MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 05e997f99cb9347fb32dee57502e0dfc3a906b0bdda7501092e48d2689e72fdb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
ScarfaceStealer
Vendor detections: 9
| SHA256 hash: | 05e997f99cb9347fb32dee57502e0dfc3a906b0bdda7501092e48d2689e72fdb |
|---|---|
| SHA3-384 hash: | 79c70195ef97453e4058151860898da3266a07c0bca93a338c1fffdd5b835441bc109b53ae6eb2d7eae5df23f32de576 |
| SHA1 hash: | 68a3c7d2f80f833db6323c2e6beb3f5b8b68f3f2 |
| MD5 hash: | 5bf8bb5a01e14c89a9e31845f9353b4b |
| humanhash: | vermont-oscar-virginia-five |
| File name: | 05e997f99cb9347fb32dee57502e0dfc3a906b0bdda7501092e48d2689e72fdb |
| Download: | download sample |
| Signature | ScarfaceStealer |
| File size: | 90'270'720 bytes |
| First seen: | 2026-06-08 09:32:41 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 9bf3f5698d1c8e5d8bbe8d194ac5d544 (46 x ScarfaceStealer) |
| ssdeep | 786432:QAZqtFi3zQzwBs6vNtcZY5Dfw3pgPVlcmXW:QAZui3zQz2jOZKft |
| TLSH | T1B2187D03B3A705D5E8F7DA3196E65223A932BC066F3085DF324C17262F73AE05A76B51 |
| TrID | 51.9% (.EXE) Win64 Executable (generic) (6522/11/2) 16.1% (.EXE) OS/2 Executable (generic) (2029/13) 15.9% (.EXE) Generic Win/DOS Executable (2002/3) 15.9% (.EXE) DOS Executable (generic) (2000/1) |
| Magika | pebin |
| dhash icon | e1f87cdce0e03870 (1 x ScarfaceStealer) |
| Reporter |  adrian__luca |
| Tags: | exe ScarfaceStealer |
Intelligence
File Origin
# of uploads :
1
# of downloads :
55
Origin country :
HUVendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
93.3%
Tags:
virus shell sage
Result
Verdict:
Malware
Maliciousness:
Behaviour
Restart of the analyzed sample
Creating a process with a hidden window
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Connection attempt to an infection source
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Deleting a recently created file
Moving a recently created file
Searching for analyzing tools
Searching for the window
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Creating a service
Launching a service
Creating a window
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Enabling autorun for a service
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
anti-debug crypto fingerprint microsoft_visual_cc packed reconnaissance
Verdict:
Malicious
Labled as:
TrojanDownloader_Win32_Paph_pve
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-05-24T06:18:00Z UTC
Last seen:
2026-05-24T08:41:00Z UTC
Hits:
~1000
Score:
96%
Verdict:
Malware
File Type:
PE
Gathering data
Threat name:
Win64.Trojan.Generic
Status:
Suspicious
First seen:
2026-05-16 15:59:37 UTC
AV detection:
8 of 37 (21.62%)
Threat level:
5/5
Detection(s):
Suspicious file
Result
Malware family:
n/a
Score:
8/10
Tags:
discovery execution
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates processes with tasklist
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.
File information
The table below shows additional information about this malware sample such as delivery method and external references.
No further information available
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.