MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f49d931295e2da64727db9d3d867051232d54f0b2aad5c2cee896b40aa0e86fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f49d931295e2da64727db9d3d867051232d54f0b2aad5c2cee896b40aa0e86fe
SHA3-384 hash: 8b0af77239631fc0559db8d76bc28212cf91aff9c20d67ad6136ef9d796d5158683786a938515309d3a2dc82e267b208
SHA1 hash: 2cb86a0a4cafc825bf413f057ce067da7f802f74
MD5 hash: 9735a5a6882e9fe7578d745f8a693b50
humanhash: carolina-sodium-glucose-mockingbird
File name:9735a5a6882e9fe7578d745f8a693b50.exe
Download: download sample
Signature Stealc
Create hunting rule
File size:1'342'400 bytes
First seen:2023-03-29 16:25:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 93aecbb81928046ce9afe4c7ab7c1d6c (2 x Stealc)
ssdeep 24576:29Cv53II5kebo7w0AshMGqOI0LslSIpO4u6+/3:2EII5Vo7w3shHoSk+v
TLSH T1AA55B609F1D0DEB0C78D413A335DC979E598BA702E16E952FBD2A35F0A340EA660F716
TrID 43.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
22.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
9.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e0c8889eaeca7a9a (8 x RedLineStealer, 1 x CryptBot, 1 x Rhadamanthys)
Reporter abuse_ch
Tags:exe Stealc


Avatar
abuse_ch
Stealc C2:
http://5.75.155.1/d522566a552de05d.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
272
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9735a5a6882e9fe7578d745f8a693b50.exe
Verdict:
Malicious activity
Analysis date:
2023-03-29 16:28:14 UTC
Tags:
loader
Link:
https://app.any.run/tasks/879f06bc-30e0-4cdc-837a-ad1e02c1f704

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/378506/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Sending a custom TCP request
Creating a window
DNS request
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Stealing user critical data
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/75620/overview
Behaviour
MalwareBazaar
CPUID_Instruction
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
83%
Tags:
anti-debug explorer.exe overlay packed
Link:
https://www.filescan.io/uploads/6424669b54ddd532608460be/reports/b6203a68-aa45-4d7e-aadc-bf714938dacf/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/f49d931295e2da64727db9d3d867051232d54f0b2aad5c2cee896b40aa0e86fe
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a2bd4635-29da-4969-bf2c-8e5d48188c8e
Result
Threat name:
Laplas Clipper, Stealc, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1204494
Signature
Antivirus detection for dropped file
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Laplas Clipper
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 837404 Sample: aLrUi0lW59.exe Startdate: 29/03/2023 Architecture: WINDOWS Score: 100 43 Snort IDS alert for network traffic 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 Yara detected Stealc 2->47 49 5 other signatures 2->49 8 aLrUi0lW59.exe 19 2->8         started        13 svcservice.exe 2->13         started        15 svcservice.exe 2->15         started        process3 dnsIp4 35 5.75.155.1, 49701, 80 HETZNER-ASDE Germany 8->35 37 www.4sync.com 199.101.134.238, 443, 49704 WZCOM-US United States 8->37 39 dc534.4sync.com 204.155.145.48, 443, 49705 WZCOM-US United States 8->39 31 C:\Users\user\AppData\...\AEHIECAFCG.exe, PE32 8->31 dropped 33 C:\Users\user\AppData\...\Lithely[1].exe, PE32 8->33 dropped 53 Tries to steal Mail credentials (via file / registry access) 8->53 55 Tries to harvest and steal browser information (history, passwords, etc) 8->55 57 Tries to steal Crypto Currency Wallets 8->57 17 cmd.exe 1 8->17         started        file5 signatures6 process7 process8 19 AEHIECAFCG.exe 1 3 17->19         started        23 conhost.exe 17->23         started        file9 29 C:\Users\user\AppData\...\svcservice.exe, PE32 19->29 dropped 51 Machine Learning detection for dropped file 19->51 25 svcservice.exe 9 19->25         started        signatures10 process11 dnsIp12 41 51.195.166.203, 49707, 49708, 49709 OVHFR France 25->41 59 Antivirus detection for dropped file 25->59 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f49d931295e2da64727db9d3d867051232d54f0b2aad5c2cee896b40aa0e86fe/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6sozgeuv4lngi4t5xhj5qzyfciznktylfkwvylhorfvubkqoq37a._file
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:laplas family:stealc clipper discovery persistence spyware stealer
Link:
https://tria.ge/reports/230329-txhpqaha66/
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Detects Stealc stealer
Laplas Clipper
Stealc
Malware Config
C2 Extraction:
http://5.75.155.1/d522566a552de05d.php
http://51.195.166.203
Unpacked files
SH256 hash:
efbb9f0d0842effdac14fea6bdb589abeb1e9e7b282a3bbad5ae89b74ff6bc9d
MD5 hash:
8ff09181c8b5728826eaec848ff3f462
SHA1 hash:
63bb23fb203471ce655d3158c4b4635cdb494e7b
Detections:
stealc
Create hunting rule
win_stealc_a0
Create hunting rule
Link:
https://www.unpac.me/results/3760382d-0d42-4e7e-b2b2-f7f455015b0f/
SH256 hash:
f49d931295e2da64727db9d3d867051232d54f0b2aad5c2cee896b40aa0e86fe
MD5 hash:
9735a5a6882e9fe7578d745f8a693b50
SHA1 hash:
2cb86a0a4cafc825bf413f057ce067da7f802f74
Link:
https://www.unpac.me/results/3760382d-0d42-4e7e-b2b2-f7f455015b0f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f49d931295e2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f49d931295e2da64727db9d3d867051232d54f0b2aad5c2cee896b40aa0e86fe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:infostealer_win_stealc_standalone
Create hunting rule
Description:Find standalone Stealc sample based on decryption routine or characteristic strings
Reference:https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:win_stealc_w0
Create hunting rule
Author:crep1x
Description:Find standalone Stealc sample based on decryption routine or characteristic strings
Reference:https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/
Rule name:yara_template
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/378506/

Comments