MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d198da5624dee1ce2f38222ad1693bdeeec82495031fa8ca53ef3f28efec384b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 13

Intelligence 13 IOCs YARA 4 File information Comments

SHA256 hash:	d198da5624dee1ce2f38222ad1693bdeeec82495031fa8ca53ef3f28efec384b
SHA3-384 hash:	f30fe450ce21861242934b0ab75175225d0ae631706eaf747453eee00bf03fc6237631ba4b7c515d2313798a019c9d50
SHA1 hash:	9810901997cc0779b1bae1acea16b3d065ccca8b
MD5 hash:	81bb9a2505ff83c35813fb7562223f6e
humanhash:	bacon-fanta-utah-tennessee
File name:	Agreement.exe
Download:	download sample
Signature	Stealc Create hunting rule
File size:	3'141'280 bytes
First seen:	2023-12-12 20:26:40 UTC
Last seen:	2023-12-12 22:37:10 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	2f68b5011e7717e34f2fd9a3fb18e45d (1 x Stealc)
ssdeep	24576:sTrzuP5oSpP3w21wVrhWPFHdqbmBt1uKtxnn8a2ixAArI2YTddBiWk5cfSM02Yvp:urzuPjp/w21wVrk5UxkaI2YvsHGQ+Z
TLSH	T15BE5F81AD24964C4F56B9338C9730BD29A6D7C08635838EF20597A563E322E1A37F773
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	74e4d4d4ecf4d4d4 (23 x GuLoader, 20 x LummaStealer, 19 x AgentTesla)
Reporter	FilipiPires
Tags:	exe Stealc

Intelligence

File Origin

# of uploads :

# of downloads :

405

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/467064/

Detection(s):

SecuriteInfo.com.Win64.PWSX-gen.6318.7309.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

Creating a file in the %temp% directory

Creating a process from a recently created file

Сreating synchronization primitives

Unauthorized injection to a recently created process by context flags manipulation

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/6578c2163636548f374d2111/reports/b34d8f05-265f-4488-b408-7d2290466b5d/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/d198da5624dee1ce2f38222ad1693bdeeec82495031fa8ca53ef3f28efec384b

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/43b5052f-8af8-4318-b675-c7ae50fbb62f

Result

Threat name:

n/a

Detection:

suspicious

Classification:

evad

Score:

24 / 100

Link:

https://www.joesandbox.com/analysis/1360765

Behaviour

Behavior Graph:

n/a

Score:

96%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/d198da5624dee1ce2f38222ad1693bdeeec82495031fa8ca53ef3f28efec384b

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d198da5624dee1ce2f38222ad1693bdeeec82495031fa8ca53ef3f28efec384b/

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2023-12-10 21:56:08 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

13 of 37 (35.14%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2gmnuvre33q44lzyeivnc2j333xmqjevamp2rsst547sr37mhbfq._file

Verdict:

malicious

Result

Malware family:

stealc

Score:

10/10

Tags:

family:stealc stealer

Link:

https://tria.ge/reports/231212-y8dx5ache5/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Executes dropped EXE

Stealc

Malware Config

C2 Extraction:

http://80.66.85.128

Unpacked files

SH256 hash:

d198da5624dee1ce2f38222ad1693bdeeec82495031fa8ca53ef3f28efec384b

MD5 hash:

81bb9a2505ff83c35813fb7562223f6e

SHA1 hash:

9810901997cc0779b1bae1acea16b3d065ccca8b

Link:

https://www.unpac.me/results/ad210163-70d7-4902-a5e0-76d52001f20c/

Malware family:

Stealc

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d198da5624de/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d198da5624dee1ce2f38222ad1693bdeeec82495031fa8ca53ef3f28efec384b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Link

https://drive.google.com/uc?export=download&confirm=no_antivirus&id=1q3NFXJ2PDgVS1fuDH-M6f2MIHOCBFeYS

Delivery method

Distributed via e-mail link

Cape

https://www.capesandbox.com/analysis/467064/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample