MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff5e995f1c2441adff9759b8ee589e90744758fdc40f1b8eccf02562eb708cb1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 16

Intelligence 16 IOCs YARA 3 File information Comments

SHA256 hash:	ff5e995f1c2441adff9759b8ee589e90744758fdc40f1b8eccf02562eb708cb1
SHA3-384 hash:	59aec02d4011914f76a63311dc0f2258588e208a207f6a06cbfc93e2dec1218fa8e724333834bfca88d0d0a5cf63345b
SHA1 hash:	d309b0c8e75607227ecec54751d2d39fc28a53f6
MD5 hash:	f6ff71e3e89cec658f861cabe1b8c70b
humanhash:	princess-delaware-six-texas
File name:	file
Download:	download sample
Signature	Stealc Create hunting rule
File size:	505'344 bytes
First seen:	2024-10-07 15:21:08 UTC
Last seen:	2024-10-07 16:22:11 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	d10af643340e1121562abe3e6bd5b0e1 (14 x Stealc, 13 x LummaStealer, 9 x Vidar)
ssdeep	12288:Gtl9sitPVqzv/PvoezVVUXDF2tSoa8hQavVKI4S:GGitIPFzIFRoa87MJ
TLSH	T162B4F11571C1C072D973153257F0DAB89A3EBCB14F96AEDF63841BAE4F30290DA219A7
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4504/4/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	Bitsight
Tags:	exe Stealc

Bitsight

url: http://nsdm.cumpar-auto-orice-tip.ro/ldms/956d73b7f041.exe#default15st

Intelligence

File Origin

# of uploads :

# of downloads :

356

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2024-10-07 15:26:19 UTC

Tags:

stealer stealc

Link:

https://app.any.run/tasks/3239258e-d974-4281-bdab-2196a94dfe0d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.19877.25178.UNOFFICIAL

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6703fc9bebeac9e680513ab7

Tags:

Malware

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

epmicrosoft_visual_cc fingerprint microsoft_visual_cc packed stealc

Link:

https://www.filescan.io/uploads/6703fc9b06f0c2314b42b082/reports/e54e209d-365f-4813-aaaa-30c59bb1678f/overview

Verdict:

Malicious

Labled as:

Mikey.Generic

Link:

https://www.hybrid-analysis.com/sample/ff5e995f1c2441adff9759b8ee589e90744758fdc40f1b8eccf02562eb708cb1

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Stealc

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4e0f6b41-c4c4-4997-9740-c5585307ff2b

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ff5e995f1c2441adff9759b8ee589e90744758fdc40f1b8eccf02562eb708cb1

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ff5e995f1c2441adff9759b8ee589e90744758fdc40f1b8eccf02562eb708cb1/

Threat name:

Win32.Spyware.Marsstealer

Status:

Malicious

First seen:

2024-10-07 15:22:08 UTC

File Type:

PE (Exe)

AV detection:

20 of 24 (83.33%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=75pjsxy4era2374xlg4o4we6sb2eowh5yqhrxdwm6aswf23qrsyq._file

Verdict:

malicious

Label(s):

stealc

Similar samples:

error

Stealc

Result

Malware family:

stealc

Score:

10/10

Tags:

family:stealc botnet:default6_doz credential_access discovery spyware stealer

Link:

https://tria.ge/reports/241007-srwtqazbkq/

Behaviour

Checks processor information in registry

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Unsecured Credentials: Credentials In Files

Downloads MZ/PE file

Stealc

Malware Config

C2 Extraction:

http://62.204.41.150

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/27e2df6a-564a-4d90-905b-91592bbae67e

Unpacked files

SH256 hash:

29e7e1c1e1a7e5f26f6961d8036cdd04ee4557dec0a7dcadcd8e7651f5e53f43

MD5 hash:

2ec23e83e2f63ab27c25741b1f4d7f49

SHA1 hash:

bb231b274bd66393fa830a44e6d4447d4399eeb9

Link:

https://www.unpac.me/results/a4b583f8-1e94-4523-8b8e-4da49a864e04/

SH256 hash:

d74a0b6cfe6826f29ed8ecc849927fbe89a9063b03f8482a8cdbdaa9ec49b1d8

MD5 hash:

ed0268f707a1c27d8001d81364ea112e

SHA1 hash:

b4d5b6752545a12cf119cb12def209c0f269cb3c

Detections:

stealc

Link:

https://www.unpac.me/results/a4b583f8-1e94-4523-8b8e-4da49a864e04/

Parent samples :

ff5e995f1c2441adff9759b8ee589e90744758fdc40f1b8eccf02562eb708cb1
548617ec6305c654f71be990786ad737c3fce173e319c78f78d074589f72dbdc
5501120627d6aa86b043d6ca51b3bb2dffeb44a8c0cf6f153d6fdf550d76690f
11cb48154b2285d427e5f3bff51c1dde9f59a8b8cfd04fa4d3d3f6e4b0124d44
f2f1a93d30d38fbe7b271d9c9b173b18b98e32c3424e62808112411fb05c32b7
483630a3d6adf62dde884e2480de1c5e939e8f070c0f734149957be4a17b460f

SH256 hash:

ff5e995f1c2441adff9759b8ee589e90744758fdc40f1b8eccf02562eb708cb1

MD5 hash:

f6ff71e3e89cec658f861cabe1b8c70b

SHA1 hash:

d309b0c8e75607227ecec54751d2d39fc28a53f6

Link:

https://www.unpac.me/results/a4b583f8-1e94-4523-8b8e-4da49a864e04/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ff5e995f1c2441adff9759b8ee589e90744758fdc40f1b8eccf02562eb708cb1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

exe ff5e995f1c2441adff9759b8ee589e90744758fdc40f1b8eccf02562eb708cb1

(this sample)

Dropped by

Privateloader

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3219205/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineA KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::AttachConsole KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleOutputCP KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample