MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe6856277fcc9a0a01800e69ddcefc09c72bb4fab3f5e4aeec3ab3918fadc1dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fe6856277fcc9a0a01800e69ddcefc09c72bb4fab3f5e4aeec3ab3918fadc1dd
SHA3-384 hash: cbffc285e8ac58bbb03553234f75ad73949a8856ecccf58669d15a1836c6c0571bda6efba617e86f2ee356514014d227
SHA1 hash: 9136b48388668e3970fe983c5445de080b6669e3
MD5 hash: 759fbd89231d2e97242f37e0266663f7
humanhash: shade-ack-pennsylvania-skylark
File name:file
Download: download sample
Signature Stealc
Create hunting rule
File size:1'768'960 bytes
First seen:2024-11-19 01:15:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 24576:+RzYfWqI9zJ9mcDlFkQK9ZKTJdz3+qBBJzUMSlDQEVB2KsYZw2olUUzVodYtD:+RSsNFQg/nm3iCBRsDr7
TLSH T1918533A7695E2B91D1764CB5D33F6585FD302FFB4F0B4170698B68A047C82BB22F2602
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter Bitsight
Tags:exe Stealc


Avatar
Bitsight
url: http://185.215.113.16/steam/random.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
447
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-11-19 01:16:19 UTC
Tags:
stealer stealc
Link:
https://app.any.run/tasks/baa6a74c-5b7a-461e-bada-2bce038763ea

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.8036.31367.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=673be7cc80d21948b032b490
Tags:
vmdetect spam
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Running batch commands
Creating a process with a hidden window
Launching a process
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/673be6d4823321d628c1ba20/reports/e54c4aa0-2c6e-4541-a3a8-0bcf8ad3335a/overview
Verdict:
Malicious
Labled as:
Symmi.Generic
Link:
https://www.hybrid-analysis.com/sample/fe6856277fcc9a0a01800e69ddcefc09c72bb4fab3f5e4aeec3ab3918fadc1dd
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/df7d7db1-ae21-4503-b5b1-be14d84062ef
Result
Threat name:
LummaC, Amadey, Credential Flusher, Lumm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1558127
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
Modifies windows update settings
Monitors registry run keys for changes
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Potentially malicious time measurement code found
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1558127 Sample: file.exe Startdate: 19/11/2024 Architecture: WINDOWS Score: 100 97 peepburry828.sbs 2->97 99 p3ar11fter.sbs 2->99 101 23 other IPs or domains 2->101 131 Multi AV Scanner detection for domain / URL 2->131 133 Suricata IDS alerts for network traffic 2->133 135 Found malware configuration 2->135 137 15 other signatures 2->137 9 skotes.exe 2->9         started        14 file.exe 37 2->14         started        16 de1c440526.exe 2->16         started        18 5 other processes 2->18 signatures3 process4 dnsIp5 117 185.215.113.43 WHOLESALECONNECTIONSNL Portugal 9->117 119 31.41.244.11 AEROEXPRESS-ASRU Russian Federation 9->119 79 C:\Users\user\AppData\...\3ec1be623e.exe, PE32 9->79 dropped 81 C:\Users\user\AppData\...\be503e2209.exe, PE32 9->81 dropped 83 C:\Users\user\AppData\...\c7e6988861.exe, PE32 9->83 dropped 91 6 other malicious files 9->91 dropped 173 Creates multiple autostart registry keys 9->173 175 Hides threads from debuggers 9->175 177 Tries to detect sandboxes / dynamic malware analysis system (registry check) 9->177 20 3ec1be623e.exe 9->20         started        23 de1c440526.exe 9->23         started        26 c7e6988861.exe 9->26         started        37 2 other processes 9->37 121 185.215.113.16, 49862, 80 WHOLESALECONNECTIONSNL Portugal 14->121 123 185.215.113.206, 49704, 49723, 49772 WHOLESALECONNECTIONSNL Portugal 14->123 125 127.0.0.1 unknown unknown 14->125 85 C:\Users\user\DocumentsAAKKFHCFIE.exe, PE32 14->85 dropped 87 C:\Users\user\AppData\...\softokn3[1].dll, PE32 14->87 dropped 89 C:\Users\user\AppData\Local\...\random[1].exe, PE32 14->89 dropped 93 12 other files (1 malicious) 14->93 dropped 179 Detected unpacking (changes PE section rights) 14->179 181 Attempt to bypass Chrome Application-Bound Encryption 14->181 183 Drops PE files to the document folder of the user 14->183 187 9 other signatures 14->187 28 cmd.exe 14->28         started        30 msedge.exe 2 10 14->30         started        32 chrome.exe 8 14->32         started        127 p10tgrace.sbs 104.21.0.92 CLOUDFLARENETUS United States 16->127 129 3 other IPs or domains 16->129 185 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 16->185 34 firefox.exe 18->34         started        39 5 other processes 18->39 file6 signatures7 process8 dnsIp9 139 Multi AV Scanner detection for dropped file 20->139 141 Detected unpacking (changes PE section rights) 20->141 143 Modifies windows update settings 20->143 163 3 other signatures 20->163 103 librari-night.sbs 104.21.85.146 CLOUDFLARENETUS United States 23->103 111 2 other IPs or domains 23->111 145 Query firmware table information (likely to detect VMs) 23->145 147 Tries to evade debugger and weak emulator (self modifying code) 23->147 149 Hides threads from debuggers 23->149 151 LummaC encrypted strings found 23->151 153 Tries to detect sandboxes and other dynamic analysis tools (window names) 26->153 155 Tries to detect sandboxes / dynamic malware analysis system (registry check) 26->155 157 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 26->157 41 DocumentsAAKKFHCFIE.exe 28->41         started        45 conhost.exe 28->45         started        159 Monitors registry run keys for changes 30->159 47 msedge.exe 30->47         started        105 192.168.2.5, 443, 49703, 49704 unknown unknown 32->105 107 239.255.255.250 unknown Reserved 32->107 49 chrome.exe 32->49         started        113 6 other IPs or domains 34->113 75 C:\Users\user\AppData\...\places.sqlite-wal, SQLite 34->75 dropped 58 2 other processes 34->58 109 home.fvtejj5vs.top 62.76.234.151 SUPERSERVERSDATACENTERRU Russian Federation 37->109 161 Binary is likely a compiled AutoIt script file 37->161 52 taskkill.exe 37->52         started        54 taskkill.exe 37->54         started        60 4 other processes 37->60 115 8 other IPs or domains 39->115 56 conhost.exe 39->56         started        file10 signatures11 process12 dnsIp13 77 C:\Users\user\AppData\Local\...\skotes.exe, PE32 41->77 dropped 165 Detected unpacking (changes PE section rights) 41->165 167 Tries to evade debugger and weak emulator (self modifying code) 41->167 169 Tries to detect virtualization through RDTSC time measurements 41->169 171 4 other signatures 41->171 62 skotes.exe 41->62         started        95 www.google.com 142.250.186.68, 443, 49706, 49707 GOOGLEUS United States 49->95 65 conhost.exe 52->65         started        67 conhost.exe 54->67         started        69 conhost.exe 60->69         started        71 conhost.exe 60->71         started        73 conhost.exe 60->73         started        file14 signatures15 process16 signatures17 189 Detected unpacking (changes PE section rights) 62->189 191 Tries to evade debugger and weak emulator (self modifying code) 62->191 193 Hides threads from debuggers 62->193 195 2 other signatures 62->195
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/fe6856277fcc9a0a01800e69ddcefc09c72bb4fab3f5e4aeec3ab3918fadc1dd
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fe6856277fcc9a0a01800e69ddcefc09c72bb4fab3f5e4aeec3ab3918fadc1dd/
Threat name:
Win32.Spyware.Stealc
Create hunting rule
Status:
Malicious
First seen:
2024-11-19 01:16:07 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
22 of 38 (57.89%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7zufmj37zsnauamabzu53tx4bhdsxnh2wp26jlxmhkzzdd5nyhoq._file
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:stealc botnet:mars discovery evasion stealer
Link:
https://tria.ge/reports/241119-bms4layalc/
Behaviour
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Stealc
Stealc family
Malware Config
C2 Extraction:
http://185.215.113.206
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/32629c30-9971-4844-b63c-a1927cb27982
Unpacked files
SH256 hash:
c469c2231db0579808854a38834f0d624176b4dbbfc4325a2b8cefe45aa7ab4a
MD5 hash:
faa4c782582ea03d3abb20362611c653
SHA1 hash:
16db6d247633f2e67b4ad078e25c3dbd521a53d3
Detections:
win_stealc_w0
Create hunting rule
win_stealc_a0
Create hunting rule
Link:
https://www.unpac.me/results/3f9d8824-75b6-46a2-bfb2-1dcc1cbe6b84/
SH256 hash:
fe6856277fcc9a0a01800e69ddcefc09c72bb4fab3f5e4aeec3ab3918fadc1dd
MD5 hash:
759fbd89231d2e97242f37e0266663f7
SHA1 hash:
9136b48388668e3970fe983c5445de080b6669e3
Link:
https://www.unpac.me/results/3f9d8824-75b6-46a2-bfb2-1dcc1cbe6b84/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fe6856277fcc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe fe6856277fcc9a0a01800e69ddcefc09c72bb4fab3f5e4aeec3ab3918fadc1dd

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3273391/
  
URLhaus
https://urlhaus.abuse.ch/url/3279845/
  
URLhaus
https://urlhaus.abuse.ch/url/3284801/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments