MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 25898b0dc0f534749343909080cfad7f06c342474901652a3598deaf913c4435. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 16

Intelligence 16 IOCs YARA 20 File information Comments

SHA256 hash:	25898b0dc0f534749343909080cfad7f06c342474901652a3598deaf913c4435
SHA3-384 hash:	aabd157440dd81cdb1982e634ccf8f4963c2dd950346c63de0cb8e9dac4bd876f938e317129dad33fcf895b263bd88e6
SHA1 hash:	c9cd38ee6bda9b1b90349e71899b867b135d803e
MD5 hash:	92992ba222c052e96af7eb1c365917cb
humanhash:	hotel-fourteen-sink-ack
File name:	cx-programmer 9.1 free download full.exe
Download:	download sample
Signature	Stealc Create hunting rule
File size:	12'523'008 bytes
First seen:	2025-12-26 20:22:37 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c7269d59926fa4252270f407e4dab043 (45 x Hive, 23 x ServHelper, 22 x CobaltStrike)
ssdeep	49152:Cf10+/wrb/TWvO90dL3BmAFd4A64nsfJqCQDvpBhrlOlAjBEcfpFEs8EJFJe7Onz:Cf+A7bLgA8xnpsLofT
TLSH	T160C61992FE441319DB9BE27AD5B1A2953230B048033519D7FAE846A54D1FAC8173FB2F
gimphash	c0e0d2c8cca78241a6fe976d2441d08b32fbaef5ab26f61c00bb8b2a0faed6d9
TrID	48.7% (.EXE) Win64 Executable (generic) (10522/11/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	abuse_ch
Tags:	de-pumped exe Stealc

Intelligence

File Origin

# of uploads :

# of downloads :

105

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

Going

Details

Link:

https://research.acce.ciphertechsolutions.com/results/5d3c0af9-a63e-4e4a-b3c2-7eab3d14be0a/

Malware family:

n/a

ID:

File name:

_25898b0dc0f534749343909080cfad7f06c342474901652a3598deaf913c4435.exe

Verdict:

Malicious activity

Analysis date:

2025-12-26 20:40:14 UTC

Tags:

stealer stealc golang loader arch-exec

Link:

https://app.any.run/tasks/f6f5f3d6-5d63-407a-957f-63fa602e5652

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/46192/

Detection(s):

Win.Malware.Wingo-9956994-0

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=694eeeb501c7b4a8fe565231

Tags:

phishing cobalt mint

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/25898b0dc0f534749343909080cfad7f06c342474901652a3598deaf913c4435

Result

Verdict:

MALICIOUS

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-12-26T17:46:00Z UTC

Last seen:

2025-12-26T20:11:00Z UTC

Hits:

~100

Detections:

Trojan-PSW.Win64.StealC.sb Trojan-PSW.Win32.Lumma.zhu Trojan-PSW.Lumma.HTTP.C&C Trojan.Win64.Agent.sb

Link:

https://opentip.kaspersky.com/25898b0dc0f534749343909080cfad7f06c342474901652a3598deaf913c4435/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/bf60c456-211b-406e-b605-7b702fb992d0

Result

Threat name:

Stealc v2

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1840034

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Early bird code injection technique detected

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses string decryption to hide its real strings

Suricata IDS alerts for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Unusual module load detection (module proxying)

Writes to foreign memory regions

Yara detected Stealc v2

Behaviour

Behavior Graph:

Download SVG

Score:

61%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/25898b0dc0f534749343909080cfad7f06c342474901652a3598deaf913c4435

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/92992ba222c052e96af7eb1c365917cb

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/25898b0dc0f534749343909080cfad7f06c342474901652a3598deaf913c4435/

Verdict:

Malicious

Threat:

Family.STEALC

Link:

https://tip.neiki.dev/file/25898b0dc0f534749343909080cfad7f06c342474901652a3598deaf913c4435

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2025-12-26 20:23:17 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

12 of 38 (31.58%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=eweywdoa6u2hje2dsciibt5np4dmgqshjeawkkrvtdpk7ej4iq2q._file

Verdict:

malicious

Label(s):

stealc

Similar samples:

error

Stealc

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:stealc family:xmrig botnet:test1 defense_evasion discovery execution miner persistence spyware stealer upx

Link:

https://tria.ge/reports/251226-y58ckaxkbp/

Behaviour

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Launches sc.exe

Drops file in System32 directory

Suspicious use of SetThreadContext

UPX packed file

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Checks computer location settings

Creates new service(s)

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Stops running service(s)

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

XMRig Miner payload

Stealc

Stealc family

Xmrig family

xmrig

Malware Config

C2 Extraction:

http://217.156.122.82

Verdict:

Malicious

Tags:

Win.Malware.Wingo-9956994-0

YARA:

n/a

Link:

https://app.threat.zone/submission/913472df-fb10-4cef-8670-1abcb1631dca

Unpacked files

SH256 hash:

25898b0dc0f534749343909080cfad7f06c342474901652a3598deaf913c4435

MD5 hash:

92992ba222c052e96af7eb1c365917cb

SHA1 hash:

c9cd38ee6bda9b1b90349e71899b867b135d803e

Link:

https://www.unpac.me/results/da7dc3b7-e6c8-4028-b534-2bb6aee46417/

Malware family:

Stealc.v2

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/25898b0dc0f5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.46

Link:

https://yomi.yoroi.company/submissions/25898b0dc0f534749343909080cfad7f06c342474901652a3598deaf913c4435

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	dependsonpythonailib Create hunting rule
Author:	Tim Brown
Description:	Hunts for dependencies on Python AI libraries

Rule name:	DetectGoMethodSignatures Create hunting rule
Author:	Wyatt Tauber
Description:	Detects Go method signatures in unpacked Go binaries

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	Golangmalware Create hunting rule
Author:	Dhanunjaya
Description:	Malware in Golang

Rule name:	golang_binary_string Create hunting rule
Description:	Golang strings present

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	golang_duffcopy_amd64 Create hunting rule

Rule name:	Golang_Find_CSC846 Create hunting rule
Author:	Ashar Siddiqui
Description:	Find Go Signatuers

Rule name:	Golang_Find_CSC846_Simple Create hunting rule
Author:	Ashar Siddiqui
Description:	Find Go Signatuers

Rule name:	HiveRansomware Create hunting rule
Author:	Dhanunjaya
Description:	Yara Rule To Detect Hive V4 Ransomware

Rule name:	identity_golang Create hunting rule
Author:	Eric Yocam
Description:	find Golang malware

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	ProgramLanguage_Golang Create hunting rule
Author:	albertzsigovits
Description:	Application written in Golang programming language

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Suspicious_Golang_Binary Create hunting rule
Author:	Tim Machac
Description:	Triage: Golang-compiled binary with suspicious OS/persistence/network strings (not family-specific)