MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f86f8946cd8542658cae08d7fd9664c5896c767f6854bdbf249cdc503c71baeb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 17


Intelligence 17 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f86f8946cd8542658cae08d7fd9664c5896c767f6854bdbf249cdc503c71baeb
SHA3-384 hash: 53eb9ddde502f7a5232e70bac2ee15a5d4af4177ea447279250080cfad2ce47b8483b00bcde465a78028aa6d5e574674
SHA1 hash: 4c2af518ec4d2e2c65d6b6bda8327a6d76f89a49
MD5 hash: 4ceec32c4addd2c0f6894d0cc1234771
humanhash: earth-earth-spring-cola
File name:4ceec32c4addd2c0f6894d0cc1234771.exe
Download: download sample
Signature Stealc
Create hunting rule
File size:363'008 bytes
First seen:2024-10-25 16:40:16 UTC
Last seen:2024-10-25 17:42:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2d2b48fd60d7f0264d6ec6db121e9a1d (6 x Stealc)
ssdeep 6144:SASzDBKEcQK42PcPotkXioiluUt2f0UsBKc3V65UJgTz:Ajjq0PNEuGg0Us565UJgT
Threatray 274 similar samples on MalwareBazaar
TLSH T168748DD065F1952BEBFB87785A70D6B81A3BBC63AA70834E3510360F39737918911B93
TrID 46.6% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
25.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.5% (.EXE) Win64 Executable (generic) (10522/11/4)
5.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
File icon (PE):PE icon
dhash icon 1030684064321000 (1 x Stealc)
Reporter abuse_ch
Tags:exe Stealc


Avatar
abuse_ch
Stealc C2:
http://185.241.61.210/849647684a13b905.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.241.61.210/849647684a13b905.php https://threatfox.abuse.ch/ioc/1339335/

Intelligence

File Origin
# of uploads :
2
# of downloads :
413
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4ceec32c4addd2c0f6894d0cc1234771.exe
Verdict:
Malicious activity
Analysis date:
2024-10-25 17:28:50 UTC
Tags:
stealc stealer
Link:
https://app.any.run/tasks/f309a210-a971-4cd7-ad7f-befb60c780de

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Trojan.PSE.1SE2B7C.6651.13799.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=671bca1fa75e41aa6721674b
Tags:
Powershell Cobalt Lien
Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Sending an HTTP GET request
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
fingerprint microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/671bca27b5a54248f9e453cd/reports/f2cceaa9-16e9-4328-8b48-0313ac8a9bc9/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f86f8946cd8542658cae08d7fd9664c5896c767f6854bdbf249cdc503c71baeb
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5df698d4-6865-46f5-a53a-b34b91d26185
Result
Threat name:
Stealc, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1542279
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Searches for specific processes (likely to inject)
Sigma detected: Disable power options
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Stop EventLog
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses powercfg.exe to modify the power settings
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1542279 Sample: oNL2jSvLHj.exe Startdate: 25/10/2024 Architecture: WINDOWS Score: 100 73 sirault.be 2->73 81 Suricata IDS alerts for network traffic 2->81 83 Found malware configuration 2->83 85 Malicious sample detected (through community Yara rule) 2->85 87 12 other signatures 2->87 10 oNL2jSvLHj.exe 35 2->10         started        15 updater.exe 2->15         started        17 svchost.exe 3 8 2->17         started        signatures3 process4 dnsIp5 75 185.241.61.210, 49730, 49738, 80 ULX-UKGB unknown 10->75 77 sirault.be 185.98.131.200, 443, 49737 RMI-FITECHFR France 10->77 65 C:\Users\user\AppData\...\softokn3[1].dll, PE32 10->65 dropped 67 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 10->67 dropped 69 C:\Users\user\AppData\...\mozglue[1].dll, PE32 10->69 dropped 71 10 other files (6 malicious) 10->71 dropped 97 Detected unpacking (changes PE section rights) 10->97 99 Detected unpacking (overwrites its own PE header) 10->99 101 Tries to steal Mail credentials (via file / registry access) 10->101 109 6 other signatures 10->109 19 cmd.exe 1 10->19         started        21 WerFault.exe 21 16 10->21         started        103 Multi AV Scanner detection for dropped file 15->103 105 Query firmware table information (likely to detect VMs) 15->105 107 Tries to detect sandboxes and other dynamic analysis tools (window names) 15->107 111 4 other signatures 15->111 24 WerFault.exe 2 17->24         started        file6 signatures7 process8 file9 26 HCGCBFHCFC.exe 1 3 19->26         started        30 conhost.exe 19->30         started        59 C:\ProgramData\Microsoft\...\Report.wer, Unicode 21->59 dropped process10 file11 61 C:\ProgramDatabehaviorgraphoogle\Chrome\updater.exe, PE32+ 26->61 dropped 63 C:\Windows\System32\drivers\etc\hosts, ASCII 26->63 dropped 89 Multi AV Scanner detection for dropped file 26->89 91 Query firmware table information (likely to detect VMs) 26->91 93 Uses powercfg.exe to modify the power settings 26->93 95 7 other signatures 26->95 32 powershell.exe 23 26->32         started        35 cmd.exe 1 26->35         started        37 sc.exe 1 26->37         started        39 12 other processes 26->39 signatures12 process13 signatures14 79 Loading BitLocker PowerShell Module 32->79 41 WmiPrvSE.exe 32->41         started        43 conhost.exe 32->43         started        45 conhost.exe 35->45         started        47 wusa.exe 35->47         started        49 conhost.exe 37->49         started        51 conhost.exe 39->51         started        53 conhost.exe 39->53         started        55 conhost.exe 39->55         started        57 9 other processes 39->57 process15
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f86f8946cd8542658cae08d7fd9664c5896c767f6854bdbf249cdc503c71baeb
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f86f8946cd8542658cae08d7fd9664c5896c767f6854bdbf249cdc503c71baeb/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-10-25 16:41:04 UTC
File Type:
PE (Exe)
Extracted files:
49
AV detection:
20 of 24 (83.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7bxysrwnqvbgldfobdl73fteywewy5t7nbkl3pzettofapdrxlvq._file
Verdict:
malicious
Label(s):
stealc
Create hunting rule
shellcode_loader_002
Create hunting rule
Similar samples:
2818498f5686279b9a8ed4e58a6e7106364c28048c218f4b31bc7c6e2f0ddb17
Stealc
5dea0d7ca0ceda1a20692bb09d5809b654729f6e790a29be3cd85366e361641c
Stealc
5dffe3668ba7b8a66c24d5941411986adc79331598e84a3152a41f1c487be2ff
Stealc
5fd4b6c1b58ff9016562ab9ec9020461fe2452b389e360dd83cbe2ab2eb30fae
Stealc
8f3b669882cbc3302feae900aaeb4abd04f613eb58b43428aff8bf222dd731cb
Stealc
ae3ae0f5f9d8e2911a2e7feecf26e9567ca3f4fe8a9b6c9d7f350c2db6e6e1eb
Stealc
d0aee6ef091a8fa47c9f78f7964bafa6dc84e2d094c09e40b35e014d8c87c9a3
Stealc
e7d6fc3e8c20d867d0f36ea1f614881a748db6fd4cdd42c5dc98a4a0c2790792
Stealc
error
Stealc
+ 264 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:stealc family:xmrig botnet:logsdiller credential_access discovery evasion execution miner persistence spyware stealer themida trojan
Link:
https://tria.ge/reports/241025-t63q9ashlq/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Power Settings
Checks BIOS information in registry
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Themida packer
Unsecured Credentials: Credentials In Files
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Downloads MZ/PE file
Drops file in Drivers directory
Stops running service(s)
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner payload
Stealc
Stealc family
Xmrig family
xmrig
Malware Config
C2 Extraction:
http://185.241.61.210
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d09fce13-e325-4211-ba1c-845784a800dd
Unpacked files
SH256 hash:
9b2188cf15a7411aecdc039074369aa0a37f265b75585de89f93b23fd755bfc0
MD5 hash:
629a4efd68850a5770cf6b80533ff551
SHA1 hash:
010ef34816bc38a8d88f9c8d41b226d0cc5edecc
Detections:
stealc
Create hunting rule
detect_Mars_Stealer
Create hunting rule
Link:
https://www.unpac.me/results/d0686239-257a-41b2-b9c6-45b6d5e64d60/
Parent samples :
2818498f5686279b9a8ed4e58a6e7106364c28048c218f4b31bc7c6e2f0ddb17
5fd4b6c1b58ff9016562ab9ec9020461fe2452b389e360dd83cbe2ab2eb30fae
5dffe3668ba7b8a66c24d5941411986adc79331598e84a3152a41f1c487be2ff
f86f8946cd8542658cae08d7fd9664c5896c767f6854bdbf249cdc503c71baeb
d4fb1d477d76d59c6fe2c4fada775618f998010ea7a81e07533d3c80ae57c903
SH256 hash:
29e7e1c1e1a7e5f26f6961d8036cdd04ee4557dec0a7dcadcd8e7651f5e53f43
MD5 hash:
2ec23e83e2f63ab27c25741b1f4d7f49
SHA1 hash:
bb231b274bd66393fa830a44e6d4447d4399eeb9
Link:
https://www.unpac.me/results/d0686239-257a-41b2-b9c6-45b6d5e64d60/
SH256 hash:
f86f8946cd8542658cae08d7fd9664c5896c767f6854bdbf249cdc503c71baeb
MD5 hash:
4ceec32c4addd2c0f6894d0cc1234771
SHA1 hash:
4c2af518ec4d2e2c65d6b6bda8327a6d76f89a49
Link:
https://www.unpac.me/results/d0686239-257a-41b2-b9c6-45b6d5e64d60/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f86f8946cd8542658cae08d7fd9664c5896c767f6854bdbf249cdc503c71baeb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe f86f8946cd8542658cae08d7fd9664c5896c767f6854bdbf249cdc503c71baeb

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3243375/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::DeleteVolumeMountPointW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::WriteConsoleA
KERNEL32.dll::ReadConsoleOutputCharacterW
KERNEL32.dll::SetConsoleTitleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleAliasW
KERNEL32.dll::GetConsoleFontSize
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateFileA
KERNEL32.dll::MoveFileExA
KERNEL32.dll::MoveFileW
KERNEL32.dll::GetFileAttributesW
KERNEL32.dll::GetSystemWow64DirectoryW
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameA
WIN_HTTP_APIUses HTTP servicesWINHTTP.dll::WinHttpOpenRequest
WIN_SVC_APICan Manipulate Windows ServicesADVAPI32.dll::QueryServiceLockStatusW

Comments