Sample name: | KEQprG0zDB.exerenamed because original name is a hash value |
Original sample name: | 2bef62a4bc86df703a49213669930fdd.exe |
Analysis ID: | 1486292 |
MD5: | 2bef62a4bc86df703a49213669930fdd |
SHA1: | 324765a6ccfb701f000ff5c18f2ca2bb854cd56c |
SHA256: | efdeaa058c81942dcc35baea02ca59df41043d6fab19b8a5d26c3bacc584a2d3 |
Tags: | exeStealc |
Infos: | |
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Stealc | Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. | No Attribution |
|
AV Detection |
---|
Source: |
Avira: |
Source: |
Avira URL Cloud: |
||
Source: |
Avira URL Cloud: |
||
Source: |
Avira URL Cloud: |
||
Source: |
Avira URL Cloud: |
||
Source: |
Avira URL Cloud: |
||
Source: |
Avira URL Cloud: |
||
Source: |
Avira URL Cloud: |
||
Source: |
Avira URL Cloud: |
||
Source: |
Avira URL Cloud: |
||
Source: |
Avira URL Cloud: |
||
Source: |
Avira URL Cloud: |
||
Source: |
Avira URL Cloud: |
||
Source: |
Avira URL Cloud: |
||
Source: |
Avira URL Cloud: |
||
Source: |
Avira URL Cloud: |
||
Source: |
Avira URL Cloud: |
||
Source: |
Avira URL Cloud: |
||
Source: |
Avira URL Cloud: |
||
Source: |
Avira URL Cloud: |
||
Source: |
Avira URL Cloud: |
||
Source: |
Avira URL Cloud: |
||
Source: |
Avira URL Cloud: |
||
Source: |
Avira URL Cloud: |
||
Source: |
Avira URL Cloud: |
||
Source: |
Avira URL Cloud: |
||
Source: |
Avira URL Cloud: |
||
Source: |
Avira URL Cloud: |
||
Source: |
Avira URL Cloud: |
||
Source: |
Avira URL Cloud: |
||
Source: |
Avira URL Cloud: |
||
Source: |
Avira URL Cloud: |
||
Source: |
Avira URL Cloud: |
||
Source: |
Avira URL Cloud: |
||
Source: |
Avira URL Cloud: |
||
Source: |
Avira URL Cloud: |
||
Source: |
Avira URL Cloud: |
||
Source: |
Avira URL Cloud: |
||
Source: |
Avira URL Cloud: |
||
Source: |
Avira URL Cloud: |
||
Source: |
Avira URL Cloud: |
||
Source: |
Avira URL Cloud: |
||
Source: |
Avira URL Cloud: |
Source: |
Malware Configuration Extractor: |
Source: |
ReversingLabs: |
Source: |
Integrated Neural Analysis Model: |
Source: |
Joe Sandbox ML: |
Source: |
Code function: |
5_2_00409BB0 | |
Source: |
Code function: |
5_2_00418940 | |
Source: |
Code function: |
5_2_0040C660 | |
Source: |
Code function: |
5_2_00407280 | |
Source: |
Code function: |
5_2_00409B10 |
Source: |
Static PE information: |
Source: |
HTTPS traffic detected: |
Source: |
Static PE information: |
Source: |
Binary string: |
||
Source: |
Binary string: |
||
Source: |
Binary string: |
||
Source: |
Binary string: |
||
Source: |
Binary string: |
||
Source: |
Binary string: |
||
Source: |
Binary string: |
||
Source: |
Binary string: |
||
Source: |
Binary string: |
||
Source: |
Binary string: |
||
Source: |
Binary string: |
||
Source: |
Binary string: |
Source: |
Code function: |
5_2_0040BCB0 | |
Source: |
Code function: |
5_2_0040E270 | |
Source: |
Code function: |
5_2_0040DC50 | |
Source: |
Code function: |
5_2_00414050 | |
Source: |
Code function: |
5_2_0040D8C0 | |
Source: |
Code function: |
5_2_0040F4F0 | |
Source: |
Code function: |
5_2_004139B0 | |
Source: |
Code function: |
5_2_0040EB60 | |
Source: |
Code function: |
5_2_00401710 | |
Source: |
Code function: |
5_2_004133C0 | |
Source: |
Code function: |
5_2_004143F0 |
Source: |
File opened: |
Jump to behavior | ||
Source: |
File opened: |
Jump to behavior | ||
Source: |
File opened: |
Jump to behavior | ||
Source: |
File opened: |
Jump to behavior | ||
Source: |
File opened: |
Jump to behavior | ||
Source: |
File opened: |
Jump to behavior |
Source: |
Code function: |
0_2_05E78540 | |
Source: |
Code function: |
0_2_05E7CF00 | |
Source: |
Code function: |
0_2_05E775D1 | |
Source: |
Code function: |
0_2_05E775D8 | |
Source: |
Code function: |
0_2_05E78530 | |
Source: |
Code function: |
0_2_05E786E4 | |
Source: |
Code function: |
0_2_05E7CF00 | |
Source: |
Code function: |
0_2_05E8F4C0 | |
Source: |
Code function: |
0_2_05E8F4D0 | |
Source: |
Code function: |
0_2_05E8E988 | |
Source: |
Code function: |
0_2_05E8E998 | |
Source: |
Code function: |
0_2_0606D490 |
Networking |
---|
Source: |
URLs: |
Source: |
HTTP traffic detected: |