MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea73f0c424fb7780689b5d0b88bcef9af3b80ed701250ebf8c794b89aea182a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	ea73f0c424fb7780689b5d0b88bcef9af3b80ed701250ebf8c794b89aea182a4
SHA3-384 hash:	f92b38dccb98e3cbbde65beac4ca9a653ecaab42297a10ae65356c379882bf708042615a47cd7ceff0184045310f0403
SHA1 hash:	0cadb14df9ac6833f9a59dc7188c5c3ad465792a
MD5 hash:	363d431816a3d0805a41eb85d0fc7ff3
humanhash:	maryland-two-april-california
File name:	363d431816a3d0805a41eb85d0fc7ff3.exe
Download:	download sample
Signature	Stealc Alert Create hunting rule
File size:	362'496 bytes
First seen:	2023-07-26 15:36:11 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	44d39cb42f1ecc0351f10c8bc772392a (3 x Stealc, 3 x RedLineStealer, 1 x MarsStealer)
ssdeep	3072:KOBMfVXLkMk3Dg/3Tl0VMemH55+s15fg+wlGvPGT1lTsZxO:3oVXLkMkTg/DvVHf+Qg+jv+HTz
Threatray	39 similar samples on MalwareBazaar
TLSH	T19B74B54383A1BD40E9258B72DE2FCAF8768DF6518F4D7B66A128AF1F04B51B2D173610
TrID	37.3% (.EXE) Win64 Executable (generic) (10523/12/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 16.0% (.EXE) Win32 Executable (generic) (4505/5/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	1070d09030381000 (1 x Stealc)
Reporter	abuse_ch
Tags:	exe Stealc

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

272

Origin country :

NL

Vendor Threat Intelligence

ANY.RUN Malicious

Malware family:

n/a

ID:

1

File name:

363d431816a3d0805a41eb85d0fc7ff3.exe

Verdict:

Malicious activity

Analysis date:

2023-07-26 15:48:30 UTC

Tags:

stealc stealer

Link:

https://app.any.run/tasks/8c163a09-1ca0-4c1b-9a4d-aa4439ee0dff

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/434147/

ClamAV Detected

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

FileScan.io

Gathering data

Hybrid Analysis Trojan.Generic

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/ea73f0c424fb7780689b5d0b88bcef9af3b80ed701250ebf8c794b89aea182a4

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Oski Stealer

Malware family:

Oski Stealer

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/509c8445-4e2f-414a-8b4b-08f9c7700160

Joe Sandbox Stealc, Vidar

Result

Threat name:

Stealc, Vidar

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1280315

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found evasive API chain (may stop execution after checking locale)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Self deletion via cmd or bat file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Yara detected Stealc

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ea73f0c424fb7780689b5d0b88bcef9af3b80ed701250ebf8c794b89aea182a4/

ReversingLabs TitaniumCloud Win32.Trojan.RedLine

Threat name:

Win32.Trojan.RedLine

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-07-26 07:56:28 UTC

File Type:

PE (Exe)

Extracted files:

85

AV detection:

28 of 38 (73.68%)

Threat level:

  5/5

Spamhaus Hash Blocklist Malicious file

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=5jz7brbe7n3ya2e3lufyrphptlz3qdwxaesq5p4mpffytlvbqksa._file

Threatray malicious

Verdict:

malicious

Similar samples:

046d23bc4411e3fe3a0b2440e505a86751897f44c99d9a73bfac15b49dd9b399

Stealc

04f0be09da2edb51f4606ecb15b9d09703c0659c9c842bcd42ccc81f20836be6

Stealc

88323489bf0a8a306b3964293fc6f80ac5bb322b7111381c5b5074a42484fafc

Stealc

8933096a3a5c51c79403a2dd9bb1db722ec059cb135b203ec1393c0ea3bd15de

Stealc

8afd72197f13d7016291b5799cb9e680146d09b9b06661bb0de3f7972ef56fdc

Stealc

92cdd03295523d1f0b5fdf13489745137a8000a34657dd1316b716a8b52b5b4e

Stealc

970a7ff3bab4b5fffe226cf5e66d997c9a8692623c2fa17fb5e2d35b16686564

Stealc

c4b6bb4bd33e3ef107781a21eb0dedb82dbe90c4e9d6f0b19620c8940e18fa6b

Stealc

d5b4716082c735fbf29d7984ff7a99d1a5b35fb8071b94223cb34d9d77199a74

Stealc

febd6964bdd7f4d619fa5b9fa4cab9664544370704d3cf04976eb8c520825c2e

Stealc

+ 29 additional samples on MalwareBazaar

Hatching Triage Malicious

Result

Malware family:

n/a

Score:

  8/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/230726-s2g4baec71/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

UnpacMe 2

Unpacked files

SH256 hash:

67e733069b858d3b1755210f96834936db5e61cb94f485027fae194c41d04a60

MD5 hash:

2c53a0953fe69825b45ffc2078afa720

SHA1 hash:

7fd7b6be80586deff8af51e8d45ed4b5fca512d2

Link:

https://www.unpac.me/results/c8f0c9cc-0a38-4272-96ed-e48d9791c39b/

SH256 hash:

ea73f0c424fb7780689b5d0b88bcef9af3b80ed701250ebf8c794b89aea182a4

MD5 hash:

363d431816a3d0805a41eb85d0fc7ff3

SHA1 hash:

0cadb14df9ac6833f9a59dc7188c5c3ad465792a

Link:

https://www.unpac.me/results/c8f0c9cc-0a38-4272-96ed-e48d9791c39b/

VMRay Stealc

Malware family:

Stealc

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ea73f0c424fb/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ea73f0c424fb7780689b5d0b88bcef9af3b80ed701250ebf8c794b89aea182a4

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

exe ea73f0c424fb7780689b5d0b88bcef9af3b80ed701250ebf8c794b89aea182a4

(this sample)

  

URLhaus

https://urlhaus.abuse.ch/url/2689718/

  

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/434147/