MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f3d8bf8174044b548617536c952f5c8ed96896fc7252ae8fd260279cca8471f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SantaStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 12 File information Comments

SHA256 hash:	2f3d8bf8174044b548617536c952f5c8ed96896fc7252ae8fd260279cca8471f
SHA3-384 hash:	0d78ed024fdaea070c2fc65bf464c0c850f2c6b3541f75afa54afc66b82669942461fd01ed5fde5a01f9650658bcf585
SHA1 hash:	eb8a4c27abbf526ee88d6780b0c0758847e1f6f8
MD5 hash:	e8eb6cb596e6c89e2f64d258d92706d5
humanhash:	sink-social-rugby-nineteen
File name:	2f3d8bf8174044b548617536c952f5c8ed96896fc7252ae8fd260279cca8471f
Download:	download sample
Signature	SantaStealer Create hunting rule
File size:	4'469'760 bytes
First seen:	2026-03-27 20:54:13 UTC
Last seen:	2026-03-31 05:01:44 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	706cbcaa5f85f4fbb9221e2958d5bf6d (1 x SantaStealer)
ssdeep	98304:T4u/dBp6QRmDXMlSjHPOn3RxjHNqJUjv:TZFCDPQtqOv
TLSH	T16E268D27E2A360FCC56BC1709747A632FA31B8490534BDAF4694CB313F62E605B6DB64
TrID	45.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 18.0% (.EXE) Win64 Executable (generic) (6522/11/2) 13.9% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.6% (.ICL) Windows Icons Library (generic) (2059/9) 5.6% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	Neiki
Tags:	ClickFix exe SantaStealer stealer

Intelligence

File Origin

# of uploads :

# of downloads :

186

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

https://github.app916842.com/

Verdict:

Malicious activity

Analysis date:

2026-03-27 20:45:15 UTC

Tags:

susp-clipboard clickfix stealer santastealer loader telegram

Link:

https://app.any.run/tasks/648420fc-7024-4819-9a2c-4e013c4a61c8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/59555/

Detection(s):

YARA.RUSSIANPANDA_Win_Mal_Chromium_App_Bound_Encryption_Decrypter.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69c6edb5390b996474145a50

Tags:

infosteal phishing emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Sending an HTTP GET request

Connection attempt to an infection source

Sending an HTTP POST request to an infection source

Сreating synchronization primitives

Creating a file in the %temp% directory

Launching a process

Creating a file in the %AppData% subdirectories

Creating a process with a hidden window

Loading a suspicious library

Creating a window

Reading critical registry keys

Changing a file

DNS request

Connection attempt

Unauthorized injection to a recently created process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Stealing user critical data

Query of malicious DNS domain

Sending a TCP request to an infection source

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug base64 crypto crypto expand fingerprint hacktool infostealer krypt lolbin overlay packed packed rundll32

Link:

https://www.filescan.io/uploads/69c6eeb7e2df9aa488bb37dc/reports/63f0958b-bceb-406b-a766-1ef84a890799/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/2f3d8bf8174044b548617536c952f5c8ed96896fc7252ae8fd260279cca8471f

Verdict:

Malicious

File Type:

exe x64

First seen:

2026-03-21T14:10:00Z UTC

Last seen:

2026-03-29T17:29:00Z UTC

Hits:

~100

Detections:

Trojan-Spy.Win32.SpyEyes Trojan-PSW.Win32.Vidar.sb VHO:Trojan-Banker.Win32.ClipBanker.gen Trojan-PSW.Win32.Pycoon.sb Trojan-PSW.MSIL.Stealer.sb Trojan-Dropper.Win32.Injector.sb VHO:Trojan-Banker.Win32.ClipBanker.ahxr Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Lumma.sb Trojan-Banker.Win32.ClipBanker.sb Trojan.Win64.Agent.sb Trojan.Win32.Udochka.sb Trojan.Win32.Inject.sb PDM:Trojan.Win32.Generic Backdoor.Win32.Androm.sb Trojan-PSW.Win32.Lumma.abug Trojan-Banker.Win32.ClipBanker.ahxr Trojan-PSW.Win32.Greedy.sb Trojan-PSW.Stealer.HTTP.C&C Trojan.Win32.DLLhijack.sb Trojan-PSW.Win32.Coins.sb

Link:

https://opentip.kaspersky.com/2f3d8bf8174044b548617536c952f5c8ed96896fc7252ae8fd260279cca8471f/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/5921e094-ba95-4db3-8722-c84a5719fb13

Score:

98%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/2f3d8bf8174044b548617536c952f5c8ed96896fc7252ae8fd260279cca8471f

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2f3d8bf8174044b548617536c952f5c8ed96896fc7252ae8fd260279cca8471f/

Verdict:

Malicious

Threat:

Family.SANTASTEALER

Link:

https://tip.neiki.dev/file/2f3d8bf8174044b548617536c952f5c8ed96896fc7252ae8fd260279cca8471f

Threat name:

Win64.Hacktool.PSWDump

Status:

Malicious

First seen:

2026-03-22 01:30:26 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

22 of 36 (61.11%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=f46yx6axibclksdbou3msuxvzdwznclpy4ssv2h5eybhttfii4pq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

credential_access discovery persistence spyware stealer

Link:

https://tria.ge/reports/260327-zqk46adz31/

Behaviour

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Browser Information Discovery

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Checks computer location settings

Credentials from Password Stores: Windows Credential Manager

Loads dropped DLL

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

2f3d8bf8174044b548617536c952f5c8ed96896fc7252ae8fd260279cca8471f

MD5 hash:

e8eb6cb596e6c89e2f64d258d92706d5

SHA1 hash:

eb8a4c27abbf526ee88d6780b0c0758847e1f6f8

Link:

https://www.unpac.me/results/712db6bd-3978-4af3-bacf-43d422a4e32c/

SH256 hash:

cf0c14da713bd05284beb4aec55498c7e38425dc53f36963cd6fdbc21626c9ba

MD5 hash:

883cb0af93a2cec29c9500c2cc9cdd85

SHA1 hash:

71f2edec1eda8271f3b2f896de556bbdc176d0b3

Detections:

ReflectiveLoader

INDICATOR_SUSPICIOUS_ReflectiveLoader

INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

Link:

https://www.unpac.me/results/712db6bd-3978-4af3-bacf-43d422a4e32c/

Parent samples :

2f3d8bf8174044b548617536c952f5c8ed96896fc7252ae8fd260279cca8471f
cf0c14da713bd05284beb4aec55498c7e38425dc53f36963cd6fdbc21626c9ba

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/2f3d8bf81740/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	ReflectiveLoader Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:	Internal Research

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE Create hunting rule
Author:	CYFARE
Description:	Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:	https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Link

https://www.threat.rip/file/2f3d8bf8174044b548617536c952f5c8ed96896fc7252ae8fd260279cca8471f

Cape

https://www.capesandbox.com/analysis/59555/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample