MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e0e4c0197377c86f94470fb39e1641f4ffa39c85a7729eb1b5dc17a2edbf2655. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e0e4c0197377c86f94470fb39e1641f4ffa39c85a7729eb1b5dc17a2edbf2655
SHA3-384 hash: ccddd8e918c88d3aa46a60b78847537d7b50a88625b333655b3c704db7a77ae213d3234e62ea5097c1fcd9888e30be5e
SHA1 hash: 8e382c27793075fa50e3512a137d91984492e059
MD5 hash: 69163f8cd516a3493d026681237ff07a
humanhash: low-gee-salami-yellow
File name:file
Download: download sample
Signature Stealc
Create hunting rule
File size:637'152 bytes
First seen:2024-03-14 02:14:49 UTC
Last seen:2024-03-14 04:18:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:OqpM/HkxswcXKC2zNWfm2YRm5sm2YRm5hkxswcXKC2zNWX5:PSZX9uWfm2Yysm2YyhZX9uWJ
TLSH T14FD48E0BB302971ACD526D7C95A1C3602735FF69FB439A0BB1BEFB5126431A01EE52D8
TrID 70.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
12.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.5% (.ICL) Windows Icons Library (generic) (2059/9)
2.4% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter Bitsight
Tags:exe signed Stealc

Code Signing Certificate

Organisation:Microsoft Code Signing PCA 2011
Issuer:Microsoft Code Signing PCA 2011
Algorithm:sha256WithRSAEncryption
Valid from:2024-03-13T08:23:45Z
Valid to:2025-03-13T08:23:45Z
Serial number: be927a19efe90e209100f36513c833b9
Thumbprint Algorithm:SHA256
Thumbprint: 41eb41ea9f439a79051d7d5cb8f499c4dc5811679664291d3365735453f11c85
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
Bitsight
url: http://15.204.38.240/files/InstallSetup2.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
402
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e0e4c0197377c86f94470fb39e1641f4ffa39c85a7729eb1b5dc17a2edbf2655.exe
Verdict:
Malicious activity
Analysis date:
2024-03-14 02:15:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/147da6f3-9fe0-4b2d-b5ff-4d52cc2e610b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/478977/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2742.11158.13557.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Creating a process with a hidden window
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a file
Moving a file to the Program Files subdirectory
Replacing files
Blocking the User Account Control
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/65f25da8204403ca94d429ce/reports/0e3b76d4-2c6d-49ce-95a2-5ccede0b4c32/overview
Verdict:
Malicious
Labled as:
MSILHeracles.Generic
Link:
https://www.hybrid-analysis.com/sample/e0e4c0197377c86f94470fb39e1641f4ffa39c85a7729eb1b5dc17a2edbf2655
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Glupteba
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/61569930-aec5-4ec4-b2ed-1d7e8e20a897
Result
Threat name:
Glupteba, Mars Stealer, Stealc, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1408738
Signature
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables UAC (registry)
Drops script or batch files to the startup folder
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Searches for specific processes (likely to inject)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Drops script at startup location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected Mars stealer
Yara detected Stealc
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1408738 Sample: file.exe Startdate: 14/03/2024 Architecture: WINDOWS Score: 100 142 Found malware configuration 2->142 144 Malicious sample detected (through community Yara rule) 2->144 146 Antivirus detection for dropped file 2->146 148 19 other signatures 2->148 10 file.exe 15 3 2->10         started        14 cmd.exe 2->14         started        process3 dnsIp4 128 172.67.140.87 CLOUDFLARENETUS United States 10->128 170 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 10->170 172 Writes to foreign memory regions 10->172 174 Adds a directory exclusion to Windows Defender 10->174 176 3 other signatures 10->176 16 RegAsm.exe 15 498 10->16         started        21 powershell.exe 22 10->21         started        23 WerFault.exe 10->23         started        27 2 other processes 10->27 25 conhost.exe 14->25         started        signatures5 process6 dnsIp7 118 107.167.110.211 OPERASOFTWAREUS United States 16->118 120 107.167.110.216 OPERASOFTWAREUS United States 16->120 124 13 other IPs or domains 16->124 72 C:\Users\...\yIuY7h71Vay5A2Td0NvwofJZ.exe, PE32 16->72 dropped 74 C:\Users\...\xuZcZxCSiDn2foiVbikFAtME.exe, PE32 16->74 dropped 76 C:\Users\...\xGK5yKYVqhLnT4XSalUmioCx.exe, PE32 16->76 dropped 78 255 other malicious files 16->78 dropped 150 Drops script or batch files to the startup folder 16->150 152 Creates HTML files with .exe extension (expired dropper behavior) 16->152 29 Yke4IZ7nz97VxUjIQge1HfN4.exe 16->29         started        33 i3FcSRS9lRfSfFPxLEoqeuJu.exe 16->33         started        35 0BlvF0jizJ4jdJM5f21x0CZw.exe 16->35         started        39 16 other processes 16->39 37 conhost.exe 21->37         started        122 52.168.117.173 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 23->122 file8 signatures9 process10 dnsIp11 130 107.167.110.218 OPERASOFTWAREUS United States 29->130 132 107.167.125.189 OPERASOFTWAREUS United States 29->132 140 6 other IPs or domains 29->140 110 7 other malicious files 29->110 dropped 42 Yke4IZ7nz97VxUjIQge1HfN4.exe 29->42         started        45 Yke4IZ7nz97VxUjIQge1HfN4.exe 29->45         started        47 Yke4IZ7nz97VxUjIQge1HfN4.exe 29->47         started        134 185.172.128.187 NADYMSS-ASRU Russian Federation 33->134 136 185.172.128.90 NADYMSS-ASRU Russian Federation 33->136 138 104.26.12.205 CLOUDFLARENETUS United States 33->138 98 C:\Users\user\AppData\Local\...\syncUpd.exe, PE32 33->98 dropped 100 C:\Users\user\AppData\Local\...\INetC.dll, PE32 33->100 dropped 102 C:\Users\user\AppData\...\BroomSetup.exe, PE32 33->102 dropped 49 syncUpd.exe 33->49         started        53 BroomSetup.exe 33->53         started        112 4 other malicious files 35->112 dropped 55 0BlvF0jizJ4jdJM5f21x0CZw.exe 35->55         started        57 0BlvF0jizJ4jdJM5f21x0CZw.exe 35->57         started        104 C:\Users\user\AppData\Local\...\INetC.dll, PE32 39->104 dropped 106 C:\Users\user\AppData\Local\...\INetC.dll, PE32 39->106 dropped 108 C:\Users\user\AppData\Local\...\INetC.dll, PE32 39->108 dropped 114 9 other malicious files 39->114 dropped 162 Detected unpacking (changes PE section rights) 39->162 164 Detected unpacking (overwrites its own PE header) 39->164 166 Found Tor onion address 39->166 168 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 39->168 59 yIuY7h71Vay5A2Td0NvwofJZ.exe 39->59         started        61 2 other processes 39->61 file12 signatures13 process14 dnsIp15 94 22 other malicious files 42->94 dropped 63 Yke4IZ7nz97VxUjIQge1HfN4.exe 42->63         started        80 Opera_installer_2403140216078707132.dll, PE32 45->80 dropped 82 Opera_installer_2403140216086887768.dll, PE32 47->82 dropped 126 185.172.128.145 NADYMSS-ASRU Russian Federation 49->126 96 14 other files (10 malicious) 49->96 dropped 154 Detected unpacking (changes PE section rights) 49->154 156 Detected unpacking (overwrites its own PE header) 49->156 158 Tries to steal Mail credentials (via file / registry access) 49->158 160 7 other signatures 49->160 66 cmd.exe 53->66         started        84 Opera_installer_2403140216087717364.dll, PE32 55->84 dropped 86 Opera_installer_2403140216093812932.dll, PE32 57->86 dropped 88 Opera_installer_2403140216147738372.dll, PE32 59->88 dropped 90 Opera_installer_2403140216174348800.dll, PE32 61->90 dropped 92 Opera_installer_2403140216164658680.dll, PE32 61->92 dropped file16 signatures17 process18 file19 116 Opera_installer_2403140216118627484.dll, PE32 63->116 dropped 68 conhost.exe 66->68         started        70 chcp.com 66->70         started        process20
Score:
90%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e0e4c0197377c86f94470fb39e1641f4ffa39c85a7729eb1b5dc17a2edbf2655
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e0e4c0197377c86f94470fb39e1641f4ffa39c85a7729eb1b5dc17a2edbf2655/
Threat name:
ByteCode-MSIL.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2024-03-13 11:36:20 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
4
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4dsmaglto7eg7fchb6zz4fsb6t72hhefu5zj5mnv3ql2f3n7ezkq._file
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:stealc discovery dropper evasion loader persistence rootkit spyware stealer trojan upx
Link:
https://tria.ge/reports/240314-cpkexaad48/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Modifies data under HKEY_USERS
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
NSIS installer
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Manipulates WinMonFS driver.
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
Windows security modification
Downloads MZ/PE file
Modifies Windows Firewall
Glupteba
Glupteba payload
Stealc
UAC bypass
Windows security bypass
Malware Config
C2 Extraction:
http://185.172.128.145
Unpacked files
SH256 hash:
e0e4c0197377c86f94470fb39e1641f4ffa39c85a7729eb1b5dc17a2edbf2655
MD5 hash:
69163f8cd516a3493d026681237ff07a
SHA1 hash:
8e382c27793075fa50e3512a137d91984492e059
Link:
https://www.unpac.me/results/065884f4-2de8-4030-a33b-aaa425453aad/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e0e4c0197377/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.59
Link:
https://yomi.yoroi.company/submissions/e0e4c0197377c86f94470fb39e1641f4ffa39c85a7729eb1b5dc17a2edbf2655

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe e0e4c0197377c86f94470fb39e1641f4ffa39c85a7729eb1b5dc17a2edbf2655

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/478977/
  
URLhaus
https://urlhaus.abuse.ch/url/2781349/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments