MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d0bf84e6e273bafbdc0444952f3a9539b186e91d12c8e74353cb0a439bbb40b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 14


Intelligence 14 IOCs YARA 19 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1d0bf84e6e273bafbdc0444952f3a9539b186e91d12c8e74353cb0a439bbb40b
SHA3-384 hash: 12a056bb4538734041d45475f08e62565a1d303f08e864acc7390772d7c7e8e03464b394990e5d166abdff20f20a7819
SHA1 hash: 5426419fbebd92814ed2536aeee47344447733d2
MD5 hash: 2877f3dcc58d4d42dc9f5220a0c910a2
humanhash: louisiana-comet-lithium-cardinal
File name:file
Download: download sample
Signature Stealc
Create hunting rule
File size:4'184'280 bytes
First seen:2026-01-25 21:12:42 UTC
Last seen:2026-01-26 05:31:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d42595b695fc008ef2c56aabd8efd68e (155 x Vidar, 92 x Rhadamanthys, 74 x Stealc)
ssdeep 49152:JSmoRJKk214X9mRuYRLp4wvAPdK09sj8LqzwWQ71:JJdT8qwWQZ
Threatray 83 similar samples on MalwareBazaar
TLSH T15A164A53EC93896DC4BAA239E9AE11827E703C090B7173D72A507A691E777C4013B7ED
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter Bitsight
Tags:a dropped-by-gcleaner exe signed Stealc TWO.file

Code Signing Certificate

Organisation:www.hindustantimes.com
Issuer:DigiCert Global G3 TLS ECC SHA384 2020 CA1
Algorithm:sha256WithRSAEncryption
Valid from:2025-10-10T00:00:00Z
Valid to:2026-10-11T23:59:59Z
Serial number: 06647f9f256083d341998ddf0e7a1793
Intelligence: 46 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: e3f707d7c97ea4823b18a0ece96a71fe71d9ee718faf49a43de49f3c0a0a36f8
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
Bitsight
url: http://194.38.20.224/service

Intelligence

File Origin
# of uploads :
8
# of downloads :
164
Origin country :
US US
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2026-01-25 21:13:43 UTC
Tags:
stealer stealc
Link:
https://app.any.run/tasks/ae37a439-5cb5-4847-9377-7df819277f79

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Stealc
Create hunting rule
Link:
https://www.capesandbox.com/analysis/50076/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=697687756fa3eed1652eddfd
Tags:
injection emotet obfusc crypt
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-vm crypt crypto golang signed
Link:
https://www.filescan.io/uploads/697687705db9ae47709168fa/reports/28051cea-b713-41cb-9f3b-2a0270f4b928/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/1d0bf84e6e273bafbdc0444952f3a9539b186e91d12c8e74353cb0a439bbb40b
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-01-25T18:20:00Z UTC
Last seen:
2026-01-25T22:19:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.Win64.Generic Trojan.MSIL.Agent.sb Trojan-PSW.Win64.StealC.sb Trojan-PSW.Lumma.HTTP.C&C
Link:
https://opentip.kaspersky.com/1d0bf84e6e273bafbdc0444952f3a9539b186e91d12c8e74353cb0a439bbb40b/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/46cfdf34-a3bd-4036-b89f-6c272642292a
Score:
67%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/1d0bf84e6e273bafbdc0444952f3a9539b186e91d12c8e74353cb0a439bbb40b
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/2877f3dcc58d4d42dc9f5220a0c910a2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1d0bf84e6e273bafbdc0444952f3a9539b186e91d12c8e74353cb0a439bbb40b/
Verdict:
Malicious
Threat:
Family.STEALC
Link:
https://tip.neiki.dev/file/1d0bf84e6e273bafbdc0444952f3a9539b186e91d12c8e74353cb0a439bbb40b
Threat name:
Win64.Spyware.Stealc
Create hunting rule
Status:
Suspicious
First seen:
2026-01-25 21:13:43 UTC
File Type:
PE+ (Exe)
AV detection:
10 of 24 (41.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=duf7qttoe4527poairevf45jkonrq3ur2ewi45bvhsykion3wqfq._file
Verdict:
malicious
Label(s):
stealc
Create hunting rule
Similar samples:
1d0775124c7105ffa48240288987811e07fee52b3472a25504d2706b905ba625
Stealc
40270000aee777f2e04221195bfbf5cec694bd0e54df1897cbc4b16f640cbff0
Stealc
404ad4417ff5283dc1b43cb530403f682c579eab3ba59c200454aa2f04220ec0
Stealc
5820d023c0c382b11e17661f8e293792ffb86aa2f54da2cb120e93652c0e4639
Stealc
5cc5e2d2a89be652f7389dd7fe1d824b0f85c078e45f56ff70f8df5515500248
Stealc
b54284da10dac4d3aa020888c775ac90a00ece30853354d7d14e0175aa3c9c5b
Stealc
b9ef7c7010bfa79f4503d0ed22942772defe68630291ebb786bf8284e451cf85
Stealc
de1e5a910f9c946c10a912236cd51f12e1d7cc3c280552853059560bc787c309
Stealc
error
Stealc
+ 73 additional samples on MalwareBazaar
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:stealc botnet:dfgwerher discovery spyware stealer
Link:
https://tria.ge/reports/260125-z2wp2agz3a/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Stealc
Stealc family
Malware Config
C2 Extraction:
http://45.93.20.34
Unpacked files
SH256 hash:
1d0bf84e6e273bafbdc0444952f3a9539b186e91d12c8e74353cb0a439bbb40b
MD5 hash:
2877f3dcc58d4d42dc9f5220a0c910a2
SHA1 hash:
5426419fbebd92814ed2536aeee47344447733d2
Link:
https://www.unpac.me/results/f2994535-183b-4644-bd89-dcf54ccd7ae9/
Malware family:
Stealc.v2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1d0bf84e6e27/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/1d0bf84e6e273bafbdc0444952f3a9539b186e91d12c8e74353cb0a439bbb40b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:golang_duffcopy_amd64
Create hunting rule
Rule name:Golang_Find_CSC846
Create hunting rule
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:Golang_Find_CSC846_Simple
Create hunting rule
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Suspicious_Golang_Binary
Create hunting rule
Author:Tim Machac
Description:Triage: Golang-compiled binary with suspicious OS/persistence/network strings (not family-specific)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe 1d0bf84e6e273bafbdc0444952f3a9539b186e91d12c8e74353cb0a439bbb40b

(this sample)

  
Dropped by
Gcleaner
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/50076/

Comments