Edit tour
Windows
Analysis Report
file.exe
Overview
General Information
| Sample name: | file.exe |
| Analysis ID: | 1522474 |
| MD5: | 1bec0616f2e4dc133175566d1c6bd6dd |
| SHA1: | 1db3b4a88ebc6bf86669f24020b425d0b257f48f |
| SHA256: | 8ffc2aa27b84ed0736d57be8b45dcc56c817d404b8c4904e795dc51861d281f4 |
| Tags: | exeuser-Bitsight |
| Infos: |   |
 | |
Detection
Stealc
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the user directory
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Suricata IDS alerts with low severity for network traffic
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Classification
- System is w10x64
file.exe (PID: 6784 cmdline: "C:\Users\ user\Deskt op\file.ex e" MD5: 1BEC0616F2E4DC133175566D1C6BD6DD) 
cmd.exe (PID: 1908 cmdline: "C:\Window s\System32 \cmd.exe" /c move Ta ken Taken. bat & Take n.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 4996 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
tasklist.exe (PID: 5496 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1) - findstr.exe (PID: 480 cmdline:
findstr /I "wrsa ops svc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) - tasklist.exe (PID: 6452 cmdline:
tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1) - findstr.exe (PID: 5444 cmdline:
findstr /I "avastui avgui bdse rvicehost nswscsvc s ophoshealt h" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) - cmd.exe (PID: 5344 cmdline:
cmd /c md 87551 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - findstr.exe (PID: 3300 cmdline:
findstr /V "developm entplainti ffdisturbe dconstruct ion" Flesh MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) - cmd.exe (PID: 5472 cmdline:
cmd /c cop y /b ..\Ho rizontal + ..\Compar isons + .. \Evolution + ..\Frog + ..\Coul d + ..\Pro fessor + . .\Prospect p MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) 
Milfs.pif (PID: 6524 cmdline: Milfs.pif p MD5: 18CE19B57F43CE0A5AF149C96AECC685) - cmd.exe (PID: 6744 cmdline:
"C:\Window s\system32 \cmd.exe" /c start " " "C:\User s\user\Doc umentsFCFB GIDAEH.exe " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 5912 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - DocumentsFCFBGIDAEH.exe (PID: 4852 cmdline:
"C:\Users\ user\Docum entsFCFBGI DAEH.exe" MD5: C52E326B3E71B7930CF6B314D1FA1CFF) - cmd.exe (PID: 6216 cmdline:
"C:\Window s\System32 \cmd.exe" /C ping 2. 2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\ user\Docum entsFCFBGI DAEH.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 6220 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - PING.EXE (PID: 6440 cmdline:
ping 2.2.2 .2 -n 1 -w 3000 MD5: B3624DD758CCECF93A1226CEF252CA12) - choice.exe (PID: 5480 cmdline:
choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Stealc | Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. | No Attribution |
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Stealc | Yara detected Stealc | Joe Security | ||
| JoeSecurity_Stealc | Yara detected Stealc | Joe Security | ||
| JoeSecurity_Stealc | Yara detected Stealc | Joe Security | ||
| JoeSecurity_Stealc | Yara detected Stealc | Joe Security | ||
| JoeSecurity_Stealc | Yara detected Stealc | Joe Security | ||
| Click to see the 7 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
| Source: | Author: Max Altgelt (Nextron Systems): | ||
HIPS / PFW / Operating System Protection Evasion |   |
|---|
| Source: | Author: Joe Security: | ||
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-09-30T08:19:15.402650+0200 | 2044245 | 1 | Malware Command and Control Activity Detected | 62.204.41.159 | 80 | 192.168.2.4 | 49737 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-09-30T08:19:15.396317+0200 | 2044244 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49737 | 62.204.41.159 | 80 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-09-30T08:19:15.622416+0200 | 2044246 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49737 | 62.204.41.159 | 80 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-09-30T08:19:27.851134+0200 | 2044249 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49737 | 62.204.41.159 | 80 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-09-30T08:19:16.401883+0200 | 2044248 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49737 | 62.204.41.159 | 80 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-09-30T08:19:15.676224+0200 | 2044247 | 1 | Malware Command and Control Activity Detected | 62.204.41.159 | 80 | 192.168.2.4 | 49737 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-09-30T08:19:15.171978+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49737 | 62.204.41.159 | 80 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-09-30T08:19:16.623240+0200 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49737 | 62.204.41.159 | 80 | TCP |
| 2024-09-30T08:19:20.585409+0200 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49737 | 62.204.41.159 | 80 | TCP |
| 2024-09-30T08:19:21.781113+0200 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49737 | 62.204.41.159 | 80 | TCP |
| 2024-09-30T08:19:22.459923+0200 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49737 | 62.204.41.159 | 80 | TCP |
| 2024-09-30T08:19:22.984351+0200 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49737 | 62.204.41.159 | 80 | TCP |
| 2024-09-30T08:19:24.973056+0200 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49737 | 62.204.41.159 | 80 | TCP |
| 2024-09-30T08:19:25.826327+0200 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49737 | 62.204.41.159 | 80 | TCP |
| 2024-09-30T08:19:27.487622+0200 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49738 | 176.113.115.187 | 80 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_004062D5 | |
| Source: | Code function: | 0_2_00402E18 | |
| Source: | Code function: | 0_2_00406C9B | |
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Process created: | ||
| Source: | HTTP traffic detected: | ||