MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21b3ca1c26d28630a0661f99c017a5e3fc12705f8d85dae86ab139622728251f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 13

Intelligence 13 IOCs YARA 5 File information Comments

SHA256 hash:	21b3ca1c26d28630a0661f99c017a5e3fc12705f8d85dae86ab139622728251f
SHA3-384 hash:	7649af8f8ec70f20390fe2c8dc7bcc8228f45e368f897d504467dad9934c3645106e2a77e2a23c9cd81458f131792c34
SHA1 hash:	80ffea60e935e7f005ff86b42e089e54ab140b98
MD5 hash:	4f0a47b73d5b4d0ab40cea37ed246345
humanhash:	apart-speaker-xray-quebec
File name:	file
Download:	download sample
File size:	202'240 bytes
First seen:	2025-11-20 23:39:36 UTC
Last seen:	2025-11-21 02:13:12 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	9d20241135260a6283527b95f11fc551 (1 x Amadey)
ssdeep	3072:+LkiHgZn7CNFBneOI7Aeq63oNZ4rKypSiDX9I24+lgNd+f0PWMelS:+LkiHC7JOI7+5Z4rWk9IHDd+fUK
TLSH	T101148C243680C072E4B7027145FC9B32597DBE620BB156DBB3E80F9D8AB45D26B31767
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey e3db0b exe

Bitsight

url: http://178.16.53.7/x.exe

Intelligence

File Origin

# of uploads :

# of downloads :

121

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2025-11-20 23:41:49 UTC

Tags:

stealer stealc loader auto generic crypto-regex python upx

Link:

https://app.any.run/tasks/599457bd-48fb-46b8-9a02-efd04f542aae

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/38905/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=691fa6ee4917b5d23dafdbf4

Tags:

ransomware emotet trojan extens

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Connection attempt to an infection source

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug autorun fingerprint lolbin microsoft_visual_cc update zusy

Link:

https://www.filescan.io/uploads/691fa6ebf96b58f0dc7e4903/reports/29f44293-a0cc-4ec4-bdcb-a45845b0d73e/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/21b3ca1c26d28630a0661f99c017a5e3fc12705f8d85dae86ab139622728251f

Result

Gathering data

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d514bf98-4b15-4579-a319-b0f684f0f98d

Score:

97%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/21b3ca1c26d28630a0661f99c017a5e3fc12705f8d85dae86ab139622728251f

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/21b3ca1c26d28630a0661f99c017a5e3fc12705f8d85dae86ab139622728251f/

Verdict:

Malicious

Threat:

Family.STEALC

Link:

https://tip.neiki.dev/file/21b3ca1c26d28630a0661f99c017a5e3fc12705f8d85dae86ab139622728251f

Threat name:

Win32.Infostealer.Tinba

Status:

Malicious

First seen:

2025-11-20 23:40:29 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 36 (55.56%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=egz4uhbg2kddbidgd6m4af5f4p6be4c7rwc5v2dkwe4wejzieupq._file

Verdict:

malicious

Label(s):

stealc

Similar samples:

error

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery persistence pyinstaller spyware stealer upx

Link:

https://tria.ge/reports/251120-3n3szagy6f/

Behaviour

Checks SCSI registry key(s)

Checks processor information in registry

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Detects Pyinstaller

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops autorun.inf file

Drops file in System32 directory

UPX packed file

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Enumerates connected drives

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Verdict:

Malicious

Tags:

JS_Nemucod

YARA:

n/a

Link:

https://app.threat.zone/submission/38bc956c-b2c2-4a82-bb68-43b3e1ac0ef0

Unpacked files

SH256 hash:

21b3ca1c26d28630a0661f99c017a5e3fc12705f8d85dae86ab139622728251f

MD5 hash:

4f0a47b73d5b4d0ab40cea37ed246345

SHA1 hash:

80ffea60e935e7f005ff86b42e089e54ab140b98

Link:

https://www.unpac.me/results/dd09ee1e-f11e-4831-977e-0624355615fe/

Malware family:

Stealc.v2

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/21b3ca1c26d2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	ProgramLanguage_Rust Create hunting rule
Author:	albertzsigovits
Description:	Application written in Rust programming language

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 21b3ca1c26d28630a0661f99c017a5e3fc12705f8d85dae86ab139622728251f

(this sample)

Dropped by

Amadey

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/38905/

URLhaus

https://urlhaus.abuse.ch/url/3713182/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample