stealc | 9d385acb88418f0b5e28ac0ff023700355d29841efb02e67c47ce96882a87f11 | Triage

Submit
Reports

Overview

overview

Static

static

3

EaseUSData...or.exe

windows7-x64

EaseUSData...or.exe

windows10-2004-x64

Sharing

General

Target

EaseUSDataRecoveryWizardActivator.exe
Size

2.4MB
Sample

250109-xdnneazkdr
MD5

5b6a5176c441f4241780d4d3dede7b65
SHA1

02c1d8cc96e2898510737e48f573214355d96c7e
SHA256

9d385acb88418f0b5e28ac0ff023700355d29841efb02e67c47ce96882a87f11
SHA512

2a91d5a83011a739853d6617b50a2354945ea0d59f7679feee088fd6e007448bb423266cedb51efb92203bc39203cb8091d33d95b03fcaf42dc571e9cdb53a00
SSDEEP

49152:MDkUrkydBe7+nHcKlc2mZb5hOQYzpsc9FAXiBlYQQCXizyjW9NUKW+SGf5s8ZPn:M4UF8KlJm15h+lz9qmlY0iuy/7WlGfWO

Score

10^/10

stealc default discovery evasion stealer themida trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

EaseUSDataRecoveryWizardActivator.exe

Resource

win7-20240903-en

stealc default discovery evasion stealer themida trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

EaseUSDataRecoveryWizardActivator.exe

Resource

win10v2004-20241007-en

stealc default discovery evasion stealer themida trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

stealc

Botnet

default

C2

http://212.118.37.224

Attributes

url_path
/bad9416e2db99d17.php

rc4.plain

Targets

- Target
  
  EaseUSDataRecoveryWizardActivator.exe
- Size
  
  2.4MB
- MD5
  
  5b6a5176c441f4241780d4d3dede7b65
- SHA1
  
  02c1d8cc96e2898510737e48f573214355d96c7e
- SHA256
  
  9d385acb88418f0b5e28ac0ff023700355d29841efb02e67c47ce96882a87f11
- SHA512
  
  2a91d5a83011a739853d6617b50a2354945ea0d59f7679feee088fd6e007448bb423266cedb51efb92203bc39203cb8091d33d95b03fcaf42dc571e9cdb53a00
- SSDEEP
  
  49152:MDkUrkydBe7+nHcKlc2mZb5hOQYzpsc9FAXiBlYQQCXizyjW9NUKW+SGf5s8ZPn:M4UF8KlJm15h+lz9qmlY0iuy/7WlGfWO
Score

10^/10

stealc default discovery evasion stealer themida trojan
- Detects Stealc stealer
  stealer
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Stealc family
  stealc
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

stealcdefaultdiscoveryevasionstealerthemidatrojan

behavioral2

stealcdefaultdiscoveryevasionstealerthemidatrojan

© 2018-2025

Terms | Privacy