MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e007c47e0d8481bc55c96cf726690770e50211b8087b4674f9dee04f51bc6a17. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 11


Intelligence 11 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e007c47e0d8481bc55c96cf726690770e50211b8087b4674f9dee04f51bc6a17
SHA3-384 hash: 63315dc89a53c37e930b1c1fb2515c2a1f9c44712ac4cd046fe88a55e33c6d4e47e2bfcb307b64dabc3a0f77fb5424d4
SHA1 hash: b2f94c979cfab830e3c1687cdbb8699728ba1b14
MD5 hash: 3868a789366cd7be5401220c3ece2b24
humanhash: utah-enemy-avocado-blue
File name:3868a789366cd7be5401220c3ece2b24.exe
Download: download sample
Signature Stealc
Create hunting rule
File size:1'260'184 bytes
First seen:2023-08-17 04:20:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ddef02f3fe1fdd30aa1a5f68ac30fc56 (1 x Stealc)
ssdeep 12288:9djhyMR0mzd/diBt5/0bPjR4bhW5tIkKOc2yymO8T71/Y+8QJAXzkVXYsorrb+UT:vRHzdsBQbjR4VeOkKtdOwheQJIFs4+
Threatray 222 similar samples on MalwareBazaar
TLSH T11745285F50B531A3FAC955E836CB832DC81A7CB1AB66B401BB7471D441B9C31EF2A887
TrID 52.9% (.EXE) Win32 Executable (generic) (4505/5/1)
23.5% (.EXE) Generic Win/DOS Executable (2002/3)
23.5% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 483974c4a4ecdc38 (1 x Stealc)
Reporter abuse_ch
Tags:exe Stealc


Avatar
abuse_ch
Stealc C2:
http://5.42.65.52/9fd9dde806b954c2.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
300
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3868a789366cd7be5401220c3ece2b24.exe
Verdict:
No threats detected
Analysis date:
2023-08-17 04:21:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e0343527-a37a-40cd-b109-5e6bd568f506

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/443124/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.7807.4350.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Searching for the window
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/103020/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
explorer lolbin overlay packed winlock
Link:
https://www.filescan.io/uploads/64dda02fd93d2691ab4fd717/reports/f55218da-1d8a-410a-b831-0a8e9afe8d58/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/e007c47e0d8481bc55c96cf726690770e50211b8087b4674f9dee04f51bc6a17
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0b3bdf07-350b-48d0-8854-3b6b28311090
Result
Threat name:
Stealc, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1292569
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e007c47e0d8481bc55c96cf726690770e50211b8087b4674f9dee04f51bc6a17/
Threat name:
Win32.Spyware.Stealc
Create hunting rule
Status:
Suspicious
First seen:
2023-08-09 13:20:48 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
15 of 38 (39.47%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4ad4i7qnqsa3yvojnt3sm2ihodsqeenybb5um5hz33qe6un4nilq._file
Verdict:
malicious
Similar samples:
0dd1d1a74f49a15f9b7dcfc7890060807198b74b835cb17f60886a0f2c9c1376
Stealc
28ca1fe12d85075d947b1bc3292c14cba784ed1e22287e56819d9a1d86b2f7e4
Stealc
3e924b372c019c41e9995a276ce5c1b1487d14ceb9fbc8d606a09a83df5989b8
Stealc
61436285b70355a6e0239c982c9b4a12cf2061c5b9c1eb2f4ff97133c549e891
Stealc
7fa868c908374d9a48101bf8ed26b2f2c762773594106f176bd4ca279a91932c
Stealc
bf71631457bec8633d10c816bfa914ef51bee4acda9a37c2613697976a21decb
Stealc
d99fdee30a323b0ed4cfbd9c4661530f45b368f829869604fb9a83debfff7a32
Stealc
daff7ba0e08e663f81f9b13a759221cb626b0e5cf45a6b17bb4d65663023cf78
Stealc
f842837f9f2f4794a3e909771825541f207304a5148cc630812be2ae71253d1b
Stealc
ff3949d2a8e0d6b08d2b8b643cdfc6a26f44352da217b4a537e9c16d96ed7198
Stealc
+ 212 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/230817-eym89sfc32/
Behaviour
Downloads MZ/PE file
Unpacked files
SH256 hash:
e007c47e0d8481bc55c96cf726690770e50211b8087b4674f9dee04f51bc6a17
MD5 hash:
3868a789366cd7be5401220c3ece2b24
SHA1 hash:
b2f94c979cfab830e3c1687cdbb8699728ba1b14
Link:
https://www.unpac.me/results/0f6f8ad4-b1ef-45d8-a013-c599c8b69912/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e007c47e0d8481bc55c96cf726690770e50211b8087b4674f9dee04f51bc6a17

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:detect_Mars_Stealer
Create hunting rule
Author:@malgamy12
Description:detect_Mars_Stealer
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of MFA browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:sus_pe_free_without_allocation
Create hunting rule
Author:Maxime THIEBAUT (@0xThiebaut)
Description:Detects an executable importing functions to free memory without importing allocation functions, often indicative of dynamic import resolution
Rule name:TeslaCryptPackedMalware
Create hunting rule
Rule name:yara_template
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/443124/

Comments