MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db079b9f4b4bbe149d6acaae93f18a5da2f1017dbf900dfbef3559452718e999. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: db079b9f4b4bbe149d6acaae93f18a5da2f1017dbf900dfbef3559452718e999
SHA3-384 hash: cbe7e5150c56293ade2e230147ef9c7b3682e460f42af24d4016418ab15e9e9e7b4a855268d980dccb7363b72ffc22bf
SHA1 hash: 130152a4103b7e29de4a1afc79a4e7fb986a3e90
MD5 hash: 6b0748085f0c2402574c138e0cd836b6
humanhash: king-chicken-winner-michigan
File name:6B0748085F0C2402574C138E0CD836B6.exe
Download: download sample
Signature Stealc
Create hunting rule
File size:1'847'296 bytes
First seen:2023-08-28 05:55:29 UTC
Last seen:2023-08-28 13:25:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5745aa5ddd0d2812d1fd030bec82f591 (1 x Stealc)
ssdeep 24576:7YbZnq/bVIBla/hB6/c+pIs04ERWn8enP+ryES2HHHH45:7Cw/pB5gE08eP+r/S
Threatray 168 similar samples on MalwareBazaar
TLSH T134856D22B18288FAC073553C9C27BE7994567D1C1E38ABF93AF44E8C4E3D6513929397
TrID 69.6% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
27.5% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
1.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
0.4% (.EXE) Win32 Executable (generic) (4505/5/1)
0.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter abuse_ch
Tags:94-228-170-65 exe Stealc


Avatar
abuse_ch
Stealc C2:
http://94.228.170.65/f242026083c87346.php

Intelligence

File Origin
# of uploads :
3
# of downloads :
311
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6B0748085F0C2402574C138E0CD836B6.exe
Verdict:
Malicious activity
Analysis date:
2023-08-28 05:58:17 UTC
Tags:
stealc stealer loader
Link:
https://app.any.run/tasks/721e7db7-2655-4db8-83f9-8eba7017cac5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.20421.32351.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Sending a custom TCP request
Searching for synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Gathering data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control keylogger lolbin
Link:
https://www.filescan.io/uploads/64ec36f2781a72521a3d704b/reports/7fd4b0b9-db58-4691-a5db-4e8a3f640514/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/db079b9f4b4bbe149d6acaae93f18a5da2f1017dbf900dfbef3559452718e999
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Oski Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/18b40bab-659f-429d-bba6-dd98606b3676
Result
Threat name:
Stealc, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1298487
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Detected unpacking (creates a PE file in dynamic memory)
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/db079b9f4b4bbe149d6acaae93f18a5da2f1017dbf900dfbef3559452718e999/
Threat name:
Win32.Spyware.Stealc
Create hunting rule
Status:
Malicious
First seen:
2023-08-25 00:43:37 UTC
File Type:
PE (Exe)
Extracted files:
70
AV detection:
16 of 24 (66.67%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3mdzxh2ljo7bjhlkzkxjh4mklwrpcal5x6ia367pgvmukjyy5gmq._file
Verdict:
malicious
Similar samples:
05564e0d6fe1ae0a70943353d51dd0bc19a47ec896ee36533632d34b9f557a90
Stealc
0ae1d3ff00b7076d442781a34a881890ff117897c6d889247131eb18f0581f72
Stealc
13ce643b4ba34757d8d5fa9e071308fbb0120bd467588a4b3b7e6181275af6e7
Stealc
1b0da8603f31103a5d90152c983ddd534e128abed1901fe5debb660c0bb6ecce
Stealc
715821d03d18bb8dab9435aa68a6507532630ed3252dcbf76316a2e8ea228be8
Stealc
8320b1984cd007f2e819d2572382e0d231feae3b91ec2d30163665aa1295cdc5
Stealc
9e9898215c57e4dd2d5e9e34e6bd3eef1f1594ccb17ef2f1e4c6f90481044a18
Stealc
c4cc355c8e3bc52a53f43f85c606d824b607fd91ffff384393bc7f99823bb219
Stealc
cbc45ecc527566af8060f7dbaea341962df2350423dbc3c674c27dcf5b7d3892
Stealc
d8e82dd460b3e9538fcef64e56b5348fa777e5d73dc1d61d92fd49e7e7e7305b
Stealc
+ 158 additional samples on MalwareBazaar
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:stealc spyware stealer
Link:
https://tria.ge/reports/230828-gm1rbsac6t/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Stealc
Unpacked files
SH256 hash:
8f1acc0b78f398052d3189bddef8856de9e1f3c81b4b1fc172d229823f5dfad6
MD5 hash:
1a380e32e5630b0eede0e52c6dc78630
SHA1 hash:
5d196c7aa940a194338745be9603dd0e3d873b3d
Link:
https://www.unpac.me/results/4b39f403-9e5e-402f-89e3-b5102f981a20/
SH256 hash:
db079b9f4b4bbe149d6acaae93f18a5da2f1017dbf900dfbef3559452718e999
MD5 hash:
6b0748085f0c2402574c138e0cd836b6
SHA1 hash:
130152a4103b7e29de4a1afc79a4e7fb986a3e90
Link:
https://www.unpac.me/results/4b39f403-9e5e-402f-89e3-b5102f981a20/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/db079b9f4b4b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/db079b9f4b4bbe149d6acaae93f18a5da2f1017dbf900dfbef3559452718e999

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments