MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e5147ae13310b2b93da17d2800a21956788671c907f7dd19a3918c0b9fcc051b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 17


Intelligence 17 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e5147ae13310b2b93da17d2800a21956788671c907f7dd19a3918c0b9fcc051b
SHA3-384 hash: 40c5488c9e02048d83df61a1d8da8708d05ed8cbf0cfcdf021666413ee140ff2aec2a32933843c8254eb343b0c76b92a
SHA1 hash: b5e671d3e050c5f27ab45443047619bd3eed28bf
MD5 hash: 092bc2c227db1bb7bc32a047092d27c9
humanhash: fanta-ceiling-king-wisconsin
File name:092bc2c227db1bb7bc32a047092d27c9.exe
Download: download sample
Signature Stealc
Create hunting rule
File size:307'200 bytes
First seen:2023-03-15 16:40:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bb1da332f7212d9c576b80377a6c6ffb (2 x Stealc, 1 x Stop)
ssdeep 3072:Zov4S9LXS589ZUkA2JL9CKEUDeb44td76gZNP1lV09KSDxNlfEd542:+vDL00ZZiKEUDedtd+oNPsDbgJ
Threatray 11 similar samples on MalwareBazaar
TLSH T11A642B0383E1BD45E92A8B729E1FC6FC7A1FF6508E4977A922289F1F44B0176D263711
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 82460a4248121200 (1 x Stealc)
Reporter abuse_ch
Tags:exe Stealc


Avatar
abuse_ch
Stealc C2:
138.201.198.8:8081

Intelligence

File Origin
# of uploads :
1
# of downloads :
260
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
092bc2c227db1bb7bc32a047092d27c9.exe
Verdict:
Malicious activity
Analysis date:
2023-03-15 16:41:42 UTC
Tags:
loader smoke trojan
Link:
https://app.any.run/tasks/8d8f8653-8688-42fa-9d38-dad9c42bab94

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/374625/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for synchronization primitives
Reading critical registry keys
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending a custom TCP request
Query of malicious DNS domain
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/73299/overview
Behaviour
MalwareBazaar
SystemUptime
CPUID_Instruction
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6411f51ee835ac64d683b5e2/reports/d43ddb58-44e0-4e14-9199-c893ef3bd9b9/overview
Verdict:
Malicious
Labled as:
Babar.Generic
Link:
https://www.hybrid-analysis.com/sample/e5147ae13310b2b93da17d2800a21956788671c907f7dd19a3918c0b9fcc051b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a184bfdd-d732-4ca2-af0d-5ac9557b2f0b
Result
Threat name:
Aurora, RedLine, SmokeLoader, Stealc, Vi
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1194376
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara Aurora Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Stealc
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 827273 Sample: SCEgQWi3D9.exe Startdate: 15/03/2023 Architecture: WINDOWS Score: 100 87 Snort IDS alert for network traffic 2->87 89 Malicious sample detected (through community Yara rule) 2->89 91 Antivirus detection for URL or domain 2->91 93 12 other signatures 2->93 9 SCEgQWi3D9.exe 2->9         started        12 hrgvuas 2->12         started        14 D70F.exe 2->14         started        process3 signatures4 125 Detected unpacking (changes PE section rights) 9->125 127 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 9->127 129 Maps a DLL or memory area into another process 9->129 16 explorer.exe 5 16 9->16 injected 131 Machine Learning detection for dropped file 12->131 133 Checks if the current machine is a virtual machine (disk enumeration) 12->133 135 Creates a thread in another existing process (thread injection) 12->135 process5 dnsIp6 75 138.36.3.134, 49714, 49717, 49745 TEXNETSERVICOSDECOMUNICACAOEMINFORMATICALTDBR Brazil 16->75 77 vispik.at 175.126.109.15, 49706, 49708, 49726 SKB-ASSKBroadbandCoLtdKR Korea Republic of 16->77 79 11 other IPs or domains 16->79 63 C:\Users\user\AppData\Roaming\hrgvuas, PE32 16->63 dropped 65 C:\Users\user\AppData\Local\Temp\D70F.exe, PE32 16->65 dropped 67 C:\Users\user\AppData\Local\Temp\2E21.exe, PE32+ 16->67 dropped 69 3 other malicious files 16->69 dropped 95 System process connects to network (likely due to code injection or exploit) 16->95 97 Benign windows process drops PE files 16->97 99 Deletes itself after installation 16->99 101 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->101 21 102C.exe 16->21         started        25 2DEB.exe 15 4 16->25         started        28 2E21.exe 12 16->28         started        30 D70F.exe 16->30         started        file7 signatures8 process9 dnsIp10 71 C:\Users\user\AppData\...\KKEBKJJDGH.exe, PE32 21->71 dropped 73 C:\Users\user\AppData\Local\...\l[1].exe, PE32 21->73 dropped 103 Detected unpacking (changes PE section rights) 21->103 105 Detected unpacking (overwrites its own PE header) 21->105 107 Tries to steal Mail credentials (via file / registry access) 21->107 109 Tries to steal Crypto Currency Wallets 21->109 32 cmd.exe 21->32         started        34 cmd.exe 21->34         started        81 fronxtracking.com 176.124.192.199, 49723, 80 GULFSTREAMUA Russian Federation 25->81 83 api.ip.sb 25->83 111 Multi AV Scanner detection for dropped file 25->111 113 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 25->113 115 Machine Learning detection for dropped file 25->115 117 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 25->117 85 138.201.198.8, 49739, 8081 HETZNER-ASDE Germany 28->85 119 Antivirus detection for dropped file 28->119 121 Detected unpacking (creates a PE file in dynamic memory) 28->121 123 Tries to harvest and steal browser information (history, passwords, etc) 28->123 36 cmd.exe 28->36         started        38 cmd.exe 28->38         started        40 WMIC.exe 1 28->40         started        42 conhost.exe 28->42         started        file11 signatures12 process13 process14 44 KKEBKJJDGH.exe 32->44         started        47 conhost.exe 32->47         started        49 conhost.exe 34->49         started        51 timeout.exe 34->51         started        53 conhost.exe 36->53         started        55 WMIC.exe 36->55         started        57 conhost.exe 38->57         started        59 WMIC.exe 38->59         started        61 conhost.exe 40->61         started        signatures15 137 Detected unpacking (changes PE section rights) 44->137 139 Detected unpacking (overwrites its own PE header) 44->139 141 Machine Learning detection for dropped file 44->141
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e5147ae13310b2b93da17d2800a21956788671c907f7dd19a3918c0b9fcc051b/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2023-03-15 16:41:06 UTC
File Type:
PE (Exe)
Extracted files:
67
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4ukhvyjtcczlspnbpuuabiqzkz4im4oja7352gndsggaxh6maunq._file
Verdict:
malicious
Similar samples:
07c7643d1f63c0306b87574fab09731861f60d3a2543c66d0e29a90b5584d124
Stealc
2a47c2d84f330efa04265b34e7dc1fd149954c5f1110c6896414f313b7ce17a2
Stealc
38befee4c4513de47e667544d9f705f56c195393b116fcd154755c1f7815ae55
Stealc
3c37da8f26c285fbc928409ba4c2118b388ab59fc1ffc62103c755bb49eaf8ab
Stealc
441f41b5d71d87e71c52db1ec1313b3d1eced25e9eebb3b6d83eb2a97a5cacd8
Stealc
4532489becbdf07bc0a932486ab95b497113f5600c7646b635eaea9bcfa430cd
Stealc
5d0be9aaad980137d68677d7ef3758d9ce7a4e2d170df0abee803f64b14dcd67
Stealc
98446a2ba850c3132d15b9cc773c365052631e83f734a2ec0e19f7b71dce3f3d
Stealc
aa5cfe1aca97f5d6871a6fcdca915dd5714fa593f2dd9a45500cec888d8fb8f3
Stealc
fbecd3645d10356c65157677cd1b6a6d9ae8754c584cc6656f3e263bd541483a
Stealc
+ 1 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader botnet:pub4 backdoor discovery infostealer spyware stealer trojan
Link:
https://tria.ge/reports/230315-t63q9age3t/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Program crash
Checks installed software on the system
Executes dropped EXE
Reads user/profile data of web browsers
Downloads MZ/PE file
RedLine
RedLine payload
SmokeLoader
Malware Config
C2 Extraction:
http://vispik.at/tmp/
http://ekcentric.com/tmp/
http://hbeat.ru/tmp/
http://mordo.ru/tmp/
Unpacked files
SH256 hash:
93aa95fb6ff1197842539ad7d33661578c19614b641bc01b1339e9c74e8f6077
MD5 hash:
79e11ad9206a0e4207a1916c41d485e3
SHA1 hash:
7b2e2d5c564fe560f76bf3db8ce91acef6db1b3e
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/4919b998-9ada-487e-bee8-46f9395add4c/
Parent samples :
8d817b65185a02fb3050ec898ba6dc15f88e97428402de127d0fe79e6480421d
e9abf1a9ce327a916ba7191b471e3039d5e50093fe7346944a83d020e89da470
3358510dd07f7a0f84f6b8ff788bf5fb661c2259ebff3696c964f928a166a58c
e6ac1fe76c5644ac4f6624ffd984aebf33708da63cd425e58218eac16b9500c3
b3c1c51816ed1e710c16b9979424f6e048de948320e1560664f02b7fd68a1c70
bfa7f935ce2d538f08ef9b71990ff857c855ae47f402010207533a85831b0d69
d0c09c00990cc693789f83e8dfb4d3e7db62a583d246cea22b2c6bb3a2c3e6f0
9b6da424a0f27a420231b67553454bf11d1283164fd176d688ddd43f2a6c4dfc
35c8d963860e8a3b6f74aae074eeae71dbcd50f4ac55e72f4509f15eb45e6f09
6fcfc6e9c3504129087f399f02026f0857e51702803c00e15c16a98d94414974
86d03866f50e32545514b56e8fc46122c136d24e80954b7f6291b870a1e2a5ac
e5147ae13310b2b93da17d2800a21956788671c907f7dd19a3918c0b9fcc051b
a55fb5f4931b56a67accf6b1e95d17bb96a3e12b5a960816c60dfd06bb440d9c
ba22d964e19050f18e2616497d28864c3f3e7e4f6769b6b55020002af356fd52
cd3e1831de588644e2706fa76f1b8bdd13e575cd648b6db24ddc4c9016ab978b
92a5b282a453a1d71a1d800a95018b6248da4a8cdcc58e82c56266be169cc98c
1b47e6ab6638a2d79d7a5f80627f4e96a7169b8083c6d69fb8f32ee6efcc2aa5
8566c357f42e4e6f442564c63c376540b4e4d0ee72d38f83a3de84a83931a6ce
49d393dd5011f729861bba497ebc7a0fc1312dff59820659e922bf109dd66ac3
84f201911eea13e0a46afa437f7a5942a1d70afab17edcb4fe65680d1599f602
SH256 hash:
e5147ae13310b2b93da17d2800a21956788671c907f7dd19a3918c0b9fcc051b
MD5 hash:
092bc2c227db1bb7bc32a047092d27c9
SHA1 hash:
b5e671d3e050c5f27ab45443047619bd3eed28bf
Link:
https://www.unpac.me/results/4919b998-9ada-487e-bee8-46f9395add4c/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e5147ae13310/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e5147ae13310b2b93da17d2800a21956788671c907f7dd19a3918c0b9fcc051b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe e5147ae13310b2b93da17d2800a21956788671c907f7dd19a3918c0b9fcc051b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2571667/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/374625/

Comments