MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8d3bcd5cffb3aeb677c57c43240368c39886d19a2b6180cfe9f4cd0ad960b90. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Stealc


Vendor detections: 14



SHA256 hash: f8d3bcd5cffb3aeb677c57c43240368c39886d19a2b6180cfe9f4cd0ad960b90
SHA3-384 hash: 2e408ddedc050d8ea1079ebf717f29364a5a89a5254c33df799497b57b2c130fd707da0037230338958f14658d2ce3ac
SHA1 hash: 592732746456fe9a0b6bceb408848cc598001617
MD5 hash: 14b157cd17919b72329ce956ffe3ec78
humanhash: oregon-equal-sierra-high
File name: file
Signature: Stealc
File size: 213'504 bytes
First seen: 2023-09-20 16:08:30 UTC
Last seen: 2023-09-21 12:10:46 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f441e1f89e815eda74d641cd1f758949 (2 x RedLineStealer, 1 x Stealc, 1 x Backdoor.TeamViewer)
ssdeep: 3072:DX23B2yaYWSBD9DMrQxiUfDp16g4L3M5J7+qTf+bif3:7iYqWSBDVCqDruE7+qT/
Threatray: 406 similar samples on MalwareBazaar
TLSH: T12224DF1135E2C0B2C5B745347870CBA0AABB7C739774894B37642BBEAD307915E66327
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 0408021810602000 (1 x Stealc)
Reporter: andretavare5
Tags: exe Stealc


andretavare5
Sample downloaded from http://christopherantonio.top/calc2.exe

Intelligence


File Origin
# of uploads: 72
# of downloads: 305
Origin country: US
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2023-09-20 16:10:32 UTC
Tags: stealc stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:

Behaviour
Searching for the window
Launching the default Windows debugger (dwwin.exe)
Gathering data

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: Oski Stealer
Verdict: Malicious

Result
Threat name: Stealc, Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Sample uses string decryption to hide its real strings
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:

Threat name: Win32.Trojan.Privateloader
Status: Malicious
First seen: 2023-09-20 16:09:07 UTC
File Type: PE (Exe)
Extracted files: 11
AV detection: 23 of 23 (100.00%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:stealc discovery spyware stealer
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Stealc
Malware Config
C2 Extraction: http://bryanzachary.top
Unpacked files
SHA256 hash: 40cf7a0db480dd80e1c2e6f8b6a92eb997a5a318656ef4367832928de11886bc
MD5 hash: 706928d29bf5a9d43ec40fafc73481df
SHA1 hash: 124c272b804865d8e30b8e9716534724a41d02cd
Detections: stealc
Parent samples:
SHA256 hash: f8d3bcd5cffb3aeb677c57c43240368c39886d19a2b6180cfe9f4cd0ad960b90
MD5 hash: 14b157cd17919b72329ce956ffe3ec78
SHA1 hash: 592732746456fe9a0b6bceb408848cc598001617
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments