MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d79dd72319dcbefd88975bebca1fc4812d066939aa69cf3f83324025354f95d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 17


Intelligence 17 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d79dd72319dcbefd88975bebca1fc4812d066939aa69cf3f83324025354f95d7
SHA3-384 hash: d86a593e921fca594fa91a29524947784b5618b7b3afca747b113cd4bb96c4460faba9bc172a7b3aec7fceea91096541
SHA1 hash: 4a7690ae985bbf54212257c4e8a8751251980a0e
MD5 hash: a2f81c93997af5cabc886981b6135891
humanhash: east-enemy-fix-vermont
File name:file
Download: download sample
Signature Stealc
Create hunting rule
File size:1'740'288 bytes
First seen:2024-08-23 20:26:43 UTC
Last seen:2024-08-23 21:53:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:b57v5Cgc+X0y40yvXeEVEunLVPdzhSOMyAp1l2s:9tCgbPLyGaLRiyArl2s
TLSH T16D85331CC9B3AF80D56AA477EF832D1ABAB613D8A5ADF50C619C473D43171910BA3C78
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter Bitsight
Tags:exe Stealc


Avatar
Bitsight
url: http://31.41.244.11/steam/random.exe

Intelligence

File Origin
# of uploads :
6
# of downloads :
386
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-08-23 20:28:48 UTC
Tags:
stealer stealc loader themida amadey botnet
Link:
https://app.any.run/tasks/0ee2f13b-f0e3-4981-837b-dafd92380931

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.15541.12844.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66c8f098e7ff3f5a063bd0f8
Tags:
Execution Generic Infostealer Network Stealth Trojan
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Connection attempt to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
microsoft_visual_cc packed
Link:
https://www.filescan.io/uploads/66c8f0980f9197595929ff1f/reports/f0403c93-5d71-4a7e-82be-78ff17026bf9/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/d79dd72319dcbefd88975bebca1fc4812d066939aa69cf3f83324025354f95d7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/7ff27272-f7d7-414f-a6b7-ace4400a1259
Result
Threat name:
Amadey, Stealc, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1498240
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
PE file contains section with special chars
Sigma detected: Suspicious File Creation In Uncommon AppData Folder
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Amadeys stealer DLL
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1498240 Sample: file.exe Startdate: 23/08/2024 Architecture: WINDOWS Score: 100 82 sni1gl.wpc.nucdn.net 2->82 84 services.addons.mozilla.org 2->84 86 12 other IPs or domains 2->86 110 Suricata IDS alerts for network traffic 2->110 112 Found malware configuration 2->112 114 Antivirus detection for URL or domain 2->114 116 10 other signatures 2->116 9 file.exe 38 2->9         started        14 svoutse.exe 19 2->14         started        16 msedge.exe 2->16         started        18 4 other processes 2->18 signatures3 process4 dnsIp5 88 185.215.113.100, 49730, 64124, 80 WHOLESALECONNECTIONSNL Portugal 9->88 90 31.41.244.11, 64118, 64121, 64123 AEROEXPRESS-ASRU Russian Federation 9->90 70 C:\Users\user\AppData\RoamingEBAAAFBGDB.exe, PE32 9->70 dropped 72 C:\Users\user\AppData\...\softokn3[1].dll, PE32 9->72 dropped 74 C:\Users\user\AppData\Local\...\random[1].exe, PE32 9->74 dropped 80 12 other files (8 malicious) 9->80 dropped 142 Detected unpacking (changes PE section rights) 9->142 144 Tries to steal Mail credentials (via file / registry access) 9->144 146 Found many strings related to Crypto-Wallets (likely being stolen) 9->146 156 6 other signatures 9->156 20 cmd.exe 1 9->20         started        22 cmd.exe 1 9->22         started        92 31.41.244.10, 64120, 64122, 80 AEROEXPRESS-ASRU Russian Federation 14->92 148 Hides threads from debuggers 14->148 150 Tries to detect sandboxes / dynamic malware analysis system (registry check) 14->150 152 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 14->152 24 c214a110cc.exe 13 14->24         started        27 7f05647a10.exe 1 14->27         started        94 192.168.2.4, 443, 49723, 49724 unknown unknown 16->94 96 239.255.255.250 unknown Reserved 16->96 76 C:\Users\user\AppData\Local\...\Login Data, SQLite 16->76 dropped 78 C:\Users\user\AppData\Local\...\History, SQLite 16->78 dropped 154 Maps a DLL or memory area into another process 16->154 29 msedge.exe 16->29         started        32 msedge.exe 16->32         started        37 3 other processes 16->37 34 firefox.exe 18->34         started        39 2 other processes 18->39 file6 signatures7 process8 dnsIp9 41 RoamingEBAAAFBGDB.exe 4 20->41         started        45 conhost.exe 20->45         started        47 userGCGIDGCGIE.exe 22->47         started        49 conhost.exe 22->49         started        118 Detected unpacking (changes PE section rights) 24->118 120 Tries to detect sandboxes and other dynamic analysis tools (window names) 24->120 122 Tries to evade debugger and weak emulator (self modifying code) 24->122 126 3 other signatures 24->126 124 Binary is likely a compiled AutoIt script file 27->124 51 msedge.exe 27->51         started        53 firefox.exe 27->53         started        98 13.107.246.40 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 29->98 100 s-part-0032.t-0009.t-msedge.net 13.107.246.60 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 29->100 106 14 other IPs or domains 29->106 102 services.addons.mozilla.org 18.65.39.31 MIT-GATEWAYSUS United States 34->102 104 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82 GOOGLEUS United States 34->104 108 4 other IPs or domains 34->108 64 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 34->64 dropped 66 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 34->66 dropped 55 firefox.exe 34->55         started        57 firefox.exe 34->57         started        file10 signatures11 process12 file13 68 C:\Users\user\AppData\Local\...\svoutse.exe, PE32 41->68 dropped 128 Detected unpacking (changes PE section rights) 41->128 130 Tries to evade debugger and weak emulator (self modifying code) 41->130 132 Tries to detect virtualization through RDTSC time measurements 41->132 140 2 other signatures 41->140 59 svoutse.exe 41->59         started        134 Antivirus detection for dropped file 47->134 136 Machine Learning detection for dropped file 47->136 138 Hides threads from debuggers 47->138 62 msedge.exe 51->62         started        signatures14 process15 signatures16 158 Detected unpacking (changes PE section rights) 59->158 160 Tries to evade debugger and weak emulator (self modifying code) 59->160 162 Hides threads from debuggers 59->162 164 2 other signatures 59->164
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d79dd72319dcbefd88975bebca1fc4812d066939aa69cf3f83324025354f95d7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d79dd72319dcbefd88975bebca1fc4812d066939aa69cf3f83324025354f95d7/
Threat name:
Win32.Trojan.Stealerc
Create hunting rule
Status:
Malicious
First seen:
2024-08-23 20:27:57 UTC
File Type:
PE (Exe)
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=26o5oiyz3s7p3cexlpv4uh6eqewqm2jzvju46p4dgjacknkpsxlq._file
Verdict:
unknown
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:stealc botnet:leva discovery evasion stealer
Link:
https://tria.ge/reports/240823-y8d8wsxamk/
Behaviour
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Stealc
Malware Config
C2 Extraction:
http://185.215.113.100
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/46ba6fd2-bcef-46a6-bc47-8c22ce4f63b6
Unpacked files
SH256 hash:
8419153fb7d8b65652e0a3002bea34cf54947b8ea7fda5281ec8483eed11e6f0
MD5 hash:
65db3c6c130164c15a61b2e04b4882db
SHA1 hash:
915d612e37b03ec11e51807fd423453b9a286821
Detections:
stealc
Create hunting rule
win_stealc_w0
Create hunting rule
win_stealc_a0
Create hunting rule
Link:
https://www.unpac.me/results/9cb57de6-4817-4930-944d-41aedd3d67ea/
SH256 hash:
d79dd72319dcbefd88975bebca1fc4812d066939aa69cf3f83324025354f95d7
MD5 hash:
a2f81c93997af5cabc886981b6135891
SHA1 hash:
4a7690ae985bbf54212257c4e8a8751251980a0e
Link:
https://www.unpac.me/results/9cb57de6-4817-4930-944d-41aedd3d67ea/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d79dd72319dc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d79dd72319dcbefd88975bebca1fc4812d066939aa69cf3f83324025354f95d7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe d79dd72319dcbefd88975bebca1fc4812d066939aa69cf3f83324025354f95d7

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3114824/
  
URLhaus
https://urlhaus.abuse.ch/url/3120904/
  
URLhaus
https://urlhaus.abuse.ch/url/3122269/
  
URLhaus
https://urlhaus.abuse.ch/url/3120900/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments