MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1a43c5dade2825c2dfa9ef9c41c552709f15875174c97af87d1884ca5575e2a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	e1a43c5dade2825c2dfa9ef9c41c552709f15875174c97af87d1884ca5575e2a
SHA3-384 hash:	e5282c86badc2ac2b072af07957cd2cd663745de145761153c9d00d02de2fd28df6e2817ac68d10fcd94ebed5eff8ea7
SHA1 hash:	21c72370f35211453e7a138a2e3aadf1f3c5fe1d
MD5 hash:	a489451e7885c377550df325bc4ca9ae
humanhash:	quebec-bravo-queen-berlin
File name:	e1a43c5dade2825c2dfa9ef9c41c552709f15875174c9.exe
Download:	download sample
Signature	Stealc Alert Create hunting rule
File size:	194'048 bytes
First seen:	2023-12-29 16:50:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	6ea8c534c28e2062536233b200d3f650 (2 x Stealc)
ssdeep	3072:3WaSGPZLPR20g8j4b18685gHlQT63Naazy4i1WDCT6/z:GaS+LJBA585L63NaaUZT6
TLSH	T10214CE107AF0C5B7E7B745709DF589A02AFBB9669BB080EB3344172E0E316C15E39762
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	000831a2a4a0b480 (1 x Stealc)
Reporter	abuse_ch
Tags:	exe Stealc

abuse_ch

Stealc C2:
http://5.42.66.57/3886d2276f6914c4.php

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

377

Origin country :

NL

Vendor Threat Intelligence

ClamAV Detected

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file

Reading critical registry keys

Changing a file

Creating a file in the %AppData% subdirectories

Creating a window

Running batch commands

Creating a process with a hidden window

Launching a process

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Stealing user critical data

Sending an HTTP GET request to an infection source

FileScan.IO Suspicious

Verdict:

Suspicious

Threat level:

  5/10

Confidence:

100%

Tags:

packed xpack

Link:

https://www.filescan.io/uploads/658ef8f7b290743934efb5ca/reports/dd1601d0-e2e2-4567-b246-50ec9ee03e2b/overview

Hybrid Analysis Malware

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/e1a43c5dade2825c2dfa9ef9c41c552709f15875174c97af87d1884ca5575e2a

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Stealc

Malware family:

Stealc

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7fd0bdc5-4c4b-4c46-b2d0-602ca35aac2b

Joe Sandbox Stealc, Vidar

Result

Threat name:

Stealc, Vidar

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1368033

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found evasive API chain (may stop execution after checking locale)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Self deletion via cmd or bat file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Yara detected Stealc

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Nucleon Malprob Malware

Score:

100%

Verdict:

Malware

File Type:

PE

Link:

https://malprob.io/report/e1a43c5dade2825c2dfa9ef9c41c552709f15875174c97af87d1884ca5575e2a

CERT.PL MWDB stealc

Detection:

stealc

Alert

Create hunting rule

Link:

https://mwdb.cert.pl/sample/e1a43c5dade2825c2dfa9ef9c41c552709f15875174c97af87d1884ca5575e2a/

ReversingLabs TitaniumCloud Win32.Spyware.Stealc

Threat name:

Win32.Spyware.Stealc

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-12-29 16:51:06 UTC

File Type:

PE (Exe)

Extracted files:

14

AV detection:

17 of 23 (73.91%)

Threat level:

  2/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4gsdyxnn4kbfylp2t344ihcve4e7cwdvc5gjpl4h2geezjkxlyva._file

Threatray malicious

Verdict:

malicious

Hatching Triage stealc

Result

Malware family:

stealc

Alert

Create hunting rule

Score:

  10/10

Tags:

family:stealc discovery spyware stealer

Link:

https://tria.ge/reports/231229-vcs6dsecfl/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Downloads MZ/PE file

Stealc

Malware Config

C2 Extraction:

http://5.42.66.57

UnpacMe stealc win_stealc_auto win_stealc_a0

Unpacked files

SH256 hash:

06627ef186f9f578bb0752326fbbd7821506d908554693598e45e2e124155ca7

MD5 hash:

093af6fde09383ecd853fa7b69ad5c7a

SHA1 hash:

eceb6b45df22a2b08ffa34b4faed6d4c7043d9de

Detections:

stealc

Alert

Create hunting rule

win_stealc_auto

Alert

Create hunting rule

win_stealc_a0

Alert

Create hunting rule

Link:

https://www.unpac.me/results/ffa0e8bd-5051-4306-9476-4b648bcf2bc6/

Parent samples :

3730c9435af20010ad3c4a94bb66581cc97e1f6da1c918ac1ce90eea12fa3af0
e1a43c5dade2825c2dfa9ef9c41c552709f15875174c97af87d1884ca5575e2a
8d9d7bd03b63923dcd739dfd6d836d4b8229268dcb8869526de90c99e5286d9d

SH256 hash:

e1a43c5dade2825c2dfa9ef9c41c552709f15875174c97af87d1884ca5575e2a

MD5 hash:

a489451e7885c377550df325bc4ca9ae

SHA1 hash:

21c72370f35211453e7a138a2e3aadf1f3c5fe1d

Link:

https://www.unpac.me/results/ffa0e8bd-5051-4306-9476-4b648bcf2bc6/

VMRay Stealc

Malware family:

Stealc

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e1a43c5dade2/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e1a43c5dade2825c2dfa9ef9c41c552709f15875174c97af87d1884ca5575e2a