MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f719946bf4fe48a242db1577114a3ce502d9c16585986fa2c2c1e89cf950b485. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 2 File information Comments

SHA256 hash:	f719946bf4fe48a242db1577114a3ce502d9c16585986fa2c2c1e89cf950b485
SHA3-384 hash:	e7f534b59aecefb8dcefc8f7447de5f1cef0f9c61fd02f156b67acaa53611e1dc28797c12fb7a6ae12075fc4e779ea79
SHA1 hash:	dbddfe1f315d2bb48d0ae028fbae201f9f5ad8da
MD5 hash:	e4f8054a977a1017f13e7cd57b62a979
humanhash:	washington-lima-pip-violet
File name:	e4f8054a977a1017f13e7cd57b62a979.exe
Download:	download sample
Signature	Stealc Create hunting rule
File size:	436'736 bytes
First seen:	2024-11-10 10:35:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d95cb6d9d64631a29a0347bf1998ced5 (2 x Stealc)
ssdeep	6144:xqH2pVYR5I/mQeAOhYMy9crhpehhy7PYVBoHshEjdZPYW5f:xqH2pV9mQeg3qvehhy7QVBbhEBZPH
Threatray	66 similar samples on MalwareBazaar
TLSH	T19794BE4252F16892F7BF4A3D5E3F92E42A3FB4626E38725D22115A1F0D311E0E96271F
TrID	46.6% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 25.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 8.5% (.EXE) Win64 Executable (generic) (10522/11/4) 5.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika	pebin
File icon (PE):
dhash icon	8e86830b0e4e4e0a (1 x Stealc)
Reporter	abuse_ch
Tags:	exe Stealc

abuse_ch

Stealc C2:
http://62.204.41.163/16fa04073490929d.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://62.204.41.163/16fa04073490929d.php	https://threatfox.abuse.ch/ioc/1343892/

Intelligence

File Origin

# of uploads :

# of downloads :

371

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

e4f8054a977a1017f13e7cd57b62a979.exe

Verdict:

Malicious activity

Analysis date:

2024-11-10 10:37:17 UTC

Tags:

loader stealer stealc

Link:

https://app.any.run/tasks/29f12830-2a12-4e14-aba4-edb8d1f53042

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.CrypterX-gen.13514.30199.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67308ccd6c614f3030a3fbb1

Tags:

clipbanker extens trojan virus

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Connection attempt

Sending a custom TCP request

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

Running batch commands

Creating a process with a hidden window

Launching a process

Launching the default Windows debugger (dwwin.exe)

Connection attempt to an infection source

Sending an HTTP GET request to an infection source

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

fingerprint microsoft_visual_cc monero packed packed packer_detected

Link:

https://www.filescan.io/uploads/67308c93058cd3deb69df4ff/reports/2c79725e-3c3b-4146-b46c-399e2c0ebbd3/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/f719946bf4fe48a242db1577114a3ce502d9c16585986fa2c2c1e89cf950b485

Malware family:

Vidar

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c0515a07-8bab-4210-a50a-8444ac6f9891

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/f719946bf4fe48a242db1577114a3ce502d9c16585986fa2c2c1e89cf950b485

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f719946bf4fe48a242db1577114a3ce502d9c16585986fa2c2c1e89cf950b485/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=64mzi27u7zekeqw3cv3rcsr44ubntqlfqwmg7iwcyhujz6kqwscq._file

Verdict:

malicious

Label(s):

shellcode_loader_002

Stealc

695b8d6b97edf8239d5ae772c2d726740d81a0b4893199c3be812406e0942123

Stealc

6b9ac0209eb00ae78340fed2bce162254e778c2ce3cd6b327daa56c3297e070f

Stealc

8a9d0e2c45e9bb11038f5844381731f87f91619409e607d9b2ec6c090300e501

Stealc

d6ffb2defbd91f492a96ae8695abd7a599db086e92e0340f80d9c1c793c978ff

Stealc

error

Stealc

f719946bf4fe48a242db1577114a3ce502d9c16585986fa2c2c1e89cf950b485

Stealc

+ 56 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery

Link:

https://tria.ge/reports/241110-mm8ptsvjcz/

Behaviour

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Downloads MZ/PE file

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/0c9ff12c-ad74-4b4e-be34-78f3023623ef

Unpacked files

SH256 hash:

2f841285068467a1b17875763849bd7d0fd88f732351cd2ce9f000239fbdc34c

MD5 hash:

8855493f8be066bd5b5aa6804925b674

SHA1 hash:

948ff7c8832b5d27c6dd9268004aa46f4f21b69e

Link:

https://www.unpac.me/results/15dffe59-7b75-4be6-aecc-c301426de52a/

SH256 hash:

f719946bf4fe48a242db1577114a3ce502d9c16585986fa2c2c1e89cf950b485

MD5 hash:

e4f8054a977a1017f13e7cd57b62a979

SHA1 hash:

dbddfe1f315d2bb48d0ae028fbae201f9f5ad8da

Link:

https://www.unpac.me/results/15dffe59-7b75-4be6-aecc-c301426de52a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f719946bf4fe48a242db1577114a3ce502d9c16585986fa2c2c1e89cf950b485

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

exe f719946bf4fe48a242db1577114a3ce502d9c16585986fa2c2c1e89cf950b485

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3224762/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryA KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetStartupInfoA KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::WriteConsoleOutputCharacterW KERNEL32.dll::WriteConsoleA KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleAliasesA KERNEL32.dll::GetConsoleAliasExesLengthW KERNEL32.dll::GetConsoleAliasW KERNEL32.dll::GetConsoleFontSize KERNEL32.dll::GetConsoleOutputCP KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileA KERNEL32.dll::MoveFileExA KERNEL32.dll::MoveFileA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample