MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea3c4e9cc6e8b8b5fb61c4ef5afaa0575a895b1ca9377e22e1236057494923e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 13

Intelligence 13 IOCs YARA 5 File information Comments

SHA256 hash:	ea3c4e9cc6e8b8b5fb61c4ef5afaa0575a895b1ca9377e22e1236057494923e3
SHA3-384 hash:	2befd6a4a49fdad412f60fbd267eb82320a60ac9615066456f8fa274559b038f438b57c343f2ee06f1c0c102c38cb97b
SHA1 hash:	8fa790f69f0628bcf786c55f97b7d0d02b3c53cc
MD5 hash:	cdba4bf95af8e93a8b246376e978934f
humanhash:	coffee-undress-green-double
File name:	cdba4bf95af8e93a8b246376e978934f.exe
Download:	download sample
Signature	Stealc Create hunting rule
File size:	267'776 bytes
First seen:	2023-03-07 14:35:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7ca9aeb70e388366d4b49ad6e91f0c93 (9 x RedLineStealer, 2 x Smoke Loader, 1 x Stealc)
ssdeep	3072:c+sZDILA33/HLXS3QTqxInA4ZS5hFHsmGkzco1oxg6eYg4eZjU:3LKPfhS5vMmG6coaxg14eZ
Threatray	93 similar samples on MalwareBazaar
TLSH	T17E44C03177D1C072D2A7057058F9DAE9EEBF787266748A9B335417AE0E307C09A6A307
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	001cdac08c949298 (1 x Stealc)
Reporter	abuse_ch
Tags:	exe Stealc

abuse_ch

Stealc C2:
http://45.87.154.30/86d110a6ca1786a5.php

Intelligence

File Origin

# of uploads :

# of downloads :

229

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

cdba4bf95af8e93a8b246376e978934f.exe

Verdict:

Malicious activity

Analysis date:

2023-03-07 14:36:36 UTC

Tags:

loader stealer

Link:

https://app.any.run/tasks/a4d86f5d-f3ca-43e5-93ac-179499ddd811

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Vidar

Link:

https://www.capesandbox.com/analysis/372359/

Detection(s):

Sanesecurity.Malware.28986.BadIN.UNOFFICIAL

Sanesecurity.Malware.28988.BadIN.UNOFFICIAL

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Changing a file

Creating a file in the %AppData% subdirectories

Creating a window

Running batch commands

Creating a process with a hidden window

Launching a process

Launching the default Windows debugger (dwwin.exe)

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

75%

Tags:

greyware

Link:

https://www.filescan.io/uploads/64074bd2e96aa01651234c60/reports/a5668cb0-7c4a-4c2d-b26e-15222b64e2e1/overview

Verdict:

Malicious

Labled as:

Ransom.84989A88

Link:

https://www.hybrid-analysis.com/sample/ea3c4e9cc6e8b8b5fb61c4ef5afaa0575a895b1ca9377e22e1236057494923e3

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Stealc

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/079a3cf3-d31f-44b8-a43a-b0adb51e2287

Result

Threat name:

Stealc, Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1188664

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found evasive API chain (may stop execution after checking locale)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Self deletion via cmd or bat file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Yara detected Stealc

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ea3c4e9cc6e8b8b5fb61c4ef5afaa0575a895b1ca9377e22e1236057494923e3/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2023-03-07 14:49:10 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 25 (88.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5i6e5hgg5c4ll63bytxvv6vak5niswy4ve3x4ixbenqfoskjeprq._file

Verdict:

malicious

Stealc

3f7646cd60e5f51c13eb35ef9f00d10c66fc309b486498a1978cccc2405d3373

Stealc

6d9df22ed6d7844b938c9b2c3f413e2c7e3306a047dc807fdca6d0edbc2d2528

Stealc

719dc62c28d143014a62dbd91017f32020362ee3a06bac5c35d61868d571b127

Stealc

88b6bfe76c0ed2e49897e38ee20f4b62842796649598f47bbe2c59450078e1cd

Stealc

9220c641601d88dc8b8a548de89674f20ea5e5ba33abf3763d8ce5bbc9032a37

Stealc

979afbc8137f3cb684125b0f15be3c34d8539425366c3a067b98a97e181eb142

Stealc

c0ddf7b1a142d4ab25bbdfd2003183873965a25fe6bc7aba2048613c68cfa3ea

Stealc

fcd1f919f21765520aef43063450cc68dbbac04c1748029a80011def917e6e24

Stealc

+ 83 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/230307-rykvcsad96/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Unpacked files

SH256 hash:

54ad8e690ad1dcf9e8821228dc26402a8563cb2527d14cd73dfb94eec036def7

MD5 hash:

ecf150e9184cbf82611418d8a5bf25a1

SHA1 hash:

61791a0704c40ecd24d0c5072360522c16c79bdd

Link:

https://www.unpac.me/results/e425b46c-c8cf-45a6-8ae5-a4c5c387b290/

SH256 hash:

ea3c4e9cc6e8b8b5fb61c4ef5afaa0575a895b1ca9377e22e1236057494923e3

MD5 hash:

cdba4bf95af8e93a8b246376e978934f

SHA1 hash:

8fa790f69f0628bcf786c55f97b7d0d02b3c53cc

Link:

https://www.unpac.me/results/e425b46c-c8cf-45a6-8ae5-a4c5c387b290/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ea3c4e9cc6e8b8b5fb61c4ef5afaa0575a895b1ca9377e22e1236057494923e3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

Rule name:	yara_template Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/372359/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample