MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d5b21c50ace8394dd64e9be86a4187362e6fe07af4be39ea5ed8c1d6fe937d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


WallStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0d5b21c50ace8394dd64e9be86a4187362e6fe07af4be39ea5ed8c1d6fe937d0
SHA3-384 hash: 914714aa11c00a921c31764f566d5ec765f7a246342557b52e929e7a1cc98e72e909d9b20b4ce06e3d073ed136e5274f
SHA1 hash: 80a4488db652d1da4a55a9fe3ef33dbb44b08675
MD5 hash: e76586ffea5c92002e4a8edf60b64bfe
humanhash: idaho-oregon-two-red
File name:babi.exe
Download: download sample
Signature WallStealer
Create hunting rule
File size:649'216 bytes
First seen:2026-02-28 12:33:44 UTC
Last seen:2026-03-01 09:46:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a330d858063c312aaac6d9eaeb29a36b (2 x WallStealer)
ssdeep 6144:6/FAnFeGb74gQ/Dmeqxt8UDRiiVxdB8+CbTrK9ZgnRs1VzYXWjPJAWzfO6rn:WA0sJQ/Zqb8RaxXaYQRkVkUTHrn
TLSH T112D47B0DA7A581F9D1B7D0B4CD038517EB72FC564732669B43E04A862F2BAA49F3DB10
TrID 37.0% (.EXE) Win64 Executable (generic) (6522/11/2)
28.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.5% (.EXE) OS/2 Executable (generic) (2029/13)
11.3% (.EXE) Generic Win/DOS Executable (2002/3)
11.3% (.EXE) DOS Executable (generic) (2000/1)
Magika pebin
Reporter burger
Tags:exe WallStealer

Intelligence

File Origin
# of uploads :
3
# of downloads :
117
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
babi.exe
Verdict:
Malicious activity
Analysis date:
2026-02-28 10:38:39 UTC
Tags:
stealer wallstealer
Link:
https://app.any.run/tasks/f2b04b4b-e92a-42c9-a156-ac86c546a80d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/55002/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69a2c5ae8fffa866e3b33af6
Tags:
phishing cobalt
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug anti-vm base64 crypto evasive fingerprint hacktool krypt microsoft_visual_cc stealer
Link:
https://www.filescan.io/uploads/69a2e0c510e80629d4f6891a/reports/49b00924-3def-4ce6-b423-9d043c7d3394/overview
Verdict:
Malicious
Labled as:
Midie.Generic
Link:
https://www.hybrid-analysis.com/sample/0d5b21c50ace8394dd64e9be86a4187362e6fe07af4be39ea5ed8c1d6fe937d0
Result
Gathering data
Verdict:
Malicious
File Type:
exe x64
Detections:
Trojan-PSW.Vidar.HTTP.C&C Trojan-PSW.Stealer.TCP.C&C Trojan-PSW.Stealer.HTTP.C&C Trojan-PSW.Lumma.TCP.C&C Trojan-PSW.Win32.Vidar.hxs
Link:
https://opentip.kaspersky.com/0d5b21c50ace8394dd64e9be86a4187362e6fe07af4be39ea5ed8c1d6fe937d0/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/8ffd2fff-9ed0-4db1-97b0-c65677b46ed2
Result
Threat name:
WallStealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1876351
Signature
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Creates a thread in another existing process (thread injection)
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected WallStealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1876351 Sample: babi.exe Startdate: 28/02/2026 Architecture: WINDOWS Score: 100 64 interactiom.top 2->64 66 steamcommunity.com 2->66 68 fg.microsoft.map.fastly.net 2->68 88 Suricata IDS alerts for network traffic 2->88 90 Multi AV Scanner detection for submitted file 2->90 92 Yara detected WallStealer 2->92 94 Joe Sandbox ML detected suspicious sample 2->94 8 babi.exe 2->8         started        12 msedge.exe 2->12         started        14 msedge.exe 2->14         started        signatures3 process4 dnsIp5 82 interactiom.top 151.243.113.70, 443, 49711, 49723 RASANAIR Iran (ISLAMIC Republic Of) 8->82 84 steamcommunity.com 23.222.161.105, 443, 49710 AKAMAI-ASUS United States 8->84 96 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->96 98 Hijacks the control flow in another process 8->98 100 Found many strings related to Crypto-Wallets (likely being stolen) 8->100 102 6 other signatures 8->102 16 msedge.exe 12 226 8->16         started        21 chrome.exe 8->21         started        23 msedge.exe 11 8->23         started        25 msedge.exe 12->25         started        27 msedge.exe 12->27         started        29 identity_helper.exe 12->29         started        31 identity_helper.exe 12->31         started        33 msedge.exe 14->33         started        signatures6 process7 dnsIp8 54 192.168.2.4, 138, 443, 49446 unknown unknown 16->54 56 239.255.255.250 unknown Reserved 16->56 50 C:\Users\user\AppData\Local\...\Login Data, SQLite 16->50 dropped 52 C:\Users\user\AppData\Local\...\History, SQLite 16->52 dropped 86 Found strings related to Crypto-Mining 16->86 35 msedge.exe 16->35         started        38 msedge.exe 16->38         started        40 msedge.exe 16->40         started        48 3 other processes 16->48 42 chrome.exe 21->42         started        44 WerFault.exe 16 21->44         started        46 msedge.exe 23->46         started        58 150.171.28.11, 443, 49793, 49794 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 25->58 60 teams-mrc-ww-perf.tm-4.office.com 52.123.241.42, 443, 49791 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 25->60 62 4 other IPs or domains 25->62 file9 signatures10 process11 dnsIp12 70 part-0041.t-0009.t-msedge.net 13.107.213.69, 443, 49771 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 35->70 72 13.107.246.69, 443, 49725, 49781 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 35->72 78 29 other IPs or domains 35->78 74 www.google.com 142.251.32.164, 443, 49730, 49731 GOOGLEUS United States 42->74 76 play.google.com 172.217.14.110, 443, 49757 GOOGLEUS United States 42->76 80 3 other IPs or domains 42->80
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0d5b21c50ace8394dd64e9be86a4187362e6fe07af4be39ea5ed8c1d6fe937d0
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0d5b21c50ace8394dd64e9be86a4187362e6fe07af4be39ea5ed8c1d6fe937d0/
Verdict:
Malicious
Threat:
Family.WALLSTEALER
Link:
https://tip.neiki.dev/file/0d5b21c50ace8394dd64e9be86a4187362e6fe07af4be39ea5ed8c1d6fe937d0
Threat name:
Win64.Infostealer.WallStealer
Create hunting rule
Status:
Malicious
First seen:
2026-02-26 04:07:24 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
24 of 36 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bvnsdrikz2bzjxle5g7injayonron7qhv5f6hhvf5wgb237jg7ia._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/260228-prvpwagt9h/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
System Time Discovery
Drops file in Windows directory
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
0d5b21c50ace8394dd64e9be86a4187362e6fe07af4be39ea5ed8c1d6fe937d0
MD5 hash:
e76586ffea5c92002e4a8edf60b64bfe
SHA1 hash:
80a4488db652d1da4a55a9fe3ef33dbb44b08675
Link:
https://www.unpac.me/results/eeb9d6d1-68ca-496c-9134-9234cdd93270/
Malware family:
WallStealer
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0d5b21c50ace/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0d5b21c50ace8394dd64e9be86a4187362e6fe07af4be39ea5ed8c1d6fe937d0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

WallStealer

Executable exe e694f26b249050dc0001e48911c1381ebe9308a85e86afce1699d730eaac7b77

WallStealer

Executable exe 0d5b21c50ace8394dd64e9be86a4187362e6fe07af4be39ea5ed8c1d6fe937d0

(this sample)

  
Dropped by
SHA256 e694f26b249050dc0001e48911c1381ebe9308a85e86afce1699d730eaac7b77
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/55002/
  
Dropped by
MD5 4cd375e418630fe4d3ff7caf08a15788
  
URLhaus
https://urlhaus.abuse.ch/url/3787676/

Comments