MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc2cb621cd67b222f252fdc1adb74832f4d5bfc8073c3b7b8355028a23c12746. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Stealc


Vendor detections: 14



SHA256 hash: dc2cb621cd67b222f252fdc1adb74832f4d5bfc8073c3b7b8355028a23c12746
SHA3-384 hash: ae1aa6f74f6885522c3263c4370eed6c4feea6a7442221e047abe714ddb7bc5b1c11a36700d41a81d7e8e95cd0861edd
SHA1 hash: 80df9c919266a0ed651c47d23931fc5cbd5daf0a
MD5 hash: c80daace1f75b6af2b650dc619840093
humanhash: high-yankee-crazy-texas
File name: c80daace1f75b6af2b650dc619840093.exe
Signature: Stealc
File size: 1'119'744 bytes
First seen: 2023-07-04 02:25:31 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash c0b982935066cb4c97fab7a3ba797919 (2 x RedLineStealer, 1 x Stealc)
ssdeep 6144:TFk+jKPRBdsmyUzvw3AwPHDLd1x/AOxcYPF+NN:JWRBdsmyU7wPHxf3PwD
Threatray 596 similar samples on MalwareBazaar
TLSH T17E358C2131D1B033D6A22D3F48908778D77DA52209664E6F97D3CB7E8EAF640892CD76
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags: exe Stealc


abuse_ch
Stealc C2:
http://212.118.43.207/b5e0972e09e482c4.php

Intelligence


File Origin
# of uploads:
1
# of downloads:
351
Origin country:
NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c80daace1f75b6af2b650dc619840093.exe
Verdict:
Malicious activity
Analysis date:
2023-07-04 02:27:36 UTC
Tags:
stealc trojan stealer loader lumma

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Searching for synchronization primitives
Creating synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Searching for the window
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control greyware lolbin packed shell32
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
MinerDownloader, Stealc, Vidar, Xmrig
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Country aware sample found (crashes after keyboard check)
Encrypted powershell cmdline option found
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Sample is not signed and drops a device driver
Searches for specific processes (likely to inject)
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic MinerDownloader
Yara detected Stealc
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID 1266310; sample JuwD3SxfBQ.exe; start date 04/07/2023; architecture WINDOWS; score 100)
Top-level signatures: Snort IDS alert for network traffic; Found malware configuration; Multi AV Scanner detection for dropped file; 13 other signatures
Process tree (node numbers as in the graph):
JuwD3SxfBQ.exe (12)
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  AppLaunch.exe (15)
    Network: 212.118.43.207:80 (CITYLAN-ASRU, Russian Federation); acienco.com 190.8.176.31:443 (ColombiaHostingCO, Colombia)
    Dropped: C:\Users\user\AppData\...\HDAFHIDGIJ.exe (PE32); C:\Users\user\...\mmfqdf2p9r107[1].exe (PE32)
    Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Found evasive API chain (may stop execution after checking locale); 2 other signatures
    cmd.exe (22)
      Signatures: Encrypted powershell cmdline option found; Uses schtasks.exe or at.exe to add and modify task schedules
      HDAFHIDGIJ.exe (25)
        Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions; 2 other signatures
        AppLaunch.exe (30)
          Signatures: Injects a PE file into a foreign processes
          AppLaunch.exe (37)
            Network: github.com 140.82.121.4:443 (GITHUBUS, United States); pastebin.com 172.67.34.170:443 (CLOUDFLARENETUS, United States)
            Dropped: C:\ProgramData\HostData\logs.uce (ASCII)
            Signatures: Sample is not signed and drops a device driver
            cmd.exe (44)
              Signatures: Encrypted powershell cmdline option found
              conhost.exe (51)
              powershell.exe (53)
            cmd.exe (47)
              conhost.exe (55)
              schtasks.exe (57)
            cmd.exe (49)
              conhost.exe (59)
              schtasks.exe (61)
          conhost.exe (42)
        WerFault.exe (33)
        AppLaunch.exe (35)
      conhost.exe (28)
  WerFault.exe (20)
    Network: 192.168.2.1 (unknown)
    Dropped: C:\ProgramData\Microsoft\...\Report.wer (Unicode)
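The sandbox signatures above (AppLaunch.exe used as an injection host that then spawns cmd.exe, an encoded PowerShell command line, and schtasks.exe persistence) map onto simple process-creation rules. The script below is an added example written for this page, not MalwareBazaar or sandbox-vendor code; the events it runs over are constructed to follow the shape of the process tree above (process names, parent/child relations, and a task path under C:\ProgramData) and are not telemetry captured from the sample.

```python
"""Added example: detection checks modelled on the sandbox signatures listed above.

Not MalwareBazaar or vendor code. EVENTS is constructed to mirror the reported
process tree; the command lines are illustrative, not captured from the sample.
"""
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (Sysmon Event ID 1 shape, reduced to what the rules need)."""
    pid: int
    ppid: int
    image: str          # basename of the new process
    parent_image: str   # basename of the creating process
    cmdline: str


# Constructed events following the tree above; not telemetry from the sample.
EVENTS = [
    ProcEvent(12, 2, "JuwD3SxfBQ.exe", "explorer.exe", "JuwD3SxfBQ.exe"),
    ProcEvent(15, 12, "AppLaunch.exe", "JuwD3SxfBQ.exe", "AppLaunch.exe"),
    ProcEvent(22, 15, "cmd.exe", "AppLaunch.exe",
              'cmd.exe /c "C:\\Users\\user\\AppData\\Roaming\\HDAFHIDGIJ.exe"'),
    ProcEvent(44, 37, "cmd.exe", "AppLaunch.exe",
              "cmd.exe /c powershell -w hidden -enc SQBFAFgA"),
    ProcEvent(53, 44, "powershell.exe", "cmd.exe", "powershell -w hidden -enc SQBFAFgA"),
    ProcEvent(57, 47, "schtasks.exe", "cmd.exe",
              'schtasks /create /f /tn "HostData" /sc minute /mo 5 '
              '/tr "C:\\ProgramData\\HostData\\upd.exe"'),
    # Benign noise: an administrator querying an existing task.
    ProcEvent(90, 80, "schtasks.exe", "cmd.exe", "schtasks /query /tn Backup"),
]

# PowerShell accepts abbreviations of -EncodedCommand; the argument is base64 of UTF-16LE text.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
TASK_TARGET_RE = re.compile(r'(?i)/tr\s+"?([^"\s]+)')
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")


def decode_encoded_command(b64: str) -> str:
    """Recover the script text behind a -EncodedCommand argument."""
    return base64.b64decode(b64).decode("utf-16-le")


def run_rules(events):
    """Return (rule, pid, detail) for every event that trips a rule."""
    hits = []
    for ev in events:
        image = ev.image.lower()
        parent = ev.parent_image.lower()
        cmd = ev.cmdline

        # 1. AppLaunch.exe (the .NET Framework launcher) is a frequent hollowing target for
        #    stealers; legitimate use rarely has it spawning a shell.
        if parent == "applaunch.exe" and image in ("cmd.exe", "powershell.exe"):
            hits.append(("applaunch_spawns_shell", ev.pid, cmd))

        # 2. Encoded PowerShell: decode the payload so the analyst sees what actually runs.
        m = ENC_RE.search(cmd)
        if m and "powershell" in cmd.lower():
            try:
                detail = decode_encoded_command(m.group(1))
            except (ValueError, UnicodeDecodeError):
                detail = "<undecodable payload>"
            hits.append(("encoded_powershell", ev.pid, detail))

        # 3. schtasks creating a task whose action lives in a user-writable directory.
        if image == "schtasks.exe" and "/create" in cmd.lower():
            t = TASK_TARGET_RE.search(cmd)
            if t and any(d in t.group(1).lower() for d in USER_WRITABLE):
                hits.append(("schtasks_create_userdir", ev.pid, t.group(1)))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in run_rules(EVENTS):
        print(f"{rule:26} pid={pid:<4} {detail}")
```

Rule 3 deliberately ignores the `/query` event so that routine task administration does not fire; in production the parent/child check in rule 1 is the high-signal one, since the sandbox tree shows AppLaunch.exe as the parent of every cmd.exe instance.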
Threat name:
Win32.Spyware.Marsstealer
Status:
Malicious
First seen:
2023-07-04 02:26:05 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
12 of 24 (50.00%)
Threat level:
  2/5
Result
Malware family:
Score:
  10/10
Tags:
family:stealc spyware stealer
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Detects Stealc stealer
Stealc
Malware Config
C2 Extraction:
http://212.118.43.207/b5e0972e09e482c4.php
Unpacked files
SHA256 hash:
5b8d65c889f80a7338dd3cc50e2d43af1502c8a6420d0f831278fcfb7ded3b68
MD5 hash:
3313110876534e6137e4bec3f027b174
SHA1 hash:
ae9214c13ce315ebc85f973dfe4c9f012be22546
Detections:
stealc win_stealc_w0 win_stealc_auto win_stealc_a0
SHA256 hash:
dc2cb621cd67b222f252fdc1adb74832f4d5bfc8073c3b7b8355028a23c12746
MD5 hash:
c80daace1f75b6af2b650dc619840093
SHA1 hash:
80df9c919266a0ed651c47d23931fc5cbd5daf0a
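Before the hashes and the extracted C2 URL from this entry go into a blocklist or a hunt query, it is worth validating them: scraped and hand-copied indicators regularly lose a character, and an IP literal with a missing dot will never match anything while looking plausible at a glance. The script below is an added example, not MalwareBazaar code. RECORD transcribes the SHA256, SHA1, MD5 and C2 values shown on this page; the last two entries are constructed malformed inputs (a dropped dot in the dotted quad and a truncated digest) included only to show what the checks reject.

```python
"""Added example: validate the indicators from this entry before using them.

Not MalwareBazaar code. RECORD copies values from the page; the final two
entries are constructed bad inputs for demonstration.
"""
import ipaddress
import re
from urllib.parse import urlsplit

HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64}

# (kind, value) pairs: hashes and C2 from this entry, then two constructed malformed inputs.
RECORD = [
    ("sha256", "dc2cb621cd67b222f252fdc1adb74832f4d5bfc8073c3b7b8355028a23c12746"),
    ("sha1", "80df9c919266a0ed651c47d23931fc5cbd5daf0a"),
    ("md5", "c80daace1f75b6af2b650dc619840093"),
    ("sha256", "5b8d65c889f80a7338dd3cc50e2d43af1502c8a6420d0f831278fcfb7ded3b68"),  # unpacked payload
    ("c2", "http://212.118.43.207/b5e0972e09e482c4.php"),
    # Constructed: a dropped dot in the IPv4 literal, and a digest two characters short.
    ("c2", "http://212.11843.207/b5e0972e09e482c4.php"),
    ("sha256", "dc2cb621cd67b222f252fdc1adb74832f4d5bfc8073c3b7b8355028a23c127"),
]


def check_hash(kind: str, value: str) -> str:
    """Lower-case the digest and reject anything that is not hex of the expected length."""
    v = value.strip().lower()
    if re.fullmatch(r"[0-9a-f]{%d}" % HASH_LEN[kind], v):
        return v
    raise ValueError(f"{kind} digest malformed: {value!r}")


def check_c2(url: str):
    """Return (host, port, path). A numeric host must parse as a real IP address."""
    u = urlsplit(url)
    if u.scheme not in ("http", "https") or not u.hostname:
        raise ValueError(f"unsupported C2 URL: {url!r}")
    host = u.hostname
    if re.fullmatch(r"[0-9.]+", host):           # looks like an IPv4 literal
        host = str(ipaddress.ip_address(host))  # raises ValueError on a malformed quad
    port = u.port or (443 if u.scheme == "https" else 80)
    return host, port, u.path


def build_iocs(record):
    """Separate validated indicators from errors so a bad line never silently disappears."""
    out = {"hashes": {}, "c2": [], "errors": []}
    for kind, value in record:
        try:
            if kind == "c2":
                out["c2"].append(check_c2(value))
            else:
                out["hashes"].setdefault(kind, []).append(check_hash(kind, value))
        except ValueError as exc:
            out["errors"].append(str(exc))
    return out


if __name__ == "__main__":
    result = build_iocs(RECORD)
    for host, port, path in result["c2"]:
        print(f"C2 {host}:{port}{path}")
    for err in result["errors"]:
        print("rejected:", err)
```

The errors list is the important output: an indicator that fails validation should be fixed against the source (here, the reporter's comment and the sandbox network section both give 212.118.43.207) rather than dropped quietly.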
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AppLaunch
Author: iam-py-test
Description: Detect files referencing .Net AppLaunch.exe
Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name: infostealer_win_stealc_standalone
Description: Find standalone Stealc sample based on decryption routine or characteristic strings
Reference: https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/
Rule name: Stealc
Author: kevoreilly
Description: Stealc Payload
Rule name: Win32_Infostealer_StealC
Author: ReversingLabs
Description: Yara rule that detects StealC infostealer.
Rule name: win_stealc_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.stealc.
Rule name: win_stealc_w0
Author: crep1x
Description: Find standalone Stealc sample based on decryption routine or characteristic strings
Reference: https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/
Rule name: yara_template

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments