MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dce56b03d138ced62c5137c164d18240efe3e4a084c70547614b657e2049c6af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 14

Intelligence 14 IOCs YARA 1 File information Comments

SHA256 hash:	dce56b03d138ced62c5137c164d18240efe3e4a084c70547614b657e2049c6af
SHA3-384 hash:	c22f660c0d726ab97ba2017a4f7f08ff001dfcb08279527d47212e8936e620a3ddb9998b4e214528032dcb236399b450
SHA1 hash:	43208843e80266106e5c96867e7113e90a6f0b59
MD5 hash:	967d1d2071a7f0afa075145319eea73d
humanhash:	nuts-yankee-floor-delaware
File name:	967d1d2071a7f0afa075145319eea73d.exe
Download:	download sample
Signature	Stealc Create hunting rule
File size:	223'232 bytes
First seen:	2024-05-10 07:45:08 UTC
Last seen:	2024-05-10 08:36:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	eb1649baa83dbc66737b8a7de83dd782 (3 x Stealc)
ssdeep	3072:nab6hHRRQOm9UuHbbrTNjd6SeQU04rUvKew5V1Nk4vY:ZhHRHZufH5QgUHUyeIrv
Threatray	1'033 similar samples on MalwareBazaar
TLSH	T1A624DF2176D0D032F8D785705574C6F4EE7AB872C7A9944BB3A82BAE1A733D05336386
TrID	37.3% (.EXE) Win64 Executable (generic) (10523/12/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 15.9% (.EXE) Win32 Executable (generic) (4504/4/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	64d29a9891b98981 (1 x Stealc, 1 x PureLogsStealer)
Reporter	abuse_ch
Tags:	exe Stealc

Intelligence

File Origin

# of uploads :

# of downloads :

284

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

dce56b03d138ced62c5137c164d18240efe3e4a084c70547614b657e2049c6af.exe

Verdict:

Malicious activity

Analysis date:

2024-05-10 08:21:54 UTC

Tags:

stealer stealc

Link:

https://app.any.run/tasks/80086081-c4cb-4f33-8cef-e2ae3ffe2113

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.16420.4843.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Running batch commands

Creating a process with a hidden window

Launching a process

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Connection attempt to an infection source

Sending an HTTP GET request to an infection source

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

fingerprint

Link:

https://www.filescan.io/uploads/663dd0be11114a9ab5e798f2/reports/6efdbf78-7bd0-4606-bac7-b2759cd3fed4/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/dce56b03d138ced62c5137c164d18240efe3e4a084c70547614b657e2049c6af

Malware family:

Stealc

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7ee78ead-bcb2-4bc8-9854-e26fb6aa7808

Result

Threat name:

Mars Stealer, PrivateLoader, Stealc, Vid

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1439394

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found evasive API chain (may stop execution after checking locale)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Overwrites Mozilla Firefox settings

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Snort IDS alert for network traffic

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Yara detected Mars stealer

Yara detected PrivateLoader

Yara detected Stealc

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/dce56b03d138ced62c5137c164d18240efe3e4a084c70547614b657e2049c6af

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/dce56b03d138ced62c5137c164d18240efe3e4a084c70547614b657e2049c6af/

Threat name:

Win32.Trojan.Smokeloader

Status:

Malicious

First seen:

2024-05-09 18:16:04 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3tswwa6rhdhnmlcrg7awjumcidx6hzfaqtdqkr3bjnsx4icjy2xq._file

Verdict:

malicious

Stealc

326a97291a3f81e3b1b9e96576add117922b946e04e119f22cdf08e2863f6d07

Stealc

373fdc4b1219c8bd03862099f5f7bc85c46d77b727ee79553fcf978fbcafcc49

Stealc

47e56f3493eeb0f41a19e825ab34bc25176aef6708f1e20df70f9dbe0c4f1203

Stealc

62cd7b447bdee3ec1670c92d9585e1fddbaa5d4ee824dee8f15940005bf95414

Stealc

715ef91104fd8160361294cbc50db128ebb02bd5c707d3cfe41e825d54dc76fa

Stealc

adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8

Stealc

+ 1'023 additional samples on MalwareBazaar

Result

Malware family:

stealc

Score:

10/10

Tags:

family:stealc discovery spyware stealer

Link:

https://tria.ge/reports/240510-jlf2msba9z/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Enumerates physical storage devices

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Downloads MZ/PE file

Stealc

Malware Config

C2 Extraction:

http://185.172.128.150

Unpacked files

SH256 hash:

18f53dd06e6d9d5dfe1b60c4834a185a1cf73ba449c349b6b43c753753256f62

MD5 hash:

8022ef84cfe9deb72b1c66cd17cac1cd

SHA1 hash:

a952b1ed963346d5029a9acb3987d5e3a65c47a3

Detections:

stealc

win_stealc_auto

Link:

https://www.unpac.me/results/0754bf64-1ffa-4766-b7e0-2dd4e5513fad/

Parent samples :

f98a232e9e666e4af8894757f171505040762677b4fcfa4e00269ea548ca13f7
6760a4705383711ee29812a1e6f56b8d60c48a5375382025ce98ad4d0f2893ac
52aa0c072e5c7fef19391a933cb34b085bf34d258d3fd7603a99907b262d547d
fc78e8de8a0ef72dba38b06c7f884087a37db530035976a88a230fe0c683c4cc
508baf86ec9cd4c0ed812dfa9cbdd444a14a54de40f50543d71b21b052da72d2
a825b92f75bda1a0ab93970d92a09b91c04ea7cccae4c7524b2fa4aa9108ffbd
7da7503189aac8a6be5b013858eb04b2e4c2e605c0c39b7a19279fca10241261
091f1847e19348057903f9118cbffe6c61eb097deb75ccfd9faa19f4f2566a37
40aafb9123cf17b680ab9bf168950a073d7c1c703af7f61cf3b6ab907ec4244a
2144c4137bde2e41c2cd63b8c509889c33b564f6a9bc40f0c2dfb8edad66026b
d37f54aa31485a49ae8d66d29e1d235cad52c576403da0785b82df6dab97db29
49367aa06446dda922e9fff631a7e35bd85555f5e6554d22728d69c543111b82
dce56b03d138ced62c5137c164d18240efe3e4a084c70547614b657e2049c6af
024294f22a290e5e1729596c49f2509955f301f29106fe0f67413f7e2a88f2d9
7dbf762b2ef2b651a4e8c7b7d9b8996a1de0cfa44119452f1d3f29bfe03dfd86

SH256 hash:

dce56b03d138ced62c5137c164d18240efe3e4a084c70547614b657e2049c6af

MD5 hash:

967d1d2071a7f0afa075145319eea73d

SHA1 hash:

43208843e80266106e5c96867e7113e90a6f0b59

Link:

https://www.unpac.me/results/0754bf64-1ffa-4766-b7e0-2dd4e5513fad/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/dce56b03d138ced62c5137c164d18240efe3e4a084c70547614b657e2049c6af

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryA KERNEL32.dll::GetStartupInfoA KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleA KERNEL32.dll::WriteConsoleW KERNEL32.dll::SetConsoleScreenBufferSize KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample