MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e582c5c0b368883ccfdb3eb7bd8e1031504b39d13c4f13915c050ee3a0cbc733. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e582c5c0b368883ccfdb3eb7bd8e1031504b39d13c4f13915c050ee3a0cbc733
SHA3-384 hash: 1e6ae75f3ec65fd1a3b39ea1f2c60a3e87be183977868a68153162414ebdf605e1d7521d0e9229b59fa453304d8c27f4
SHA1 hash: 06b1f4307dbc190c633fbe8cfd3f3c1519b88d2e
MD5 hash: 4f70f085bc14176bcc6022a927250b96
humanhash: august-mobile-alanine-comet
File name:4f70f085bc14176bcc6022a927250b96.exe
Download: download sample
Signature Stealc
Create hunting rule
File size:207'360 bytes
First seen:2023-10-09 14:45:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1b1c101b34422332d0062bedf14c71e9 (2 x Smoke Loader, 1 x Tofsee, 1 x Stealc)
ssdeep 3072:tHXiyu0XziGmVm3eOyTbh7hRzuZ6n3W0eoMuHf3HtjQ56e:RiD0jn/3WflhMZK3WNoZHPH12
Threatray 161 similar samples on MalwareBazaar
TLSH T1E914E12177A2C0B2C45B84794460CF60BB7F78B167A4B99F3F981ABF5E303815767249
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0008104808020000 (1 x Stealc)
Reporter abuse_ch
Tags:exe Stealc


Avatar
abuse_ch
Stealc C2:
http://dominiczachary.top/e9c345fc99a4e67e.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
304
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Gathering data
Gathering data
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/e582c5c0b368883ccfdb3eb7bd8e1031504b39d13c4f13915c050ee3a0cbc733
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Oski Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c6c9c876-706f-4d30-be12-314dd6c20a2c
Result
Threat name:
Stealc
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1322256
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Yara detected Stealc
Behaviour
Behavior Graph:
Download SVG
Detection:
stealc
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e582c5c0b368883ccfdb3eb7bd8e1031504b39d13c4f13915c050ee3a0cbc733/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-10-09 13:26:15 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
26 of 36 (72.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4wbmlqftncedzt63h2333dqqgfiewoorhrhrhek4auhohigly4zq._file
Verdict:
malicious
Similar samples:
1837622fbafa47eb30d479df4f4c97e41e54c9f65c99859b9b4ef195fa9bcdbc
Stealc
37598ef0d60434956df3670b94e6dee091e89deb67e9eefa820c24312923f8b1
Stealc
55df033fe62f9b849870c10e28db0432cb4287e278cfc80acc3d113a6887513d
Stealc
5e67e7c2573fa5e6522517d3f97cc38b79d47f4e0b16d4d1b9448ba72626d355
Stealc
64270e557c83856508c910892d6079b45aa2d2f6a2bde4b7e6d6180d174d90bc
Stealc
6e75be092dacc4f00da72baf4ea2d7fcc84220ec04f213e0b14eed89004f4ae0
Stealc
ab3c710d9fc4e1bbf83b6a6958a90205968c6bfa51d6dd415ede8ff1df0d3ec9
Stealc
c093df19539455619b30408268030ba22b4fbba44e6872115f58642e626b494d
Stealc
edb2278969b5d26ffe68e461aa7c9873bfcb86823f928a9700a50ef420b92d49
Stealc
f6559e9de5695802ff471ea1769587e6f93aa9a3c1e29451b4b304886ca8489a
Stealc
+ 151 additional samples on MalwareBazaar
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:stealc discovery stealer
Link:
https://tria.ge/reports/231009-r5amzaff36/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Checks installed software on the system
Downloads MZ/PE file
Stealc
Malware Config
C2 Extraction:
http://dominiczachary.top
Unpacked files
SH256 hash:
4d269582bd0b2941e2c8bd2ebb9ef462a99d4d9865bb9f7618e47a2cdb8efee4
MD5 hash:
6bb54ee73e53b41678a72e36e051e6b6
SHA1 hash:
2fcf04f8e068840b106652e764aad28d04902443
Detections:
stealc
Create hunting rule
Link:
https://www.unpac.me/results/711b1777-cdcf-4286-86a5-250576dcae33/
Parent samples :
e582c5c0b368883ccfdb3eb7bd8e1031504b39d13c4f13915c050ee3a0cbc733
f64398ee74ab5760caccfef93c615d537375c92241c15d2ea09fd402138786a4
31289b717df3d04315d3f0b61cbba5c78679730a9c9fd74aaf953bc0ee6798c7
SH256 hash:
e582c5c0b368883ccfdb3eb7bd8e1031504b39d13c4f13915c050ee3a0cbc733
MD5 hash:
4f70f085bc14176bcc6022a927250b96
SHA1 hash:
06b1f4307dbc190c633fbe8cfd3f3c1519b88d2e
Link:
https://www.unpac.me/results/711b1777-cdcf-4286-86a5-250576dcae33/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e582c5c0b368/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e582c5c0b368883ccfdb3eb7bd8e1031504b39d13c4f13915c050ee3a0cbc733

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:detect_Mars_Stealer
Create hunting rule
Author:@malgamy12
Description:detect_Mars_Stealer
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe e582c5c0b368883ccfdb3eb7bd8e1031504b39d13c4f13915c050ee3a0cbc733

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2715014/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2712461/

Comments