MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb2b3cee6ed4ce327e57f631befe82f24499a9a227371f351586daa9d92640ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fb2b3cee6ed4ce327e57f631befe82f24499a9a227371f351586daa9d92640ca
SHA3-384 hash: 0b0cb2c95fb6552a0208ce82c967c4d0466829c040f938b72ca5beca2fc1e201ffcf372009bb6191ed415b9ff344f3f0
SHA1 hash: cae022f0f97d0603b19f03b20051fa1c965e5955
MD5 hash: c310ac6a7b8f06439364ce1e2e9d5453
humanhash: fillet-thirteen-vermont-muppet
File name:file
Download: download sample
Signature Stealc
Create hunting rule
File size:16'752 bytes
First seen:2024-01-30 04:01:29 UTC
Last seen:2024-01-30 05:32:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 384:TKx+LTKhjVBCe9DRJopPGoGCJEF8ZpHtB:TKMCNnxnyEFiRr
Threatray 4 similar samples on MalwareBazaar
TLSH T19B729D907B4C2266D9DA4B754CD3A5224EB2B2D24C408D1F3EE881CD2D43FD42F956BE
TrID 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter jstrosch
Tags:.NET exe MSIL signed Stealc

Code Signing Certificate

Organisation:installrox inc
Issuer:installrox inc
Algorithm:sha256WithRSAEncryption
Valid from:2024-01-28T02:21:05Z
Valid to:2025-01-28T02:21:05Z
Serial number: 2a892f911c7c1ceca279e64e1fb57085
Thumbprint Algorithm:SHA256
Thumbprint: a22cd9dff9d1ea03a8fa641796bcc3b6b66b7e4faa46af8c05d82fc41771015c
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
jstrosch
Found at hxxp://15.204.49[.]148/files/InstallSetup2.exe by #subcrawl

Intelligence

File Origin
# of uploads :
2
# of downloads :
317
Origin country :
US US
Vendor Threat Intelligence
Malware family:
ramnit
Create hunting rule
ID:
1
File name:
4363463463464363463463463.exe
Verdict:
Malicious activity
Analysis date:
2024-01-30 00:02:02 UTC
Tags:
hausbomber opendir loader ramnit trojan asyncrat stealer stealc raccoon amadey botnet vidar evasion phorpiex gh0stcringe gh0st remote rat neoreklami kelihos redline miner quasar risepro socks5systemz proxy
Link:
https://app.any.run/tasks/4b10e174-01e2-4229-84ad-218c24ee600b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/473541/
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.143271.4838.20482.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a process with a hidden window
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Blocking the User Account Control
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/65b874be814c2aeb1484b6a9/reports/3ab38a37-c936-4144-ad39-5db667976e64/overview
Verdict:
Malicious
Labled as:
MSILHeracles.Generic
Link:
https://www.hybrid-analysis.com/sample/fb2b3cee6ed4ce327e57f631befe82f24499a9a227371f351586daa9d92640ca
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/745b2461-b854-46e9-b9ce-d7e15ff54af7
Result
Threat name:
Glupteba, GuLoader, Socks5Systemz, Steal
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1383118
Signature
.NET source code contains process injector
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables UAC (registry)
Drops script or batch files to the startup folder
Found malware configuration
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Drops script at startup location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Process Patterns NTDS.DIT Exfil
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Writes many files with high entropy
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected GuLoader
Yara detected Socks5Systemz
Yara detected Stealc
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1383118 Sample: file.exe Startdate: 30/01/2024 Architecture: WINDOWS Score: 100 156 Multi AV Scanner detection for domain / URL 2->156 158 Found malware configuration 2->158 160 Malicious sample detected (through community Yara rule) 2->160 162 21 other signatures 2->162 10 file.exe 17 4 2->10         started        14 svchost.exe 2->14         started        process3 dnsIp4 154 104.21.50.164 CLOUDFLARENETUS United States 10->154 196 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 10->196 198 Writes to foreign memory regions 10->198 200 Allocates memory in foreign processes 10->200 202 4 other signatures 10->202 16 CasPol.exe 14 422 10->16         started        21 powershell.exe 22 10->21         started        23 WerFault.exe 14->23         started        25 WerFault.exe 14->25         started        27 WerFault.exe 14->27         started        29 3 other processes 14->29 signatures5 process6 dnsIp7 126 194.104.136.64 SMEERBOEL-ASSMEERBOELBVNL Netherlands 16->126 128 107.167.110.216 OPERASOFTWAREUS United States 16->128 130 14 other IPs or domains 16->130 80 C:\Users\...\zBlEGzlvysHzRCE0GiZX2uOf.exe, PE32 16->80 dropped 82 C:\Users\...\xu1OfvMchMXCNZbJGV6s5Gdm.exe, PE32 16->82 dropped 84 C:\Users\...\x2jlBjtorovi9mi987RmGXD9.exe, PE32 16->84 dropped 86 192 other malicious files 16->86 dropped 164 Drops script or batch files to the startup folder 16->164 166 Creates HTML files with .exe extension (expired dropper behavior) 16->166 168 Writes many files with high entropy 16->168 31 9YEhRdtO2OoQD9BL8Fo09zsj.exe 16->31         started        34 0IvHmcerPrUO4ravaVBOU6xA.exe 16->34         started        37 tbZEk2bipPyyVCCPumvtvlAo.exe 16->37         started        44 12 other processes 16->44 40 conhost.exe 21->40         started        42 WmiPrvSE.exe 21->42         started        170 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 23->170 file8 signatures9 process10 dnsIp11 108 C:\Users\...\9YEhRdtO2OoQD9BL8Fo09zsj.tmp, PE32 31->108 dropped 46 9YEhRdtO2OoQD9BL8Fo09zsj.tmp 31->46         started        134 5.42.64.33 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 34->134 136 185.172.128.90 NADYMSS-ASRU Russian Federation 34->136 110 C:\Users\user\AppData\Local\...\nsu83B4.tmp, PE32 34->110 dropped 112 C:\Users\user\AppData\Local\...\INetC.dll, PE32 34->112 dropped 120 2 other malicious files 34->120 dropped 49 nsu83B4.tmp 34->49         started        53 BroomSetup.exe 34->53         started        138 107.167.110.218 OPERASOFTWAREUS United States 37->138 140 107.167.125.189 OPERASOFTWAREUS United States 37->140 144 5 other IPs or domains 37->144 122 9 other malicious files 37->122 dropped 186 Writes many files with high entropy 37->186 55 tbZEk2bipPyyVCCPumvtvlAo.exe 37->55         started        57 tbZEk2bipPyyVCCPumvtvlAo.exe 37->57         started        59 tbZEk2bipPyyVCCPumvtvlAo.exe 37->59         started        142 107.167.110.217 OPERASOFTWAREUS United States 44->142 146 6 other IPs or domains 44->146 114 C:\Windows\servicingditions\CabPack.dll, PE32+ 44->114 dropped 116 C:\Users\user\AppData\Local\...\nsvA025.tmp, COM 44->116 dropped 118 C:\Users\user\AppData\Local\...\nsm7C90.tmp, COM 44->118 dropped 124 13 other malicious files 44->124 dropped 188 Detected unpacking (changes PE section rights) 44->188 190 Detected unpacking (overwrites its own PE header) 44->190 192 Query firmware table information (likely to detect VMs) 44->192 194 4 other signatures 44->194 61 Install.exe 44->61         started        63 WerFault.exe 44->63         started        65 3 other processes 44->65 file12 signatures13 process14 dnsIp15 90 C:\Users\user\AppData\...\zlib1.dll (copy), PE32 46->90 dropped 92 C:\Users\user\AppData\...\unins000.exe (copy), PE32 46->92 dropped 94 C:\Users\user\...\swresample-3.dll (copy), PE32 46->94 dropped 104 32 other files (29 malicious) 46->104 dropped 67 WMACutterJoiner.exe 46->67         started        71 WMACutterJoiner.exe 46->71         started        132 185.172.128.79 NADYMSS-ASRU Russian Federation 49->132 106 12 other files (8 malicious) 49->106 dropped 172 Detected unpacking (changes PE section rights) 49->172 174 Detected unpacking (overwrites its own PE header) 49->174 176 Tries to harvest and steal ftp login credentials 49->176 178 Tries to harvest and steal browser information (history, passwords, etc) 49->178 180 Multi AV Scanner detection for dropped file 53->180 74 cmd.exe 53->74         started        96 Opera_installer_2401300403221651864.dll, PE32 55->96 dropped 98 Opera_installer_2401300403243086456.dll, PE32 57->98 dropped 100 Opera_installer_2401300403306197352.dll, PE32 59->100 dropped 102 C:\Users\user\AppData\Local\...\Install.exe, PE32 61->102 dropped file16 signatures17 process18 dnsIp19 88 C:\...\Python Config Parser 6.4.exe, PE32 67->88 dropped 182 Detected unpacking (changes PE section rights) 67->182 184 Detected unpacking (overwrites its own PE header) 67->184 148 185.196.8.22 SIMPLECARRER2IT Switzerland 71->148 150 45.155.250.90 MEER-ASmeerfarbigGmbHCoKGDE Germany 71->150 152 176.9.47.240 HETZNER-ASDE Germany 71->152 76 conhost.exe 74->76         started        78 chcp.com 74->78         started        file20 signatures21 process22
Score:
93%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/fb2b3cee6ed4ce327e57f631befe82f24499a9a227371f351586daa9d92640ca
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fb2b3cee6ed4ce327e57f631befe82f24499a9a227371f351586daa9d92640ca/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7mvtz3to2thde7sx6yy357uc6jcjtknce43r6nivq3nktwjgidfa._file
Verdict:
malicious
Similar samples:
00a8a8cf766ce7534d2a94bd8e8863dfd5b87e930bac3d3171ae58be6846a2a4
Stealc
0d01a9c7bf8858e1bc927a133b35114d58aa3d2a75cf61717377605def49e694
Stealc
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:stealc discovery dropper evasion loader persistence rootkit spyware stealer trojan upx
Link:
https://tria.ge/reports/240130-elscfsgae7/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
NSIS installer
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMon driver.
Manipulates WinMonFS driver.
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Registers COM server for autorun
UPX packed file
Unexpected DNS network traffic destination
Windows security modification
Checks BIOS information in registry
Checks computer location settings
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Modifies boot configuration data using bcdedit
Glupteba
Glupteba payload
Modifies Windows Defender Real-time Protection settings
Stealc
UAC bypass
Windows security bypass
Malware Config
C2 Extraction:
http://185.172.128.79
Unpacked files
SH256 hash:
fb2b3cee6ed4ce327e57f631befe82f24499a9a227371f351586daa9d92640ca
MD5 hash:
c310ac6a7b8f06439364ce1e2e9d5453
SHA1 hash:
cae022f0f97d0603b19f03b20051fa1c965e5955
Link:
https://www.unpac.me/results/c1c8a66b-496a-4442-943c-a4af4563c160/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fb2b3cee6ed4ce327e57f631befe82f24499a9a227371f351586daa9d92640ca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe fb2b3cee6ed4ce327e57f631befe82f24499a9a227371f351586daa9d92640ca

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2743800/
  
URLhaus
https://urlhaus.abuse.ch/url/2738073/
Cape
Cape
https://www.capesandbox.com/analysis/473541/

Comments