SemanticsAV Intelligence Report

Generated on 2025-10-24T17:14:21.146133

Detection Summary

File Hashes
MD5: f5f9ea2006f686c30fd441e8e43914a3
SHA1: 6eda5129ad0024b8fd6d7bb096c044132e6d1dd0
SHA256: c37d93385f10213d3059eac34996e589f415458989499fd281fdef5b7d929986
Verdict (Confidence): malicious (100.0%)
File Type: pe
Signature: N/A
Tags: N/A

Intelligence Statistics

Label Distribution

Total Samples: 5
Malicious: 5 (Max: 90.3% | Avg: 85.1%)
Suspicious: 0
Clean: 0
Unknown: 0

Top Signatures

Stealc: 4 samples (Max Similarity 90.3%, Avg Similarity 86.0%)
Amadey: 1 sample (Max Similarity 81.3%, Avg Similarity 81.3%)

Attribute Comparison Matrix

Compare static attributes between the target file and 5 similar samples from our threat intelligence database.

Legend:
* = Predicted label (suspicious/unknown or not in intelligence database)

Columns (similarity | label | signature | tags):
Attribute
Target (baseline): MALICIOUS* 100.0% | N/A
Sample #1: 90.3% | MALICIOUS | Stealc | exe
Sample #2: 88.0% | MALICIOUS | Stealc | dropped-by-Amadey exe
Sample #3: 85.9% | MALICIOUS | Stealc | exe
Sample #4: 81.3% | MALICIOUS | Amadey | 32 exe signed trojan
Sample #5: 80.0% | MALICIOUS | Stealc | dropped-by-Amadey exe

Each attribute row below lists its values in the order: Target | Sample #1 | Sample #2 | Sample #3 | Sample #4 | Sample #5.
compilation_datetime | 2025-10-12 | 2025-09-16 | 2025-10-12 | 2025-09-16 | 2023-11-04 | 2025-09-16
Data directories present (attribute name not given in the report; the values are PE data directory names). The six lists below are, in order: Target | Sample #1 (90.3%) | Sample #2 (88.0%) | Sample #3 (85.9%) | Sample #4 (81.3%) | Sample #5 (80.0%)
[
  "IMPORT_TABLE",
  "RESOURCE_TABLE",
  "EXCEPTION_TABLE",
  "CERTIFICATE_TABLE",
  "BASE_RELOCATION_TABLE",
  "TLS_TABLE"
]
[
  "IMPORT_TABLE",
  "RESOURCE_TABLE",
  "EXCEPTION_TABLE",
  "CERTIFICATE_TABLE",
  "BASE_RELOCATION_TABLE",
  "TLS_TABLE"
]
[
  "IMPORT_TABLE",
  "RESOURCE_TABLE",
  "EXCEPTION_TABLE",
  "CERTIFICATE_TABLE",
  "BASE_RELOCATION_TABLE",
  "TLS_TABLE"
]
[
  "IMPORT_TABLE",
  "RESOURCE_TABLE",
  "EXCEPTION_TABLE",
  "CERTIFICATE_TABLE",
  "BASE_RELOCATION_TABLE",
  "TLS_TABLE"
]
[
  "IMPORT_TABLE",
  "RESOURCE_TABLE",
  "CERTIFICATE_TABLE",
  "BASE_RELOCATION_TABLE",
  "TLS_TABLE"
]
[
  "IMPORT_TABLE",
  "RESOURCE_TABLE",
  "EXCEPTION_TABLE",
  "CERTIFICATE_TABLE",
  "BASE_RELOCATION_TABLE",
  "TLS_TABLE"
]
debug.entries_count | 0 | 0 | 0 | 0 | 0 | 0
delay_imports.dll_count | 0 | 0 | 0 | 0 | 0 | 0
delay_imports.total_functions | 0 | 0 | 0 | 0 | 0 | 0
dll_characteristics.HIGH_ENTROPY_VA | Yes | Yes | Yes | Yes | N/A | Yes
dll_characteristics.TERMINAL_SERVER_AWARE | Yes | Yes | Yes | Yes | Yes | Yes
entry_point | 6365272 | 4919384 | 4919384 | 5328984 | 5005216 | 5124184
exports | N/A | N/A | N/A | N/A | N/A | N/A
file_size | 3624384 | 2900560 | 2862160 | 3378256 | 3147408 | 3007056
image_size | 9437184 | 7294976 | 7254016 | 8183808 | 7815168 | 7606272
Imported DLLs with function counts (attribute name not given in the report). The six lists below are, in order: Target | Sample #1 (90.3%) | Sample #2 (88.0%) | Sample #3 (85.9%) | Sample #4 (81.3%) | Sample #5 (80.0%)
[
  {
    "name": "kernel32.dll",
    "number_of_functions": 1
  }
]
[
  {
    "name": "kernel32.dll",
    "number_of_functions": 1
  }
]
[
  {
    "name": "kernel32.dll",
    "number_of_functions": 1
  }
]
[
  {
    "name": "kernel32.dll",
    "number_of_functions": 1
  }
]
[
  {
    "name": "kernel32.dll",
    "number_of_functions": 1
  },
  {
    "name": "ADVAPI32.dll",
    "number_of_functions": 1
  },
  {
    "name": "SHELL32.dll",
    "number_of_functions": 1
  },
  {
    "name": "WININET.dll",
    "number_of_functions": 1
  },
  {
    "name": "WS2_32.dll",
    "number_of_functions": 1
  }
]
[
  {
    "name": "kernel32.dll",
    "number_of_functions": 1
  }
]
is_dll | No | No | No | No | No | No
linker_version | 14.43 | 14.43 | 14.43 | 14.43 | 14.24 | 14.43
load_configuration.present | No | No | No | No | No | No
machine | AMD64 | AMD64 | AMD64 | AMD64 | I386 | AMD64
relocations.by_type.ABS | 1 | 1 | 1 | 1 | 1 | 1
relocations.by_type.DIR64 | 3 | 3 | 3 | 3 | N/A | 3
relocations.total_blocks | 1 | 1 | 1 | 1 | 1 | 1
relocations.total_entries | 4 | 4 | 4 | 4 | 4 | 4
resources.has_manifest | Yes | No | Yes | No | Yes | No
resources.has_version_info | Yes | Yes | Yes | Yes | Yes | Yes
resources.number_of_dialogs | 0 | 0 | 0 | 0 | 0 | 0
resources.number_of_icons | 9 | 9 | 9 | 9 | 5 | 9
resources.number_of_string_tables | 0 | 0 | 0 | 0 | 0 | 0
rich_header_present | Yes | Yes | Yes | Yes | Yes | Yes
Section names in file order (attribute name not given in the report; entries containing only spaces are sections with blank names). The six lists below are, in order: Target | Sample #1 (90.3%) | Sample #2 (88.0%) | Sample #3 (85.9%) | Sample #4 (81.3%) | Sample #5 (80.0%)
[
  "        ",
  "        ",
  "        ",
  "        ",
  "        ",
  ".rsrc",
  ".idata",
  ".tls",
  ".themida",
  ".boot",
  ".reloc"
]
[
  "        ",
  "        ",
  "        ",
  "        ",
  "        ",
  ".rsrc",
  ".idata",
  ".tls",
  ".themida",
  ".boot",
  ".reloc"
]
[
  "        ",
  "        ",
  "        ",
  "        ",
  "        ",
  ".rsrc",
  ".idata",
  ".tls",
  ".themida",
  ".boot",
  ".reloc"
]
[
  "        ",
  "        ",
  "        ",
  "        ",
  "        ",
  ".rsrc",
  ".idata",
  ".tls",
  ".themida",
  ".boot",
  ".reloc"
]
[
  "        ",
  "        ",
  "        ",
  "        ",
  "        ",
  ".idata",
  ".tls",
  ".rsrc",
  ".themida",
  ".boot",
  ".reloc"
]
[
  "        ",
  "        ",
  "        ",
  "        ",
  "        ",
  ".rsrc",
  ".idata",
  ".tls",
  ".themida",
  ".boot",
  ".reloc"
]
signature.number_of_signatures | 1 | 1 | 1 | 1 | 1 | 1
signature.signed | Yes | Yes | Yes | Yes | Yes | Yes
Code-signing certificate distinguished names (attribute name not given in the report). The six lists below are, in order: Target | Sample #1 (90.3%) | Sample #2 (88.0%) | Sample #3 (85.9%) | Sample #4 (81.3%) | Sample #5 (80.0%)
[
  "C=US, O=DigiCert\\, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA256 2021 CA1"
]
[
  "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Code Signing PCA 2011"
]
[
  "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Code Signing PCA 2011"
]
[
  "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Code Signing PCA 2011"
]
[
  "CN=Hewlett-Packard Company"
]
[
  "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Code Signing PCA 2011"
]
subsystem | WINDOWS_GUI | WINDOWS_GUI | WINDOWS_GUI | WINDOWS_GUI | WINDOWS_GUI | WINDOWS_GUI
symbols.total_count | 0 | 0 | 0 | 0 | 0 | 0
tls.callbacks_count | 0 | 0 | 0 | 0 | 0 | 0
tls.present | Yes | Yes | Yes | Yes | Yes | Yes
version_info.file_type | APP | APP | APP | APP | APP | APP
version_info.file_version | 1.0.46.420 | 14.2.2.0 | 5.3.14.506 | 5.13.1.221 | 3.52.1.6833 | 5.13.1.221
version_info.product_version | 1.0.46.420 | 14.2.2.0 | 5.3.14.506 | 5.13.1.221 | 3.52.1.6833 | 5.13.1.221
version_info.strings.CompanyName | Simutronics Corporation | OGRE Team | Summit Tech | Crytek GmbH | A2SOFTIN Ltd. | Crytek GmbH
version_info.strings.FileDescription | Titan Solution Platform | Object-Oriented Graphics Rendering Engine | Elite Development Environment | CryEngine 5 Runtime | B052 Configuration Utility | CryEngine 5 Runtime
version_info.strings.FileVersion | 1.0.46 | 14.2.2 | 5.3.14 | 5.13.1 | 3.52.1.6833 | 5.13.1
version_info.strings.InternalName | nebulaplatform | ogre3d | summitengine | cryengine | B052Configurator | cryengine
version_info.strings.LegalCopyright | © 2020 Simutronics Corporation. | © 2000-2025 The OGRE Team | © 2002 Summit Tech. | © 2001-2025 Crytek GmbH. All rights reserved. | Copyright (C) 2013-2019 A2SOFTIN Ltd. | © 2001-2025 Crytek GmbH. All rights reserved.
version_info.strings.OriginalFilename | fusionengine.exe | ogre3d.exe | vanguardplatform.exe | cryengine.exe | B052Configurator.exe | cryengine.exe
version_info.strings.ProductName | Nebula Platform | OGRE3D | VisionForge | CryEngine | U-Prox IP | CryEngine
version_info.strings.ProductVersion | 1.0.46 | 14.2.2 | 5.3.14 | 5.13.1 | 3.52.1.6833 | 5.13.1
Natural Language Report

Executive Verdict Summary

The detection assessment for this file is MALICIOUS with 100.0% certainty. Analysis reveals significant structural similarities to the Stealc malware family, indicating a likely genetic relationship and a high probability that this sample belongs to, or is derived from, the Stealc lineage.

Technical Analysis

The target sample exhibits numerous structural indicators consistent with sophisticated malware. Notably, the presence of a TLS callback and the HIGH_ENTROPY_VA and TERMINAL_SERVER_AWARE flags in its DLL characteristics suggest advanced evasion and operational design. The file's compilation date and the specific sections present, including .rsrc, .idata, .tls, .themida, .boot, and .reloc, align with patterns observed in custom-developed or heavily obfuscated binaries. The version information attributing the file to "Simutronics Corporation", with the description "Titan Solution Platform" and the internal name "nebulaplatform", suggests an attempt to masquerade as legitimate software.

The analysis of similar samples from our intelligence database reveals a strong genetic link to the Stealc malware family. Four out of the five most similar samples (90.3% similarity to reference #1) are classified as Stealc. These shared structural patterns, such as the specific data directories present, the arrangement of sections, and the typical use of kernel32.dll imports with a single function, strongly suggest a common development origin or shared codebase evolution. The divergence in compilation dates and minor variations in version information strings across these similar Stealc samples point towards ongoing development and potential polymorphism within the family.

Furthermore, the presence of one sample classified as Amadey (81.3% similarity to reference #4) in proximity to the Stealc samples is noteworthy. While the structural similarity is lower, the Amadey sample shares some architectural choices, such as the presence of a TLS callback and similar section structures. This suggests a potential, albeit indirect, relationship or the utilization of overlapping tooling or techniques between Stealc and Amadey operations, possibly indicating Amadey's role as a dropper or facilitator for Stealc payloads.

Threat Intelligence Context

The structural analysis strongly suggests that this sample is a variant of the Stealc malware family, with a geometric similarity of up to 90.3% to known Stealc samples. Stealc is a sophisticated information stealer known for its ability to exfiltrate credentials from various applications, including web browsers, cryptocurrency wallets, and FTP clients. It often employs obfuscation techniques and packing to evade detection. Its typical objectives revolve around financial gain through credential theft and espionage.

The presence of a single Amadey sample (81.3% similarity) in the proximity of Stealc samples warrants further attention. Amadey is a well-documented malware loader and downloader often used to deliver secondary payloads, including stealer malware. The association suggests that Stealc may be distributed or deployed via Amadey campaigns. This cross-family attribution indicates a layered attack infrastructure, where Amadey acts as the initial point of compromise or delivery mechanism, followed by the execution of Stealc to achieve its data exfiltration objectives.

The convergence of structural patterns across multiple Stealc variants, compiled at different times and exhibiting slightly varied legitimate-sounding version information, highlights the dynamic nature of this threat. The reuse of common structural elements and potentially shared codebases across these samples underscores the importance of recognizing the genetic lineage of Stealc, even when presented with polymorphic variations or attempts at masquerading.

Recommendations and Response Strategy

Based on the high certainty of this sample being a Stealc variant, potentially delivered by Amadey, immediate response actions should focus on identifying and removing both types of malware. Prioritize endpoint detection and response (EDR) solutions capable of identifying process injection and unusual network communications, as Stealc is known to exhibit such behaviors. Implement network-level blocking for known Amadey and Stealc command-and-control infrastructure. Conduct a comprehensive scan of the environment using signatures and behavioral detection rules targeting Stealc's credential harvesting capabilities and Amadey's known distribution vectors. Advise users to reset credentials for critical applications and services compromised by Stealc. Monitor for the presence of suspicious executables in temporary directories or uncommon startup locations, as Amadey often drops payloads there.
