The detection identifies potential Creal Stealer malware activity through known IOCs, indicating an adversary may be exfiltrating sensitive data from the network. SOC teams should proactively hunt for this behavior to detect and mitigate data theft early in the attack lifecycle.
IOC Summary
Malware Family: Creal Stealer
Total IOCs: 3
IOC Types: sha1_hash, sha256_hash, md5_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| md5_hash | c2fd87e0a14baa16be23ea3b40b42eee | payload | 2026-06-17 | 95% |
| sha256_hash | e6085af9fdabb1a5cec731cf03a1da9cf8aa01163baf414cf03cc174616e1c09 | payload | 2026-06-17 | 95% |
| sha1_hash | 4d87853447b486c8f62cc67b22d8cac7eef3965b | payload | 2026-06-17 | 95% |
```kusto
// Hunt for files matching known malicious hashes
// Source: ThreatFox - Creal Stealer
// One mixed list of MD5/SHA1/SHA256 values; each hash column is checked against it.
// Keep the values lowercase: DeviceFileEvents stores hashes lowercase and `in` is case-sensitive.
let malicious_hashes = dynamic([
    "c2fd87e0a14baa16be23ea3b40b42eee",
    "e6085af9fdabb1a5cec731cf03a1da9cf8aa01163baf414cf03cc174616e1c09",
    "4d87853447b486c8f62cc67b22d8cac7eef3965b"
]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
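The same hash match as a stand-alone Python check, added here as an example and not part of the original detection. It routes a mixed IOC list to the correct column by digest length, compares case-insensitively (some collectors emit uppercase digests), and runs over constructed sample events shaped like DeviceFileEvents rows; the sample events are made up for the demonstration.

```python
import hashlib

# IOCs from the ThreatFox table above (Creal Stealer), keyed by algorithm.
CREAL_IOCS = {
    "md5": {"c2fd87e0a14baa16be23ea3b40b42eee"},
    "sha1": {"4d87853447b486c8f62cc67b22d8cac7eef3965b"},
    "sha256": {"e6085af9fdabb1a5cec731cf03a1da9cf8aa01163baf414cf03cc174616e1c09"},
}

# Hex digest length identifies the algorithm, so a mixed feed (like the KQL
# dynamic() array) can be routed to the matching column.
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

def bucket_iocs(hashes):
    """Group an unsorted list of hex hashes by algorithm; reject anything malformed."""
    buckets = {"md5": set(), "sha1": set(), "sha256": set()}
    for h in hashes:
        h = h.strip().lower()
        algo = ALGO_BY_LEN.get(len(h))
        if algo is None or any(c not in "0123456789abcdef" for c in h):
            raise ValueError(f"not a hex MD5/SHA1/SHA256 digest: {h!r}")
        buckets[algo].add(h)
    return buckets

def match_events(events, iocs=CREAL_IOCS):
    """Return events whose MD5/SHA1/SHA256 field hits an IOC, tagged with the algorithm."""
    hits = []
    for ev in events:
        for field, algo in (("MD5", "md5"), ("SHA1", "sha1"), ("SHA256", "sha256")):
            val = (ev.get(field) or "").lower()
            if val and val in iocs[algo]:
                hits.append({**ev, "matched_on": algo})
                break
    return hits

def file_matches(data: bytes, iocs=CREAL_IOCS):
    """Check a file's bytes against the IOC set (for a sample pulled off-host)."""
    return any(hashlib.new(a, data).hexdigest() in iocs[a] for a in iocs)

# Constructed sample events (not real telemetry): one uppercase IOC hit, one benign file.
SAMPLE_EVENTS = [
    {"Timestamp": "2026-06-17T10:01:00Z", "DeviceName": "ws01", "FileName": "update.exe",
     "SHA256": "E6085AF9FDABB1A5CEC731CF03A1DA9CF8AA01163BAF414CF03CC174616E1C09",
     "SHA1": None, "MD5": None},
    {"Timestamp": "2026-06-17T10:02:00Z", "DeviceName": "ws02", "FileName": "notes.txt",
     "SHA256": "0" * 64, "SHA1": "0" * 40, "MD5": "0" * 32},
]

if __name__ == "__main__":
    for hit in match_events(SAMPLE_EVENTS):
        print(hit["DeviceName"], hit["FileName"], "matched on", hit["matched_on"])
```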
| Scenario | Filter/Exclusion |
|---|---|
| Legitimate scheduled job using crontab to run system maintenance scripts | Exclude processes where the command line includes /usr/bin/crontab or /etc/crontab, or where the user is a system admin (e.g., root, sysadmin). |
| System update or patching using yum or apt with a cron job | Exclude processes where the command line includes yum update or apt upgrade, or where the user is a system admin (e.g., root, sysadmin). |
| Admin task using ps or top to monitor system processes | Exclude processes where the command line includes ps -ef or top -b, and the user is a system admin (e.g., root, sysadmin). |
| Legitimate use of wget or curl for software deployment | Exclude processes where the command line includes wget or curl with URLs from known internal or trusted repositories (e.g., internal-repo.example.com, artifactory.example.com). |
| Use of tar or gzip for archiving logs or backups | Exclude processes where the command line includes tar -czf or gzip -c, and the user is a system admin (e.g., root, sysadmin) or the file path is within a known backup directory (e.g., /var/backups/). |