MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f7352c0de9fbd32c95498fa67702ae6c63c11f9a1145161a850df4bd8272bdab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f7352c0de9fbd32c95498fa67702ae6c63c11f9a1145161a850df4bd8272bdab
SHA3-384 hash: 7ee17fcfd2d66018f1c7f8b24d3c280a2f5243f703b83a64b5ce2943bee7d315e22f87bc86ad6d7e23a18d7a0a79ea41
SHA1 hash: 374021521d524c3c4e8e54937eb21b1982511277
MD5 hash: f69f1b099abe6b8ec4d6319db86fd01d
humanhash: autumn-fanta-magazine-coffee
File name:f69f1b099abe6b8ec4d6319db86fd01d.exe
Download: download sample
Signature Stealc
Create hunting rule
File size:1'917'952 bytes
First seen:2024-10-10 06:59:35 UTC
Last seen:2024-10-10 07:26:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:eyL3rEy79flmbmBE5fukWuuS+vr8GlkJsiSde2Pm0UL:3LIAIb75vWuI6s/4l
Threatray 3'839 similar samples on MalwareBazaar
TLSH T1FB953380BDBAE967C0108779D69E23FE2B1D549C6DB3EC5A32BD4501E8D6DD809360F4
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:Amadey exe Stealc

Intelligence

File Origin
# of uploads :
2
# of downloads :
438
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-10-10 00:57:49 UTC
Tags:
lumma stealer opendir loader stealc themida amadey botnet
Link:
https://app.any.run/tasks/2898d918-233b-44b9-87df-ab1bcb780759

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.11548.17147.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67077b78f936b5621b0c2226
Tags:
Vmdetect Autorun Autoit Spam
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
microsoft_visual_cc packed
Link:
https://www.filescan.io/uploads/67077b73a617144147820792/reports/b50f1ace-53b4-4275-abbf-d955ecc35b4e/overview
Verdict:
Malicious
Labled as:
Kryptik.Generic
Link:
https://www.hybrid-analysis.com/sample/f7352c0de9fbd32c95498fa67702ae6c63c11f9a1145161a850df4bd8272bdab
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/e1048ec6-c391-4e20-8f70-11f624c9cabd
Result
Threat name:
LummaC, Amadey, Credential Flusher, Stea
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1530558
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Searches for specific processes (likely to inject)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected Powershell download and execute
Yara detected Stealc
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1530558 Sample: zYlQoif21X.exe Startdate: 10/10/2024 Architecture: WINDOWS Score: 100 83 steamcommunity.com 2->83 85 sergei-esenin.com 2->85 87 40 other IPs or domains 2->87 107 Multi AV Scanner detection for domain / URL 2->107 109 Suricata IDS alerts for network traffic 2->109 111 Found malware configuration 2->111 113 18 other signatures 2->113 9 skotes.exe 4 25 2->9         started        14 zYlQoif21X.exe 5 2->14         started        16 skotes.exe 2->16         started        18 5 other processes 2->18 signatures3 process4 dnsIp5 103 185.215.113.43, 56810, 56811, 56814 WHOLESALECONNECTIONSNL Portugal 9->103 105 185.215.113.103, 56812, 56815, 56832 WHOLESALECONNECTIONSNL Portugal 9->105 71 C:\Users\user\AppData\...\0994e74918.exe, PE32 9->71 dropped 73 C:\Users\user\AppData\Local\Temp\...\num.exe, PE32 9->73 dropped 75 C:\Users\user\AppData\...\a93e9fcc54.exe, PE32 9->75 dropped 81 5 other malicious files 9->81 dropped 141 Creates multiple autostart registry keys 9->141 143 Hides threads from debuggers 9->143 145 Tries to detect sandboxes / dynamic malware analysis system (registry check) 9->145 20 0994e74918.exe 9->20         started        24 d62e7c3d83.exe 9->24         started        26 num.exe 13 9->26         started        36 2 other processes 9->36 77 C:\Users\user\AppData\Local\...\skotes.exe, PE32 14->77 dropped 79 C:\Users\user\...\skotes.exe:Zone.Identifier, ASCII 14->79 dropped 147 Detected unpacking (changes PE section rights) 14->147 149 Tries to evade debugger and weak emulator (self modifying code) 14->149 151 Tries to detect virtualization through RDTSC time measurements 14->151 28 skotes.exe 14->28         started        153 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 16->153 155 Binary is likely a compiled AutoIt script file 18->155 30 firefox.exe 18->30         started        32 firefox.exe 3 61 18->32         started        34 taskkill.exe 18->34         started        38 4 other processes 18->38 file6 signatures7 process8 dnsIp9 89 sergei-esenin.com 172.67.206.204, 443, 56846, 56868 CLOUDFLARENETUS United States 20->89 91 steamcommunity.com 104.102.49.254, 443, 56843, 56862 AKAMAI-ASUS United States 20->91 115 Antivirus detection for dropped file 20->115 117 Multi AV Scanner detection for dropped file 20->117 119 Detected unpacking (changes PE section rights) 20->119 121 Tries to detect sandboxes and other dynamic analysis tools (window names) 24->121 123 Tries to detect sandboxes / dynamic malware analysis system (registry check) 24->123 125 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 24->125 93 185.215.113.37, 56818, 56850, 56853 WHOLESALECONNECTIONSNL Portugal 26->93 127 Found evasive API chain (may stop execution after checking locale) 26->127 129 Searches for specific processes (likely to inject) 26->129 131 Machine Learning detection for dropped file 28->131 133 Tries to evade debugger and weak emulator (self modifying code) 28->133 135 Hides threads from debuggers 28->135 40 firefox.exe 30->40         started        95 youtube.com 142.250.185.110, 443, 56826, 56827 GOOGLEUS United States 32->95 97 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82, 56828, 56836, 56837 GOOGLEUS United States 32->97 99 5 other IPs or domains 32->99 43 firefox.exe 32->43         started        45 firefox.exe 32->45         started        47 conhost.exe 34->47         started        137 Binary is likely a compiled AutoIt script file 36->137 139 Found API chain indicative of sandbox detection 36->139 49 taskkill.exe 1 36->49         started        51 taskkill.exe 1 36->51         started        53 taskkill.exe 1 36->53         started        55 3 other processes 36->55 57 4 other processes 38->57 signatures10 process11 dnsIp12 101 push.services.mozilla.com 40->101 59 firefox.exe 40->59         started        61 conhost.exe 49->61         started        63 conhost.exe 51->63         started        65 conhost.exe 53->65         started        67 conhost.exe 55->67         started        69 conhost.exe 55->69         started        process13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f7352c0de9fbd32c95498fa67702ae6c63c11f9a1145161a850df4bd8272bdab
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f7352c0de9fbd32c95498fa67702ae6c63c11f9a1145161a850df4bd8272bdab/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-10-10 07:00:06 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
25 of 38 (65.79%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=642sydpj7pjszfkjr6thoavonrr4ch42cfcrmgufbx2l3atsxwvq._file
Verdict:
malicious
Label(s):
stealc
Create hunting rule
amadey
Create hunting rule
Similar samples:
04a4ed789f8a254681cc65fe7361660373cc8a37b66992979c916bf4f990c8b9
Stealc
1a6fc3b2bda9a9615ec0f20492bd75257b41581e9ccef8d2c04f26642d985632
Stealc
92a218b4b6cbd696cb07698a2da0fc8578ad1f966a88509e25db827fe85a2920
Stealc
a2082b155a75d3e93b273f49890631a2a574a34c6d69871b9c7e17208a5e4489
Stealc
d0175428447d496447f5f940366744ad3a300e8b3116a2a7852969fac0d12835
Stealc
d39f448e8875c318fe4b2e48cfd0bbdba371c787f82584eefe2fa5ee5addaea7
Stealc
fc3286ee1ef68ef62e2dd2652d5a37b9a24bf47f2c0e81b1c4023ec0c64a7146
Stealc
+ 3'829 additional samples on MalwareBazaar
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:lumma family:stealc botnet:9c9aa5 botnet:doma discovery evasion persistence stealer trojan
Link:
https://tria.ge/reports/241010-hsnvdswdmm/
Behaviour
Checks processor information in registry
Kills process with taskkill
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Lumma Stealer, LummaC
Stealc
Malware Config
C2 Extraction:
http://185.215.113.43
http://185.215.113.37
https://clearancek.site
https://licendfilteo.site
https://spirittunek.store
https://bathdoomgaz.store
https://studennotediw.store
https://dissapoiznw.store
https://eaglepawnoy.store
https://mobbipenju.store
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/542361e9-4390-4514-95b0-c095b0219a63
Unpacked files
SH256 hash:
595c757e1d428e0fba143c1f3e47ba22638407425efd9f15295af1a5c2ece97e
MD5 hash:
290a2821cad0c5314e381a22154fa0ee
SHA1 hash:
22f85025317e84713be87485ae9cb7876be08990
Detections:
Amadey
Create hunting rule
win_amadey
Create hunting rule
Link:
https://www.unpac.me/results/4113420d-3ab6-4cb4-950a-cd7461f569a2/
SH256 hash:
f7352c0de9fbd32c95498fa67702ae6c63c11f9a1145161a850df4bd8272bdab
MD5 hash:
f69f1b099abe6b8ec4d6319db86fd01d
SHA1 hash:
374021521d524c3c4e8e54937eb21b1982511277
Link:
https://www.unpac.me/results/4113420d-3ab6-4cb4-950a-cd7461f569a2/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f7352c0de9fb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f7352c0de9fbd32c95498fa67702ae6c63c11f9a1145161a850df4bd8272bdab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe f7352c0de9fbd32c95498fa67702ae6c63c11f9a1145161a850df4bd8272bdab

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3183445/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments