MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d86d5764d4e04e931c0cb222a1c79bc2a6213de1d01bd58a89d6cc9a6f55ce0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Stealc
Vendor detections: 16


SHA256 hash: 2d86d5764d4e04e931c0cb222a1c79bc2a6213de1d01bd58a89d6cc9a6f55ce0
SHA3-384 hash: 385df11497d460544b25bcf6179cbe9c171e93b5da2c3f8d39dfbafc9674ed654013001dd10f4f8daddfe12219e3f925
SHA1 hash: fb49c22f9a9fa2176ffafcd424fc1a9d47887ff6
MD5 hash: 7b6771b140f8241ea207be008e5638e6
humanhash: undress-venus-london-magazine
File name: file
Signature: Stealc
File size: 253'952 bytes
First seen: 2026-01-28 12:28:46 UTC
Last seen: 2026-01-28 18:56:28 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6ed4f5f04d62b18d96b26d6db7c18840 (332 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep: 6144:74vDjIylF3HxOVZYuq/PRom4yLutWKpNFtRlwMd/spTHxK:74vQylBHxKaX/PRN4vWK3FPld/qHx
TLSH: T1E044239EE91CC87EC893ECFD23E5941571DAB09033E8F6CD445F82E010EBA676E54829
TrID:
  52.7% (.EXE) UPX compressed Win32 Executable (27066/9/6)
  12.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  9.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
  8.7% (.EXE) Win32 Executable (generic) (4504/4/1)
  4.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
Reporter: Bitsight
Tags: dropped-by-amadey exe fbf543 Stealc UPX


Bitsight (reporter comment):
url: http://130.12.180.43/files/drum/monk.exe
File size (compressed): 253'952 bytes
File size (de-compressed): 607'744 bytes
Format: win32/pe
Unpacked file: 8d1a0d68b7544de045948605b1afca727e2fb0281564c0ed8c10c0989b71f632

Intelligence

File Origin
# of uploads: 34
# of downloads: 141
Origin country: US
Vendor Threat Intelligence

Malware configuration found for: PEPacker, Stealc
Details:
PEPacker: a UPX version number and an unpacked binary
Stealc: decrypted strings, an RC4 key, c2 url, url paths, and possibly a missionid and a separate network RC4 key

Malware family: n/a
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2026-01-28 12:29:25 UTC
Tags: stealer stealc upx

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 94.9%
Tags: packed crypt hype
Result
Verdict: Clean
Maliciousness:
Behaviour
Creating synchronization primitives
Connecting to a non-recommended domain
Connection attempt
Sending an HTTP POST request
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug fingerprint microsoft_visual_cc packed packed packed swrort upx
Verdict: Malicious
Labelled as: Shellcode.Loader.Marte.X.Generic
Result
Verdict: Malicious
File Type: exe x32
Detections: Trojan-PSW.Win64.StealC.sb Trojan-PSW.Win32.StealC.v2
Verdict: malicious
Label(s):
Similar samples:
Result
Malware family:
Score: 10/10
Tags: family:stealc botnet:mastest discovery spyware stealer upx
Behaviour
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Stealc
Stealc family
Malware Config
C2 Extraction: http://94.26.90.74
Unpacked files
SHA256 hash: 2d86d5764d4e04e931c0cb222a1c79bc2a6213de1d01bd58a89d6cc9a6f55ce0
MD5 hash: 7b6771b140f8241ea207be008e5638e6
SHA1 hash: fb49c22f9a9fa2176ffafcd424fc1a9d47887ff6

SHA256 hash: 8d1a0d68b7544de045948605b1afca727e2fb0281564c0ed8c10c0989b71f632
MD5 hash: d26bf8ace0dbd944e14016f6a1e03c50
SHA1 hash: b6484623cc91ff7c075bd9e86e9ac81a31489c6e
Detections: win_stealc_auto stealc
Malware family: Stealc.v2
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping malware through a base64 encoded PowerShell script.

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: HeavensGate
Author: kevoreilly
Description: Heaven's Gate: Switch from 32-bit to 64-bit mode

Rule name: Heuristics_ChromeABE
Author: Still
Description: attempts to match instructions related to Chrome App-bound Encryption elevation service; possibly spotted amongst infostealers

Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value

Rule name: RANSOMWARE
Author: ToroGuitar

Rule name: StealcV2
Author: kevoreilly
Description: Stealc V2 Payload

Rule name: suspicious_PEs
Author: txc
Description: This rule detects suspicious PE files based on high entropy and a low number of imported DLLs. This behaviour indicates packed files or files that hide their true intention.

Rule name: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu

Rule name: upx_largefile
Author: k3nr9

Rule name: Windows_Trojan_Stealc_41db1d4d
Author: Elastic Security

Rule name: win_stealc_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.stealc.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Stealc
Executable exe 2d86d5764d4e04e931c0cb222a1c79bc2a6213de1d01bd58a89d6cc9a6f55ce0 (this sample)
Dropped by: Amadey
Delivery method: Distributed via web download
