MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d235538772b86e3ef1e4cd2f00d4b7931c8bc622d29aad39b7e3a6a465a1c669. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 14


Intelligence 14 IOCs YARA 11 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d235538772b86e3ef1e4cd2f00d4b7931c8bc622d29aad39b7e3a6a465a1c669
SHA3-384 hash: 1c36c740c6a97bface42870d2b50abdc26b9a5927ebaa41bee0c1bd5dd5e21609858b5409b7dadc215159c1d4b9b2ca1
SHA1 hash: e05829361f10b99d6f554b3a76df33edf24063c2
MD5 hash: 684b2bdbe523cd89846944b6814f4de3
humanhash: oven-april-pip-eleven
File name:684b2bdbe523cd89846944b6814f4de3
Download: download sample
Signature Stealc
Create hunting rule
File size:13'700'200 bytes
First seen:2023-03-25 00:40:43 UTC
Last seen:2023-03-25 03:27:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0ec728b69f9b2c2cd0c25c220fb7500a (1 x Amadey, 1 x Stealc)
ssdeep 196608:UaX543YpgKiG1mrZHSEWQiPhIjNLvPfpTCJJlcvtFvsvqc+hrBYv:UaQGQZH72pIjNLv3xCJkRNYv
TLSH T16FD6F12E39566CABD5BBB83096BFC479B7721AAC404318275D8EEE60774FB503C5D00A
TrID 36.6% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
27.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
14.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter zbetcheckin
Tags:32 exe Stealc

Intelligence

File Origin
# of uploads :
2
# of downloads :
420
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
ba6a75f0c69a7f22b526ad940c3451b4
Verdict:
Malicious activity
Analysis date:
2023-03-25 00:24:42 UTC
Tags:
installer trojan amadey loader
Link:
https://app.any.run/tasks/bb7cf328-362b-4ef3-9740-de39f1e59fef

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.13995.4645.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Creating a window
Running batch commands
Creating a process with a hidden window
Launching a process
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm evasive greyware hacktool overlay packed
Link:
https://www.filescan.io/uploads/641e4320b270ef3bdbe3ea7d/reports/515aeb76-0147-4acd-bc16-cc9ba857a3c2/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/d235538772b86e3ef1e4cd2f00d4b7931c8bc622d29aad39b7e3a6a465a1c669
Result
Verdict:
MALICIOUS
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0ecc33c9-97bf-40cf-9bd8-61a37ed6ea29
Result
Threat name:
Stealc, Vidar
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1201650
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (creates a PE file in dynamic memory)
Found evasive API chain (may stop execution after checking locale)
Found many strings related to Crypto-Wallets (likely being stolen)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d235538772b86e3ef1e4cd2f00d4b7931c8bc622d29aad39b7e3a6a465a1c669/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-03-24 11:04:58 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2i2vhb3sxbxd54pezuxqbvfxsmoixrrc2knk2onx4otkiznbyzuq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/230325-a1rx1scd2y/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Unpacked files
SH256 hash:
0cdc207b2a9b28f8b7cbb48f3185afe080a53b5a9bd415887ac1022b39df8324
MD5 hash:
6b516709dd9e922aef15b7064985d68b
SHA1 hash:
3a15d0da09dc3bd4f337e4f8e2bc057a7a5c9133
Detections:
stealc
Create hunting rule
Link:
https://www.unpac.me/results/e8ca9632-645c-4b10-9295-52dc7ecf30a5/
Parent samples :
64b0d4ff01dc13572b748c0caa19d797aa6841994a90e5643d23dd5c692c0f17
d235538772b86e3ef1e4cd2f00d4b7931c8bc622d29aad39b7e3a6a465a1c669
SH256 hash:
d235538772b86e3ef1e4cd2f00d4b7931c8bc622d29aad39b7e3a6a465a1c669
MD5 hash:
684b2bdbe523cd89846944b6814f4de3
SHA1 hash:
e05829361f10b99d6f554b3a76df33edf24063c2
Link:
https://www.unpac.me/results/e8ca9632-645c-4b10-9295-52dc7ecf30a5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d235538772b86e3ef1e4cd2f00d4b7931c8bc622d29aad39b7e3a6a465a1c669

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:infostealer_win_stealc_standalone
Create hunting rule
Description:Find standalone Stealc sample based on decryption routine or characteristic strings
Reference:https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Rustyloader_mem_loose
Create hunting rule
Author:James_inthe_box
Description:Corroded buerloader
Reference:https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24
Rule name:win_stealc_w0
Create hunting rule
Author:crep1x
Description:Find standalone Stealc sample based on decryption routine or characteristic strings
Reference:https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/
Rule name:yara_template
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe d235538772b86e3ef1e4cd2f00d4b7931c8bc622d29aad39b7e3a6a465a1c669

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2584831/

Comments


Avatar
zbet commented on 2023-03-25 00:40:47 UTC

url : hxxp://79.137.248.23/RedHat.exe