File name:

file

Full analysis: https://app.any.run/tasks/9291418b-25f7-4463-b6f9-971fcadc6570
Verdict: Malicious activity
Threats:

Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests.

Malware Trends Tracker     >>>
Analysis date: October 07, 2023, 02:23:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
stealc
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

B8C27F896C4241196C357B8AAD465EA5

SHA1:

245ECB42A5834D2271D40832D911228E8D9DB132

SHA256:

545DFA973A3C7308627B21D1C230D58323BF08FDF8E0A31FDF4EFAEFD5F2FA12

SSDEEP:

49152:eLnemIiqMiEMvtHmfNQ9hVTOY3VOiRjrrywta7k11ia6w6BWziTQlpgCvFB999sL:Cn2cAtHmfNQ9hVTrFB/ywtsev8BWziTh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • file.exe (PID: 2964)
      • Vk7ut40.exe (PID: 3052)
      • xP7iJ64.exe (PID: 2688)
      • qA1pq51.exe (PID: 460)

    • Application was dropped or rewritten from another process

      • qA1pq51.exe (PID: 460)
      • xP7iJ64.exe (PID: 2688)
      • Vk7ut40.exe (PID: 3052)
      • 2GF7617.exe (PID: 416)
      • 1Nj33Fh2.exe (PID: 2728)

    • Connects to the CnC server

      • AppLaunch.exe (PID: 2972)

    • STEALC was detected

      • AppLaunch.exe (PID: 2972)

    • STEALC has been detected (YARA)

      • 2GF7617.exe (PID: 416)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • file.exe (PID: 2964)
      • qA1pq51.exe (PID: 460)
      • xP7iJ64.exe (PID: 2688)

    • Connects to the server without a host name

      • AppLaunch.exe (PID: 2972)

    • Reads the Internet Settings

      • AppLaunch.exe (PID: 2972)

  • INFO

    • Create files in a temporary directory

      • file.exe (PID: 2964)
      • qA1pq51.exe (PID: 460)
      • Vk7ut40.exe (PID: 3052)
      • AppLaunch.exe (PID: 2972)
      • xP7iJ64.exe (PID: 2688)

    • Checks supported languages

      • file.exe (PID: 2964)
      • qA1pq51.exe (PID: 460)
      • Vk7ut40.exe (PID: 3052)
      • 1Nj33Fh2.exe (PID: 2728)
      • 2GF7617.exe (PID: 416)
      • AppLaunch.exe (PID: 2972)
      • xP7iJ64.exe (PID: 2688)

    • Reads the computer name

      • 1Nj33Fh2.exe (PID: 2728)
      • AppLaunch.exe (PID: 2972)

    • Reads the machine GUID from the registry

      • 1Nj33Fh2.exe (PID: 2728)
      • AppLaunch.exe (PID: 2972)

    • Checks proxy server information

      • AppLaunch.exe (PID: 2972)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Stealc

(PID) Process(416) 2GF7617.exe
C2http://5.42.92.211/
Strings (158)#"
x32
x64
%ix%i
%ls
%ls/%ls
%ls\%ls
%ls\%ls\Local State
%ls\*
%ls\History
%ls\Local Extension Settings\%ls
%ls\Login Data
%ls\Web Data
%ls\cookies.sqlite
%ls\formhistory.sqlite
%ls\places.sqlite
%s%s
%s/%s
--%sContent-Disposition: form-data; name="%s"
..\stealer\chromiumbrowsers.cpp
..\stealer\filesgrabber.cpp
..\stealer\httpclient.cpp
..\stealer\loader.cpp
..\stealer\sqlite3.cpp
..\stealer\stealer.cpp
.dll
.exe
9375CFF0413111d3B88A00104B2A6676
=============
===============
Ablmhkr(elXel'mqm
Advapi32.dll
Autofills/%ls_%ls.txt
Available KeyboardLayouts:
Build mark:
Chromium browsers paths were retrieved
ComSpec
Command line: %ls
Config retrieved: %d, %d, %d, %d, %d, %d, %d, %d, %d, %d
Content-Type: multipart/form-data; boundary=%sContent-Length: %d
Cookies
Cookies/%ls_%ls.txt
CreditCards/%ls_%ls.txt
Current language:
DISPLAY
Default
Email
Email/Credentials.txt
Email:
EnterCritic6lSection
Expand path: %ls
Extensions were retrieved
Failed to connect to %s
Failed to download sqlite3.dll
Failed to export functions from sqlite3.dll
Failed to retrieve chromium browsers paths
Failed to retrieve files grabber paths
Files grabber paths were retrieved
FilesGrabber: Sent %ls
Find chromium cookies db %ls
Find chromium extension %ls with id %ls
Find chromium history db %ls
Find chromium login data db %ls
Find chromium web data db %ls
Find gecko autofills db %ls
Find gecko cookies db %ls
Find gecko file %ls
Find gecko history db %ls
Find steam data, path %ls
GPU:
Gdi32.dll
Gecko/%ls/%ls/%ls
Gonna gather system information
Gonna grab ChromiumBrowsers
Gonna grab files
Gonna grab steam
Gonna take screenshot
GrabFiles
HandleChromiumBrowsers
Hardwares: CPU:
History/%ls_%ls.txt
Holder:
Host:
HttpQueryInfo fails; last error: %x
IMAP Password
IP: {ip}File Location:
Init
InitializeCriticalSection
Kernel32.dll
Key:
LeaveCriticalSectin
LoadLibraryA
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Name:
Network\Cookies
Ntdll.dll
Ole32.dll
Operation System:
POST
Passwords.txt
ProductName
QBJM
RAM: %ull
Request
Retrieve rule FilesGrabber, server side path: %ls
Rstrtmgr.dll
SELECT fieldname, value FROM moz_formhistory
SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
SELECT name, value FROM autofill
SELECT origin_url, username_value, password_value FROM logins
SELECT title, url FROM moz_places
SELECT url, title FROM urls
ScreenSize:
Screenshot.jpeg
Sent log. Gonna send done message
Sent system information
SrartLoader
Start
Steam/%ls
SteamPath
Successfully connected to %s
Successfully start process
TRUE
Telegram/%ls
There's file to load. Gonna load it
Title:
Token retrieved: %s
Trying to connect to %s
User32.dll
UserName:
Wallets/%ls_%ls_%ls
Wininet.dll
Write file content in %ls
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
build
computername
encrypted_key
file
filename
hwid
image/jpeg
kernel32.dll
key3.db
key4.db
loader
log9ns.json
loghub/master
msg
sqlite3
sqlite3_close{f
sqlite3_column_blob
sqlite3_column_bytes
sqlite3_column_text
sqlite3_open
sqlite3_open_v2
sqlite3_prepare_v2
sqlite3_step
token
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:05:25 00:49:06+02:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.13
CodeSize: 25600
InitializedDataSize: 1137664
UninitializedDataSize: -
EntryPoint: 0x6a60
OSVersion: 10
ImageVersion: 10
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 11.0.17763.1
ProductVersionNumber: 11.0.17763.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Win32 Cabinet Self-Extractor
FileVersion: 11.00.17763.1 (WinBuild.160101.0800)
InternalName: Wextract
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: WEXTRACT.EXE .MUI
ProductName: Internet Explorer
ProductVersion: 11.00.17763.1
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
7
Malicious processes
7
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start drop and start drop and start file.exe no specs qa1pq51.exe no specs xp7ij64.exe no specs vk7ut40.exe no specs 1nj33fh2.exe no specs #STEALC 2gf7617.exe #STEALC applaunch.exe

Process information

PID
CMD
Path
Indicators
Parent process
416C:\Users\admin\AppData\Local\Temp\IXP003.TMP\2GF7617.exeC:\Users\admin\AppData\Local\Temp\IXP003.TMP\2GF7617.exe
Vk7ut40.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Stealc
(PID) Process(416) 2GF7617.exe
C2http://5.42.92.211/
Strings (158)#"
x32
x64
%ix%i
%ls
%ls/%ls
%ls\%ls
%ls\%ls\Local State
%ls\*
%ls\History
%ls\Local Extension Settings\%ls
%ls\Login Data
%ls\Web Data
%ls\cookies.sqlite
%ls\formhistory.sqlite
%ls\places.sqlite
%s%s
%s/%s
--%sContent-Disposition: form-data; name="%s"
..\stealer\chromiumbrowsers.cpp
..\stealer\filesgrabber.cpp
..\stealer\httpclient.cpp
..\stealer\loader.cpp
..\stealer\sqlite3.cpp
..\stealer\stealer.cpp
.dll
.exe
9375CFF0413111d3B88A00104B2A6676
=============
===============
Ablmhkr(elXel'mqm
Advapi32.dll
Autofills/%ls_%ls.txt
Available KeyboardLayouts:
Build mark:
Chromium browsers paths were retrieved
ComSpec
Command line: %ls
Config retrieved: %d, %d, %d, %d, %d, %d, %d, %d, %d, %d
Content-Type: multipart/form-data; boundary=%sContent-Length: %d
Cookies
Cookies/%ls_%ls.txt
CreditCards/%ls_%ls.txt
Current language:
DISPLAY
Default
Email
Email/Credentials.txt
Email:
EnterCritic6lSection
Expand path: %ls
Extensions were retrieved
Failed to connect to %s
Failed to download sqlite3.dll
Failed to export functions from sqlite3.dll
Failed to retrieve chromium browsers paths
Failed to retrieve files grabber paths
Files grabber paths were retrieved
FilesGrabber: Sent %ls
Find chromium cookies db %ls
Find chromium extension %ls with id %ls
Find chromium history db %ls
Find chromium login data db %ls
Find chromium web data db %ls
Find gecko autofills db %ls
Find gecko cookies db %ls
Find gecko file %ls
Find gecko history db %ls
Find steam data, path %ls
GPU:
Gdi32.dll
Gecko/%ls/%ls/%ls
Gonna gather system information
Gonna grab ChromiumBrowsers
Gonna grab files
Gonna grab steam
Gonna take screenshot
GrabFiles
HandleChromiumBrowsers
Hardwares: CPU:
History/%ls_%ls.txt
Holder:
Host:
HttpQueryInfo fails; last error: %x
IMAP Password
IP: {ip}File Location:
Init
InitializeCriticalSection
Kernel32.dll
Key:
LeaveCriticalSectin
LoadLibraryA
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Name:
Network\Cookies
Ntdll.dll
Ole32.dll
Operation System:
POST
Passwords.txt
ProductName
QBJM
RAM: %ull
Request
Retrieve rule FilesGrabber, server side path: %ls
Rstrtmgr.dll
SELECT fieldname, value FROM moz_formhistory
SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
SELECT name, value FROM autofill
SELECT origin_url, username_value, password_value FROM logins
SELECT title, url FROM moz_places
SELECT url, title FROM urls
ScreenSize:
Screenshot.jpeg
Sent log. Gonna send done message
Sent system information
SrartLoader
Start
Steam/%ls
SteamPath
Successfully connected to %s
Successfully start process
TRUE
Telegram/%ls
There's file to load. Gonna load it
Title:
Token retrieved: %s
Trying to connect to %s
User32.dll
UserName:
Wallets/%ls_%ls_%ls
Wininet.dll
Write file content in %ls
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
build
computername
encrypted_key
file
filename
hwid
image/jpeg
kernel32.dll
key3.db
key4.db
loader
log9ns.json
loghub/master
msg
sqlite3
sqlite3_close{f
sqlite3_column_blob
sqlite3_column_bytes
sqlite3_column_text
sqlite3_open
sqlite3_open_v2
sqlite3_prepare_v2
sqlite3_step
token
460C:\Users\admin\AppData\Local\Temp\IXP000.TMP\qA1pq51.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\qA1pq51.exefile.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Win32 Cabinet Self-Extractor
Exit code:
0
Version:
11.00.17763.1 (WinBuild.160101.0800)
2688C:\Users\admin\AppData\Local\Temp\IXP001.TMP\xP7iJ64.exeC:\Users\admin\AppData\Local\Temp\IXP001.TMP\xP7iJ64.exeqA1pq51.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Win32 Cabinet Self-Extractor
Exit code:
0
Version:
11.00.17763.1 (WinBuild.160101.0800)
2728C:\Users\admin\AppData\Local\Temp\IXP003.TMP\1Nj33Fh2.exeC:\Users\admin\AppData\Local\Temp\IXP003.TMP\1Nj33Fh2.exeVk7ut40.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Healer
Exit code:
0
Version:
1.0.0.0
2964"C:\Users\admin\AppData\Local\Temp\file.exe" C:\Users\admin\AppData\Local\Temp\file.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Win32 Cabinet Self-Extractor
Exit code:
0
Version:
11.00.17763.1 (WinBuild.160101.0800)
2972"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
2GF7617.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET ClickOnce Launch Utility
Exit code:
1
Version:
4.7.2558.0 built by: NET471REL1
3052C:\Users\admin\AppData\Local\Temp\IXP002.TMP\Vk7ut40.exeC:\Users\admin\AppData\Local\Temp\IXP002.TMP\Vk7ut40.exexP7iJ64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Win32 Cabinet Self-Extractor
Exit code:
0
Version:
11.00.17763.1 (WinBuild.160101.0800)
Total events
0
Read events
0
Write events
0
Delete events
0

Modification events

No data
Executable files
8
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
2964file.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\5CW9Ll9.exeexecutable
MD5:EC861951D3EA867605AFAEC4B868D911
SHA256:38C9BFF92645DF776DE8F959348E85C6B0325AF36C4BD4C8B5B01E99346697CA
2688xP7iJ64.exeC:\Users\admin\AppData\Local\Temp\IXP002.TMP\Vk7ut40.exeexecutable
MD5:EDEBA4EC99FDE7061A3C3022538D27A8
SHA256:D7133C202FE9BD99340BD91F225D24450216820A69BE59DBF2E137B45FF78DBE
460qA1pq51.exeC:\Users\admin\AppData\Local\Temp\IXP001.TMP\4GJ045mb.exeexecutable
MD5:A38CE3E2DC246D8E40F95186737C588F
SHA256:C42EFCD5F53C75F36A6ED5C8F8BE82359B848285FFB0FC5ACC12FBD625C7028E
2688xP7iJ64.exeC:\Users\admin\AppData\Local\Temp\IXP002.TMP\3wx83AB.exeexecutable
MD5:F09B788BFB242F8EDCB4B4AB2BD0275A
SHA256:F291D8694F3198B824474D57A18792218A5D622F2F59370EFE6679563DB87521
2964file.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\qA1pq51.exeexecutable
MD5:C6936AE9C85F345AFDEA3E4DDABA3086
SHA256:B9372FDE0FEF14ACEC185A83C944C46C9CCAEFA2CCF8A61F4369FA593E460CFF
460qA1pq51.exeC:\Users\admin\AppData\Local\Temp\IXP001.TMP\xP7iJ64.exeexecutable
MD5:12A376D4EDFBF0143D2313962FF10433
SHA256:C47E82546C9F8CBA335722B257F801C1D4F4232D1D02BE45BDB9738912D1CFBE
3052Vk7ut40.exeC:\Users\admin\AppData\Local\Temp\IXP003.TMP\1Nj33Fh2.exeexecutable
MD5:8904F85ABD522C7D0CB5789D9583CCFF
SHA256:7624B62FE97C8E370C82BC86F69C2F627328E701CE1F3D9BED92A1E5FE11FD7F
2972AppLaunch.exeC:\Users\admin\AppData\Local\Temp\4375vtb45tv8225nv4285n2.txttext
MD5:E563079567A0C446790637EE26CFA4CE
SHA256:99F4379E25640E94EB4B757C441BE7AA591DC056A1CB488E5B8A5CFA5D4201C1
3052Vk7ut40.exeC:\Users\admin\AppData\Local\Temp\IXP003.TMP\2GF7617.exeexecutable
MD5:F0831F173733DE08511F3A0739F278A6
SHA256:8B00F9DCE8CEB2123FBA3BC9F88419960D1E661B6287EAFEBA4F0A2EE4BE3D27
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
6
DNS requests
0
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2972
AppLaunch.exe
POST
200
5.42.92.211:80
http://5.42.92.211/loghub/master
unknown
text
8 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
unknown
4
System
192.168.100.255:138
whitelisted
1956
svchost.exe
239.255.255.250:1900
whitelisted
2972
AppLaunch.exe
5.42.92.211:80
CJSC Kolomna-Sviaz TV
RU
unknown
324
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

PID
Process
Class
Message
2972
AppLaunch.exe
A Network Trojan was detected
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
2972
AppLaunch.exe
A Network Trojan was detected
STEALER [ANY.RUN] Win32/Stealc (Check-In)
2972
AppLaunch.exe
Potentially Bad Traffic
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
Process
Message
AppLaunch.exe
2023-10-07 02:24:06 [AppLaunch.exe 2972] Trying to connect to http://5.42.92.211/
AppLaunch.exe
2023-10-07 02:24:07 [AppLaunch.exe 2972] ERROR in ..\stealer\stealer.cpp, line 156, function Start. Failed to connect to http://5.42.92.211/
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
file