MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb110b1db7c02725d6cb0953cf153a2b5e158d358db136aece90ac06d79cb07d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 17

Intelligence 17 IOCs YARA 9 File information Comments

SHA256 hash:	fb110b1db7c02725d6cb0953cf153a2b5e158d358db136aece90ac06d79cb07d
SHA3-384 hash:	e840db1f32dbe74b28999a58677cf11f33a62de2f903ab4b3c71d14b85a93c22d364f91b2d492d9419c9077726ccebf7
SHA1 hash:	c03af31d714b26d2bf254dd986208f20b37885dd
MD5 hash:	23b163180bc13aa5f430c2cf0413da12
humanhash:	michigan-mirror-grey-king
File name:	ZCYxSCA9cbn8voXjBSQrPnD8.exe
Download:	download sample
Signature	Stealc Create hunting rule
File size:	2'645'256 bytes
First seen:	2025-01-23 17:35:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4328f7206db519cd4e82283211d98e83 (533 x RedLineStealer, 18 x Arechclient2, 15 x DCRat)
ssdeep	49152:1XaijDDioKqQCOlNBSVPtiCdCLBHkJ2MHjFVWquPgmNW5klRBIdltPAFEP:nDHKRstiCdGHHIjFVWhjNW5uQo6P
TLSH	T17CC533326681C9A7E4F1497050A1E33EDCE8DEF49F572E62B800FE6E16A1715A5C34CB
TrID	25.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 19.1% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.1% (.EXE) Win32 Executable (generic) (4504/4/1) 7.8% (.EXE) Win16/32 Executable Delphi generic (2072/23) 7.8% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
File icon (PE):
dhash icon	fcf8f8f8e8dcc4d4 (1 x Stealc)
Reporter	MrMalware
Tags:	exe signed Stealc

Code Signing Certificate

Organisation:	Acer Quik AP527-57 [AN527-27-77M3]
Issuer:	Acer Quik AP527-57 [AN527-27-77M3]
Algorithm:	sha1WithRSAEncryption
Valid from:	2023-04-06T15:02:29Z
Valid to:	2033-04-07T15:02:29Z
Serial number:	74576a91b177ddb94a15a1491a4da1d2
Intelligence:	11 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	49d83b0bced6cedbc8e75cfc39f6f9f4288354859c37132c5123c5ad84d96fc7
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

477

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ZCYxSCA9cbn8voXjBSQrPnD8.exe

Verdict:

Malicious activity

Analysis date:

2025-01-23 17:39:49 UTC

Tags:

themida stealc stealer

Link:

https://app.any.run/tasks/5a173031-ca46-41f9-b370-8ac5b25236bb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Clean

Score:

89.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67927ee1e708b6e7a3b07cab

Tags:

n/a

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Searching for analyzing tools

Launching a process

Сreating synchronization primitives

Creating a file

Forced shutdown of a system process

Unauthorized injection to a system process

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/fb110b1db7c02725d6cb0953cf153a2b5e158d358db136aece90ac06d79cb07d

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Stealc

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4b3bbcb4-8bce-4fe2-8e12-2a8e1cde4fbe

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1597893

Signature

.NET source code contains method to dynamically call methods (often used by packers)

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Found evasive API chain (may stop execution after checking computer name)

Hides threads from debuggers

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Writes to foreign memory regions

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/fb110b1db7c02725d6cb0953cf153a2b5e158d358db136aece90ac06d79cb07d

Detection:

stealc

Link:

https://mwdb.cert.pl/sample/fb110b1db7c02725d6cb0953cf153a2b5e158d358db136aece90ac06d79cb07d/

Threat name:

Win32.Trojan.Vidar

Status:

Malicious

First seen:

2023-07-24 21:42:01 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 38 (55.26%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7miqwhnxyatslvwlbfj46fj2fnpbldjvrwytnlwoscwanv44wb6q._file

Verdict:

malicious

Label(s):

stealc

Similar samples:

error

Stealc

Result

Malware family:

stealc

Score:

10/10

Tags:

family:stealc defense_evasion discovery stealer themida trojan

Link:

https://tria.ge/reports/250123-v6kfcaxlbs/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Checks BIOS information in registry

Themida packer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Stealc

Stealc family

Malware Config

C2 Extraction:

http://stair585.com

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/88675418-fade-479e-9152-ccced36bfcfa

Unpacked files

SH256 hash:

6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c

MD5 hash:

c5124caf4aea3a83b63a9108fe0dcef8

SHA1 hash:

a43a5a59038fca5a63fa526277f241f855177ce6

Link:

https://www.unpac.me/results/a8bb0280-87cd-4991-a414-54bb1d588ad8/

SH256 hash:

a040e9685037642952dc33e3e7c691e7d9bc3cf77d4b27fcc224d6830f66238a

MD5 hash:

7e8db8ccd802df0abd040b3d856c73ff

SHA1 hash:

809eacf454f918e78f84585982b45f2e23e61b43

Detections:

win_stealc_auto

win_stealc_a0

detect_Mars_Stealer

win_stealc_bytecodes_oct_2023

Link:

https://www.unpac.me/results/a8bb0280-87cd-4991-a414-54bb1d588ad8/

SH256 hash:

bfa12a2456d40d6c32a1f4e35bd43c81f6f67466234faed8fec19397d0e6d808

MD5 hash:

7a7927bac28be846b2fd2a5d10ba0676

SHA1 hash:

67a7b8616fc8e7aa7bb7a6e2521548e67a7caa2d

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/a8bb0280-87cd-4991-a414-54bb1d588ad8/

Parent samples :

fb110b1db7c02725d6cb0953cf153a2b5e158d358db136aece90ac06d79cb07d
80dd6d009a2b7ab7aa393d063048320db5ea3920a4fd9cca4a0a76f12183273f

SH256 hash:

fb110b1db7c02725d6cb0953cf153a2b5e158d358db136aece90ac06d79cb07d

MD5 hash:

23b163180bc13aa5f430c2cf0413da12

SHA1 hash:

c03af31d714b26d2bf254dd986208f20b37885dd

Link:

https://www.unpac.me/results/a8bb0280-87cd-4991-a414-54bb1d588ad8/

Malware family:

Stealc

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/fb110b1db7c0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fb110b1db7c02725d6cb0953cf153a2b5e158d358db136aece90ac06d79cb07d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_Themida Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Themida

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_TRUST_INFO	Requires Elevated Execution (Unrestricted:true)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample