MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9731a8aa35b79ab73cf572052820f160fd86948e546eafc9f8cf66c285229ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 14

SHA256 hash: d9731a8aa35b79ab73cf572052820f160fd86948e546eafc9f8cf66c285229ab
SHA3-384 hash: 3be66ab6ddb0b67af658cc613e648f7f6e1f74622db1c556567d168907c3d7432634f9cb3003a10641d390af5b13f355
SHA1 hash: 104b8b572f8080aa914bf162eb0762d40da1b6ee
MD5 hash: db93b7eff4c2415afc573cba1930c376
humanhash: bacon-alanine-fifteen-kilo
File name: db93b7eff4c2415afc573cba1930c376.exe
Signature: Stealc
File size: 810'496 bytes
First seen: 2024-02-04 05:15:06 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7515ecf8c0dfa4d230ad835fe0acb57f (18 x Amadey, 4 x RedLineStealer, 2 x RiseProStealer)
ssdeep: 12288:2N0TBLJH+SjPqZ8VfwMnSo7YNQDLPxez8dFlZqBUOZjSVXNpbycdc1mFdj/RA:2N0TBLNDqZ8VDnDwQQz+8PjSfcM7/
TLSH: T1900533EA015651A2E171ABF2A0C656FBE5953C1C65CC9A123F8F13920F7017EFF8A305
TrID:
  29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
  20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
  9.1% (.EXE) OS/2 Executable (generic) (2029/13)
  9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter: abuse_ch
Tags: exe Stealc


abuse_ch
Stealc C2:
88.210.9.117:50500

Intelligence


File Origin
# of uploads: 1
# of downloads: 357
Origin country: NL
Vendor Threat Intelligence
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-vm enigma lolbin obfuscated packed packed shell32
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: Amadey, PureLog Stealer, RedLine, Stealc
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Detected Stratum mining protocol
Detected unpacking (changes PE section rights)
Found malware configuration
Found strings related to Crypto-Mining
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected Stealc
Yara detected Xmrig cryptocurrency miner
Yara detected zgRAT
Behaviour
Behavior Graph (ID 1386269; sample J19tdzgS5w.exe; start date 04/02/2024; architecture WINDOWS; score 100)

Root-level network: secretionsuitcasenioise.shop, pool.hashvault.pro, 5 other IPs or domains
Root-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 20 other signatures
Root-level processes started: J19tdzgS5w.exe, smazgcisoglo.exe, uyzpsnbeowaz.exe, 3 other processes

J19tdzgS5w.exe
  Dropped: C:\Users\user\AppData\Local\...\explorhe.exe (PE32)
  Signatures: Detected unpacking (changes PE section rights); Contains functionality to detect sleep reduction / modifications
  Started: explorhe.exe

smazgcisoglo.exe
  Dropped: C:\Windows\Temp\kuqnenisrrbs.sys (PE32+)
  Signatures: Multi AV Scanner detection for dropped file; Injects code into the Windows Explorer (explorer.exe); Modifies the context of a thread in another process (thread injection)
  Started: explorer.exe

uyzpsnbeowaz.exe
  Dropped: C:\Windows\Temp\ejecottirzko.sys (PE32+)
  Signatures: Sample is not signed and drops a device driver; Modifies power options to not sleep / hibernate
  Started: cmd.exe, powercfg.exe (x2), 2 other processes

3 other processes
  Started: sc.exe (x2), 2 other processes

explorhe.exe
  Network: 185.215.113.68 (ports 49729, 49730, 49732; WHOLESALECONNECTIONSNL, Portugal); 109.107.182.3 (ports 49737, 49747, 49749; TELEPORT-TV-ASRU, Russian Federation); 2 other IPs or domains
  Dropped: C:\Users\user\AppData\Roaming\...\clip64.dll (PE32); C:\Users\user\AppData\Local\...\Amadey.exe (PE32); C:\Users\user\AppData\Local\...\lumma1234.exe (PE32); 33 other malicious files
  Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Creates an undocumented autostart registry key; 5 other signatures
  Started: daissss.exe, alex.exe, 7 other processes

explorer.exe
  Network: 142.202.242.43 (ports 49752, 80; 1GSERVERSUS, Reserved)
  Signatures: System process connects to network (likely due to code injection or exploit); Query firmware table information (likely to detect VMs)

cmd.exe
  Network: pool.hashvault.pro 142.202.242.45 (ports 49735, 80; 1GSERVERSUS, Reserved)
  Signatures: Found strings related to Crypto-Mining

powercfg.exe / sc.exe (from uyzpsnbeowaz.exe and the 3 other processes)
  Started: conhost.exe (one per instance); 2 other processes each from the remaining children

daissss.exe
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions
  Started: RegAsm.exe, conhost.exe

alex.exe
  Signatures: Allocates memory in foreign processes; Injects a PE file into a foreign processes

7 other processes (from explorhe.exe)
  Network: 45.15.156.209 (ports 40481, 49754; RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU, Russian Federation)
  Dropped: C:\ProgramData\...\smazgcisoglo.exe (PE32+); C:\ProgramData\...\uyzpsnbeowaz.exe (PE32+); C:\ProgramData\...\uwgxswmtctao.exe (PE32+)
  Signatures: System process connects to network (likely due to code injection or exploit); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); 3 other signatures
  Started: powercfg.exe (x3), 10 other processes

RegAsm.exe
  Network: 144.76.1.85 (ports 18574, 49750; HETZNER-ASDE, Germany)
  Dropped: C:\Users\user\AppData\Local\...\qemu-ga.exe (PE32)
  Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

powercfg.exe (x3) and 10 other processes (from the 7 other processes)
  Started: conhost.exe (x7), 6 other processes
Threat name: Win32.Trojan.Amadey
Status: Malicious
First seen: 2024-02-04 05:16:06 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 23 of 24 (95.83%)
Threat level: 5/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:amadey family:redline family:risepro family:xmrig family:zgrat botnet:1 botnet:@oleh_ps botnet:@oni912 botnet:@pixelscloud discovery evasion infostealer miner persistence rat stealer trojan upx
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Launches sc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Looks up external IP address via web service
.NET Reactor protector
Checks computer location settings
Executes dropped EXE
Modifies file permissions
UPX packed file
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
XMRig Miner payload
Amadey
Detect ZGRat V1
RedLine
RedLine payload
RisePro
ZGRat
xmrig
Malware Config
C2 Extraction:
http://185.215.113.68
193.233.132.62:50500
45.15.156.209:40481
185.172.128.33:8924
94.156.67.230:13781
92.222.212.74:1450
http://193.233.132.167
Unpacked files
SHA256 hash: d9731a8aa35b79ab73cf572052820f160fd86948e546eafc9f8cf66c285229ab
MD5 hash: db93b7eff4c2415afc573cba1930c376
SHA1 hash: 104b8b572f8080aa914bf162eb0762d40da1b6ee
Detections: SUSP_XORed_URL_In_EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Amadey
Author: kevoreilly
Description: Amadey Payload
Rule name: BLOWFISH_Constants
Author: phoul (@phoul)
Description: Look for Blowfish constants
Rule name: Borland
Author: malware-lu
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerHiding__Thread
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: EnigmaProtector1XSukhovVladimirSergeNMarkin
Author: malware-lu
Rule name: EnigmaStub
Author: @bartblaze
Description: Identifies Enigma packer stub.
Rule name: ldpreload
Author: xorseed
Reference: https://stuff.rop.io/
Rule name: MacOS_Cryptominer_Generic_333129b7
Author: Elastic Security
Rule name: MacOS_Cryptominer_Xmrig_241780a1
Author: Elastic Security
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: MALWARE_Win_CoinMiner02
Author: ditekSHen
Description: Detects coinmining malware
Rule name: MAL_XMR_Miner_May19_1
Author: Florian Roth (Nextron Systems)
Description: Detects Monero Crypto Coin Miner
Reference: https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Rule name: MAL_XMR_Miner_May19_1_RID2E1B
Author: Florian Roth
Description: Detects Monero Crypto Coin Miner
Reference: https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: meth_get_eip
Author: Willi Ballenthin
Rule name: Mimikatz_Generic
Author: Still
Description: attempts to match all variants of Mimikatz
Rule name: rig_win64_xmrig_6_13_1_xmrig
Author: yarGen Rule Generator
Description: rig_win64 - file xmrig.exe
Reference: https://github.com/Neo23x0/yarGen
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants
Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants
Rule name: SUSP_XORed_URL_In_EXE
Author: Florian Roth (Nextron Systems)
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834
Rule name: SUSP_XORed_URL_in_EXE_RID2E46
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834
Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques
Rule name: WHIRLPOOL_Constants
Author: phoul (@phoul)
Description: Look for WhirlPool constants
Rule name: win_amadey_a9f4
Author: Johannes Bader
Description: matches unpacked Amadey samples
Rule name: win_amadey_bytecodes_oct_2023
Author: Matthew @ Embee_Research
Rule name: XMRIG_Monero_Miner
Author: Florian Roth (Nextron Systems)
Description: Detects Monero mining software
Reference: https://github.com/xmrig/xmrig/releases

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Signature: Stealc
File: Executable exe d9731a8aa35b79ab73cf572052820f160fd86948e546eafc9f8cf66c285229ab (this sample)
Delivery method: Distributed via web download

Comments