url/2920704/
  
URLhaus
https://urlhaus.abuse.ch/url/2908698/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteA
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryA
WIN_BASE_IO_APICan Create Filesversion.dll::GetFileVersionInfoA

Comments