MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa6ba41bff46096cf24102217650b7a3190a5b7ae13f0c69c96bb38f726014f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	fa6ba41bff46096cf24102217650b7a3190a5b7ae13f0c69c96bb38f726014f5
SHA3-384 hash:	d1cabf51dfed734b1d895bd973bb08aa05edf7f21f388854b7c8054fd5efed8085a7de1c6bf47d928f04bff75f2087b1
SHA1 hash:	697e21e6c410d4bb88b265f18ea7643e74a39dfb
MD5 hash:	7d47c01aeaa90c80616c64843f7c404c
humanhash:	west-ohio-michigan-july
File name:	7d47c01aeaa90c80616c64843f7c404c
Download:	download sample
Signature	Stealc Alert Create hunting rule
File size:	370'688 bytes
First seen:	2023-12-22 11:45:26 UTC
Last seen:	2023-12-22 13:14:51 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	827724b96058b90997eb88175402450d (2 x Stealc, 1 x Smoke Loader, 1 x Amadey)
ssdeep	6144:tT7fMxZHZLYQ/Zr2HQX6bsSdzTjKMrbMfc6r7I7z3hf3prKXqW:57fa5se6QX6ISVoc6r7I7Dov
TLSH	T179748D5172E2D433DAE319348524C7B70A3BB8325929558FAAE42F797F313E1A711F0A
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	d2b1e4c4ecb187f9 (1 x Stealc)
Reporter	zbetcheckin
Tags:	32 exe Stealc

Intelligence

---

File Origin

# of uploads :

2

# of downloads :

332

Origin country :

FR

Vendor Threat Intelligence

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/469042/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Win32.TrojanX-gen.32488.32732.UNOFFICIAL

Alert

Create hunting rule

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

packed stealc

Link:

https://www.filescan.io/uploads/658576fef4b6e5e16354b001/reports/50ac2c09-8ad4-46a9-bdc4-cba9d625491e/overview

Hybrid Analysis Malware

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/fa6ba41bff46096cf24102217650b7a3190a5b7ae13f0c69c96bb38f726014f5

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Stealc

Malware family:

Stealc

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/52afb772-8bb7-4f61-9902-4f5bbe55d090

Joe Sandbox Stealc, Vidar

Result

Threat name:

Stealc, Vidar

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1366197

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found evasive API chain (may stop execution after checking locale)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Self deletion via cmd or bat file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Yara detected Stealc

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Nucleon Malprob Malware

Score:

100%

Verdict:

Malware

File Type:

PE

Link:

https://malprob.io/report/fa6ba41bff46096cf24102217650b7a3190a5b7ae13f0c69c96bb38f726014f5

CERT.PL MWDB stealc

Detection:

stealc

Alert

Create hunting rule

Link:

https://mwdb.cert.pl/sample/fa6ba41bff46096cf24102217650b7a3190a5b7ae13f0c69c96bb38f726014f5/

ReversingLabs TitaniumCloud Win32.Spyware.Stealc

Threat name:

Win32.Spyware.Stealc

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-12-22 11:46:05 UTC

File Type:

PE (Exe)

Extracted files:

71

AV detection:

20 of 23 (86.96%)

Threat level:

  2/5

Spamhaus Hash Blocklist Malicious file

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=7jv2ig77iyewz4sbaiqxmufxummquw324e7qy2ojnozy64tact2q._file

Threatray malicious

Verdict:

malicious

Hatching Triage stealc

Result

Malware family:

stealc

Alert

Create hunting rule

Score:

  10/10

Tags:

family:stealc discovery spyware stealer

Link:

https://tria.ge/reports/231222-nxaffsbeb3/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Deletes itself

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Downloads MZ/PE file

Stealc

Malware Config

C2 Extraction:

http://77.91.76.36

UnpacMe stealc win_stealc_auto win_stealc_a0 win_stealc_bytecodes_oct_2023

Unpacked files

SH256 hash:

7fdbfde21e6a9f34966dcbf2c4f008f7c13a52385852aad40e0485c23ec6b614

MD5 hash:

fadec2f496629ad87cfbb9a2a7f5446d

SHA1 hash:

da783e5c9568589655760aea863def2b5df5342a

Detections:

stealc

Alert

Create hunting rule

win_stealc_auto

Alert

Create hunting rule

win_stealc_a0

Alert

Create hunting rule

win_stealc_bytecodes_oct_2023

Alert

Create hunting rule

Link:

https://www.unpac.me/results/07d3e3ee-dd41-4856-88f5-99faf2e1d556/

Parent samples :

e1c6c0f8a949dfee38ebf5013eb26b52e5bb53e7c10fc5a02557230555174683
7eda35b2c10d5bbc286d3f446c142758783aea0535b55c9dd42968d35ca202fa
fa6ba41bff46096cf24102217650b7a3190a5b7ae13f0c69c96bb38f726014f5
81628e4300b6cebde33d6cfbee5f483d230216616b812e6896aa159d77b0c081
bbc7dd5d471b06ed6e6f3ee03bef18e6967cf244bbc1ede6af795de22aaad6a9

SH256 hash:

fa6ba41bff46096cf24102217650b7a3190a5b7ae13f0c69c96bb38f726014f5

MD5 hash:

7d47c01aeaa90c80616c64843f7c404c

SHA1 hash:

697e21e6c410d4bb88b265f18ea7643e74a39dfb

Link:

https://www.unpac.me/results/07d3e3ee-dd41-4856-88f5-99faf2e1d556/

VMRay Stealc

Malware family:

Stealc

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/fa6ba41bff46/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fa6ba41bff46096cf24102217650b7a3190a5b7ae13f0c69c96bb38f726014f5

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

exe fa6ba41bff46096cf24102217650b7a3190a5b7ae13f0c69c96bb38f726014f5

(this sample)

  

Delivery method

Distributed via web download

  

URLhaus

https://urlhaus.abuse.ch/url/2736472/

Cape

https://www.capesandbox.com/analysis/469042/

Comments

---

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2023-12-22 11:45:27 UTC

url : hxxp://5.42.64.35/syncUpd.exe