MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc0648345e4be061ff4ec08d72c7210afa00a8ff3c490dd0e4f023474e87bef9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fc0648345e4be061ff4ec08d72c7210afa00a8ff3c490dd0e4f023474e87bef9
SHA3-384 hash: 22c9655acd8efed07af62cc6bd0d6ed727f303c2d92b98bfd40270e87bb04dd0f3a9425363e36d7389ec0724d5b6c2fa
SHA1 hash: 7b3a38f9c9147777d8eb4fcd7e2a4ee9f1ed603b
MD5 hash: 18c080da924c7c61a4fc41c49d8424e4
humanhash: batman-illinois-angel-zebra
File name:file
Download: download sample
Signature Stealc
Create hunting rule
File size:1'122'304 bytes
First seen:2023-11-02 01:17:30 UTC
Last seen:2023-11-02 11:54:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:Xl15z+hCSWMpBFmVQ8vYdfuDcBP2/nYDOQDW7MF4:XCT9BGY4gBP2/2vW7MF4
Threatray 1 similar samples on MalwareBazaar
TLSH T1F2352335EAF86646C15886F44D28A7B42B7BB0331513FB5E8C8DF1C4747A3968EC25A3
TrID 35.4% (.EXE) Win64 Executable (generic) (10523/12/4)
22.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.1% (.EXE) Win32 Executable (generic) (4505/5/1)
6.9% (.ICL) Windows Icons Library (generic) (2059/9)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter andretavare5
Tags:exe Stealc


Avatar
andretavare5
Sample downloaded from http://171.22.28.221/files/Ads.exe

Intelligence

File Origin
# of uploads :
7
# of downloads :
340
Origin country :
US US
Vendor Threat Intelligence
Malware family:
arkei
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-11-02 01:34:21 UTC
Tags:
loader stealer arkei vidar privateloader evasion opendir risepro stealc redline ransomware stop smoke sinkhole
Link:
https://app.any.run/tasks/a5a21a3f-99ef-4dde-af46-0e5b06541c53

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/457728/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2509.27514.23337.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Connecting to a non-recommended domain
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Searching for synchronization primitives
Launching the process to interact with network services
Running batch commands
Blocking the User Account Control
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6542f8cd798f2840e4d2f703/reports/146cb4fc-9d8c-4f00-b0e0-5ca19e0fb9d3/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/fc0648345e4be061ff4ec08d72c7210afa00a8ff3c490dd0e4f023474e87bef9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Upgdsed
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4d3d9167-0e04-4c57-bd57-45b632b04c78
Result
Threat name:
Amadey, Glupteba, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.adwa.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1335790
Signature
.NET source code contains process injector
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables UAC (registry)
Drops script or batch files to the startup folder
Found evasive API chain checking for user administrative privileges
Found malware configuration
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Modifies the hosts file
Modifies Windows Defender protection settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Writes many files with high entropy
Yara detected Amadeys stealer DLL
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1335790 Sample: file.exe Startdate: 02/11/2023 Architecture: WINDOWS Score: 100 209 Multi AV Scanner detection for domain / URL 2->209 211 Found malware configuration 2->211 213 Malicious sample detected (through community Yara rule) 2->213 215 17 other signatures 2->215 12 file.exe 2 4 2->12         started        15 svchost.exe 1 1 2->15         started        18 powershell.exe 2->18         started        process3 dnsIp4 251 Adds a directory exclusion to Windows Defender 12->251 253 Disables UAC (registry) 12->253 20 AddInProcess32.exe 15 189 12->20         started        25 powershell.exe 23 12->25         started        27 CasPol.exe 12->27         started        169 2.17.5.164 AKAMAI-ASUS European Union 15->169 171 127.0.0.1 unknown unknown 15->171 29 conhost.exe 18->29         started        signatures5 process6 dnsIp7 163 95.214.26.28 CMCSUS Germany 20->163 165 107.167.110.216 OPERASOFTWAREUS United States 20->165 167 16 other IPs or domains 20->167 131 C:\Users\...\yq2KcLZPhQNyls3qnVpCId7N.exe, PE32 20->131 dropped 133 C:\Users\...\xo8fK67g6W3HkbTeHwB1dhMj.exe, PE32 20->133 dropped 135 C:\Users\...\wzeVf5ChRqwTJfrot4SowdNh.exe, PE32 20->135 dropped 137 145 other malicious files 20->137 dropped 241 Drops script or batch files to the startup folder 20->241 243 Creates HTML files with .exe extension (expired dropper behavior) 20->243 245 Writes many files with high entropy 20->245 31 0u61pw6tfl952CvBXC1sDhpE.exe 20->31         started        36 pgRYbSAwi2iy3krNaeXfuh4S.exe 20->36         started        38 Dosk1av7oMOEvfVbFFJCIhps.exe 20->38         started        42 11 other processes 20->42 40 conhost.exe 25->40         started        file8 signatures9 process10 dnsIp11 173 107.167.110.211 OPERASOFTWAREUS United States 31->173 175 107.167.110.217 OPERASOFTWAREUS United States 31->175 181 6 other IPs or domains 31->181 99 Opera_installer_2311020118585177724.dll, PE32 31->99 dropped 101 C:\Users\user\AppData\Local\...\opera_package, PE32 31->101 dropped 113 5 other malicious files 31->113 dropped 191 Writes many files with high entropy 31->191 193 Found evasive API chain checking for user administrative privileges 31->193 44 0u61pw6tfl952CvBXC1sDhpE.exe 31->44         started        47 0u61pw6tfl952CvBXC1sDhpE.exe 31->47         started        49 0u61pw6tfl952CvBXC1sDhpE.exe 31->49         started        195 Detected unpacking (changes PE section rights) 36->195 197 Contains functionality to inject code into remote processes 36->197 199 Injects a PE file into a foreign processes 36->199 51 pgRYbSAwi2iy3krNaeXfuh4S.exe 36->51         started        103 C:\Users\user\AppData\Local\...\Install.exe, PE32 38->103 dropped 105 C:\Users\user\AppData\Local\...\config.txt, data 38->105 dropped 54 Install.exe 38->54         started        177 107.167.110.218 OPERASOFTWAREUS United States 42->177 179 104.21.38.126 CLOUDFLARENETUS United States 42->179 107 Opera_installer_2311020119117797536.dll, PE32 42->107 dropped 109 C:\Users\user\AppData\Local\Temp\Broom.exe, PE32 42->109 dropped 111 C:\Users\user\AppData\Local\...\Install.exe, PE32 42->111 dropped 115 6 other malicious files 42->115 dropped 201 Detected unpacking (overwrites its own PE header) 42->201 203 Found Tor onion address 42->203 205 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 42->205 207 2 other signatures 42->207 56 Broom.exe 42->56         started        58 vegL1Dwq8q5mesGrruc2REHh.exe 42->58         started        60 vegL1Dwq8q5mesGrruc2REHh.exe 42->60         started        62 2 other processes 42->62 file12 signatures13 process14 file15 139 Opera_installer_2311020119014348148.dll, PE32 44->139 dropped 141 C:\Users\user\AppData\...\win8_importing.dll, PE32+ 44->141 dropped 143 C:\Users\user\...\win10_share_handler.dll, PE32+ 44->143 dropped 155 19 other malicious files 44->155 dropped 64 0u61pw6tfl952CvBXC1sDhpE.exe 44->64         started        145 Opera_installer_2311020118593137848.dll, PE32 47->145 dropped 147 Opera_installer_2311020119001378048.dll, PE32 49->147 dropped 217 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 51->217 219 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 51->219 221 Maps a DLL or memory area into another process 51->221 225 2 other signatures 51->225 67 explorer.exe 51->67 injected 149 C:\Users\user\AppData\Local\...\Install.exe, PE32 54->149 dropped 71 Install.exe 54->71         started        223 Multi AV Scanner detection for dropped file 56->223 151 Opera_installer_2311020119131827664.dll, PE32 58->151 dropped 153 Opera_installer_2311020119159338268.dll, PE32 60->153 dropped signatures16 process17 dnsIp18 117 Opera_installer_2311020119025627380.dll, PE32 64->117 dropped 157 190.139.250.133 TelecomArgentinaSAAR Argentina 67->157 159 103.152.79.123 TWIDC-AS-APTWIDCLimitedHK unknown 67->159 161 185.196.9.171 SIMPLECARRIERCH Switzerland 67->161 119 C:\Users\user\AppData\Roaming\jgfgrer, PE32 67->119 dropped 121 C:\Users\user\AppData\Local\Temp389.exe, PE32 67->121 dropped 123 C:\Users\user\AppData\Local\Temp\76C4.exe, PE32 67->123 dropped 129 2 other malicious files 67->129 dropped 227 System process connects to network (likely due to code injection or exploit) 67->227 229 Benign windows process drops PE files 67->229 231 Hides that the sample has been downloaded from the Internet (zone.identifier) 67->231 73 cmd.exe 67->73         started        125 C:\Users\user\AppData\Local\...\pYKpwPa.exe, PE32 71->125 dropped 127 C:\Windows\System32behaviorgraphroupPolicy\gpt.ini, ASCII 71->127 dropped 233 Multi AV Scanner detection for dropped file 71->233 235 Modifies Windows Defender protection settings 71->235 237 Adds extensions / path to Windows Defender exclusion list 71->237 239 Modifies Group Policy settings 71->239 75 forfiles.exe 71->75         started        78 forfiles.exe 71->78         started        file19 signatures20 process21 signatures22 80 GpKou4dtvWXA7J2MVim5mWKi.exe 73->80         started        83 conhost.exe 73->83         started        247 Modifies Windows Defender protection settings 75->247 249 Adds extensions / path to Windows Defender exclusion list 75->249 85 cmd.exe 75->85         started        87 conhost.exe 75->87         started        89 cmd.exe 78->89         started        91 conhost.exe 78->91         started        process23 signatures24 183 Detected unpacking (changes PE section rights) 80->183 185 Detected unpacking (overwrites its own PE header) 80->185 187 Machine Learning detection for dropped file 80->187 93 reg.exe 85->93         started        189 Uses cmd line tools excessively to alter registry or file data 89->189 95 reg.exe 89->95         started        97 reg.exe 89->97         started        process25
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/fc0648345e4be061ff4ec08d72c7210afa00a8ff3c490dd0e4f023474e87bef9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fc0648345e4be061ff4ec08d72c7210afa00a8ff3c490dd0e4f023474e87bef9/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-11-02 01:18:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7qdeqnc6jpqgd72oycgxfrzbbl5abkh7hreq3uhe6aruotuhx34q._file
Verdict:
unknown
Similar samples:
c77aeea8df56c68cf64ac5486a0d5774a1bd8dc6f94e3fa8ae447ff78ec12ace
Stealc
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:dcrat family:glupteba family:smokeloader family:stealc botnet:pub1 backdoor discovery dropper evasion infostealer loader persistence rat spyware stealer trojan upx
Link:
https://tria.ge/reports/231102-bnyepseh3v/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Enumerates physical storage devices
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Windows security modification
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Stops running service(s)
DcRat
Glupteba
Glupteba payload
SmokeLoader
Stealc
Suspicious use of NtCreateUserProcessOtherParentProcess
UAC bypass
Windows security bypass
Malware Config
C2 Extraction:
http://host-file-host6.com/
http://host-host-file8.com/
Unpacked files
SH256 hash:
fc0648345e4be061ff4ec08d72c7210afa00a8ff3c490dd0e4f023474e87bef9
MD5 hash:
18c080da924c7c61a4fc41c49d8424e4
SHA1 hash:
7b3a38f9c9147777d8eb4fcd7e2a4ee9f1ed603b
Link:
https://www.unpac.me/results/3d9d1579-6730-4c47-af38-3bb2e3aca090/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fc0648345e4b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fc0648345e4be061ff4ec08d72c7210afa00a8ff3c490dd0e4f023474e87bef9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2721934/
Cape
Cape
https://www.capesandbox.com/analysis/457728/

Comments