MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9e8387e07a0b20cd448abc1fb9654c2188de5e10c074e71030c8dda74e5701c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 16

Intelligence 16 IOCs YARA 12 File information Comments

SHA256 hash:	e9e8387e07a0b20cd448abc1fb9654c2188de5e10c074e71030c8dda74e5701c
SHA3-384 hash:	648e407d07d5703eb05bb043a3501cf81c01ffdb27cb1c05739edf83751e96e26b9af7bb7a2a449eff30188430479dd4
SHA1 hash:	af9e4dafa7c8576405932f6bf926c47ed4ebdb5f
MD5 hash:	55720e0a9651454e20ed2d81d42e738f
humanhash:	hot-august-orange-orange
File name:	file
Download:	download sample
Signature	Stealc Create hunting rule
File size:	192'000 bytes
First seen:	2024-07-20 21:11:41 UTC
Last seen:	2024-07-21 11:43:06 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	75f38a281962eafd8c14d2b02cfcdab6 (17 x Stealc, 1 x MarsStealer)
ssdeep	3072:D1Ve1NFj5qD6o8KaxfE54HnnGiayl+beX8nt4I1FrJKa:D1s1jj5q62aOanGiqbIm1FdKa
TLSH	T132146D30F543403DE1A245FE6ADE5F6AE85D2D320320D0D763E26B8C26E51F5A875A2F
TrID	43.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 22.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 9.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.0% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter	Bitsight
Tags:	exe Stealc

Bitsight

url: http://77.91.77.81/cost/num.exe

Intelligence

File Origin

# of uploads :

# of downloads :

421

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

e9e8387e07a0b20cd448abc1fb9654c2188de5e10c074e71030c8dda74e5701c.exe

Verdict:

Malicious activity

Analysis date:

2024-07-21 10:00:48 UTC

Tags:

stealer stealc loader

Link:

https://app.any.run/tasks/dbe99628-78f1-49a9-b7c5-86b8aa76430d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Variant.Zusy.546982.1499.8774.UNOFFICIAL

Verdict:

Malicious

Score:

91.7%

Link:

https://cyber-fortress.com/docs/result/index.php?id=669c28232f6eaff4b90f00b5

Tags:

Infostealer Network Stealth

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Connecting to a non-recommended domain

Connection attempt

Sending an HTTP GET request

Running batch commands

Creating a process with a hidden window

Launching a process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

microsoft_visual_cc stealer

Link:

https://www.filescan.io/uploads/669c2823a537d9330be09f7c/reports/ae61fb81-4c90-4e5e-b965-e32b51dec230/overview

Verdict:

Malicious

Labled as:

Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/e9e8387e07a0b20cd448abc1fb9654c2188de5e10c074e71030c8dda74e5701c

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Stealc

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/84612824-483c-434f-8a49-b6febdc03be9

Result

Threat name:

Stealc

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1477287

Signature

AI detected suspicious sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after checking locale)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

PE file has a writeable .text section

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Snort IDS alert for network traffic

Yara detected Powershell download and execute

Yara detected Stealc

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/e9e8387e07a0b20cd448abc1fb9654c2188de5e10c074e71030c8dda74e5701c

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e9e8387e07a0b20cd448abc1fb9654c2188de5e10c074e71030c8dda74e5701c/

Threat name:

Win32.Trojan.Stealc

Status:

Malicious

First seen:

2024-07-20 21:12:05 UTC

File Type:

PE (Exe)

AV detection:

23 of 24 (95.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5hudq7qhuczazvcivpa7xfsuyimi3zpbbqdu44idbsg5u5hfoaoa._file

Result

Malware family:

stealc

Score:

10/10

Tags:

family:stealc botnet:default stealer

Link:

https://tria.ge/reports/240720-z1573sydkn/

Behaviour

Stealc

Malware Config

C2 Extraction:

http://85.28.47.31

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/09d3ad77-8eee-4869-a061-f2fbd657dffe

Unpacked files

SH256 hash:

e9e8387e07a0b20cd448abc1fb9654c2188de5e10c074e71030c8dda74e5701c

MD5 hash:

55720e0a9651454e20ed2d81d42e738f

SHA1 hash:

af9e4dafa7c8576405932f6bf926c47ed4ebdb5f

Detections:

stealc

Link:

https://www.unpac.me/results/f58b93e6-5dd6-446e-8504-62c674fb5a59/

Parent samples :

e9e8387e07a0b20cd448abc1fb9654c2188de5e10c074e71030c8dda74e5701c
1341f6c36b6bf06dd1f0d88153c8262d98fdfc5747d8996ea45959d0b475f740

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e9e8387e07a0b20cd448abc1fb9654c2188de5e10c074e71030c8dda74e5701c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	detect_Mars_Stealer Create hunting rule
Author:	@malgamy12
Description:	detect_Mars_Stealer

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	malware_Stealc_str Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	Stealc infostealer

Rule name:	Stealc_unpacked_PulseIntel Create hunting rule
Author:	PulseIntel
Description:	Stealc Payload

Rule name:	Vidar_unpacked_PulseIntel Create hunting rule
Author:	PulseIntel
Description:	Vidar Payload

Rule name:	Windows_Generic_Threat_2bba6bae Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Stealc_5d3f297c Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Stealc_b8ab9ab5 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

exe e9e8387e07a0b20cd448abc1fb9654c2188de5e10c074e71030c8dda74e5701c

(this sample)

Dropped by

Amadey

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2909124/

URLhaus

https://urlhaus.abuse.ch/url/2909129/

URLhaus

https://urlhaus.abuse.ch/url/2908698/

URLhaus

https://urlhaus.abuse.ch/url/2909131/

URLhaus

https://urlhaus.abuse.ch/url/2909123/

URLhaus

https://urlhaus.abuse.ch/url/2903968/

URLhaus

https://urlhaus.abuse.ch/url/3058171/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::OpenProcess
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample