MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2fc7359e91781e8f18968a923e54e44265e9ea9d984af99e5320a5f341ec3d34. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ScarfaceStealer

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	2fc7359e91781e8f18968a923e54e44265e9ea9d984af99e5320a5f341ec3d34
SHA3-384 hash:	d3c7f7db9e70323bedf95580287189f21e69e3199afa2d450b3da41cd759498778ef2754e240e2e20657a99c4dbc27ba
SHA1 hash:	7082e7f4a9e7708808a791e69b5f3218ec688f26
MD5 hash:	4b5a1b05c70bf2e63e03e037e6718ec1
humanhash:	eight-harry-foxtrot-maine
File name:	Xeno.exe
Download:	download sample
Signature	ScarfaceStealer Create hunting rule
File size:	90'260'480 bytes
First seen:	2026-03-14 16:24:57 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9bf3f5698d1c8e5d8bbe8d194ac5d544 (41 x ScarfaceStealer)
ssdeep	786432:hAZqtFi3zQzwBs6vNtcZY5Dfw3pgPVlcmXW:hAZui3zQz2jOZKft
TLSH	T12B187D03B3A705D5E8F7DA3196E65223A932BC066F3085DF324C17262F73AE05A76B51
TrID	51.9% (.EXE) Win64 Executable (generic) (6522/11/2) 16.1% (.EXE) OS/2 Executable (generic) (2029/13) 15.9% (.EXE) Generic Win/DOS Executable (2002/3) 15.9% (.EXE) DOS Executable (generic) (2000/1)
Magika	pebin
dhash icon	484cd9989818e9e6 (1 x ScarfaceStealer)
Reporter	tcains1
Tags:	exe ScarfaceStealer

Intelligence

File Origin

# of uploads :

# of downloads :

540

Origin country :

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/194e7ce7-53b9-4da6-ab73-b2b5cb45e740/

Malware family:

n/a

ID:

File name:

Xeno.exe

Verdict:

Suspicious activity

Analysis date:

2026-03-14 16:29:08 UTC

Tags:

susp-powershell

Link:

https://app.any.run/tasks/5af4dbc7-70b6-4674-b987-d86fcc6a6af8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

93.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69b58c1c93b644ca466a028c

Tags:

xtreme shell sage

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug crypto fingerprint microsoft_visual_cc packed

Link:

https://www.filescan.io/uploads/69b58bfe677ac46843a50f95/reports/0f6aca97-e13b-43f5-bb92-7cad9801288d/overview

Verdict:

Malicious

Labled as:

Trojan.Win64.Downloader.oa

Link:

https://www.hybrid-analysis.com/sample/2fc7359e91781e8f18968a923e54e44265e9ea9d984af99e5320a5f341ec3d34

Verdict:

Malicious

File Type:

exe x64

Detections:

Trojan-Downloader.Win32.Paph.phe PDM:Trojan.Win32.Generic

Link:

https://opentip.kaspersky.com/2fc7359e91781e8f18968a923e54e44265e9ea9d984af99e5320a5f341ec3d34/results?tab=lookup

Score:

Verdict:

Benign

File Type:

Link:

https://malprob.io/report/2fc7359e91781e8f18968a923e54e44265e9ea9d984af99e5320a5f341ec3d34

Gathering data

Verdict:

Susipicious

Link:

https://tip.neiki.dev/file/2fc7359e91781e8f18968a923e54e44265e9ea9d984af99e5320a5f341ec3d34

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2026-03-14 16:26:07 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

8 of 24 (33.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=f7dtlhurpapi6gewrkjd4vheijs6t2u5tbfpthstecs7gqpmhu2a._file

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery execution

Link:

https://tria.ge/reports/260314-txbamsax4n/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates processes with tasklist

Checks computer location settings

Command and Scripting Interpreter: PowerShell

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ScarfaceStealer

exe 2fc7359e91781e8f18968a923e54e44265e9ea9d984af99e5320a5f341ec3d34

(this sample)

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample