MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31294603a887756a97d1f8b3b5f8a0f3ece03907448ea717dfc8b4d017be5897. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 15


Intelligence 15 IOCs YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 31294603a887756a97d1f8b3b5f8a0f3ece03907448ea717dfc8b4d017be5897
SHA3-384 hash: 7c5ce08b347688262079d09eb9c47d45e0c4e0d55bdd30e362fc7dbc25579310e755791348af5eeb25e8cb4a9f3d6520
SHA1 hash: b463a00ffc61764a1d56f8246f17d61dbabcdc1a
MD5 hash: fd2aeca06b98f0ace7e801f7c3d7e31a
humanhash: july-beer-fix-beryllium
File name:file
Download: download sample
Signature Stealc
Create hunting rule
File size:1'699'448 bytes
First seen:2025-09-04 11:13:27 UTC
Last seen:2025-09-04 11:46:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c7269d59926fa4252270f407e4dab043 (45 x Hive, 23 x ServHelper, 22 x CobaltStrike)
ssdeep 24576:vP7kASe2Cc5Omk9UrueoLWErdJryg3kYoaIQFWCdhuF1r7TsdBIe1sQ+YxxrpHne:3lOlg/dJxR5IQJurEJqQ+F
Threatray 20 similar samples on MalwareBazaar
TLSH T12C757DD1FCCB60F1E51606324AB7A2AF3731F10A0731ADC3D944AEBEB9575D2192621E
gimphash f1083d4e7a502ff842543921ab1d12d7b2fcada2ea4398c65dc5fdd7e10a905f
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe Stealc


Avatar
Bitsight
url: http://178.16.55.189/files/8061402479/xO50QoO.exe

Intelligence

File Origin
# of uploads :
7
# of downloads :
83
Origin country :
PT PT
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
446da5a8447634fd4d4f8660253353f77c2c31a9e9ea6ad46b1bcedd39f70f95.exe
Verdict:
Malicious activity
Analysis date:
2025-09-04 10:19:59 UTC
Tags:
lumma stealer amadey auto redline botnet themida arch-exec auto-startup stealc vidar telegram rdp coinminer miner purelogs gcleaner loader autoit auto-reg
Link:
https://app.any.run/tasks/3e31972b-6190-45d5-90d3-f02f502f4863

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/25028/
Detection(s):
Win.Exploit.Deepscan-9951944-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68b97467eb163e0ec18450d6
Tags:
emotet crypt virus core
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Connection attempt
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
golang invalid-signature mingw obfuscated signed threat
Link:
https://www.filescan.io/uploads/68b974641c81c34281de5a2b/reports/126a9bc4-3786-4dda-81aa-1aa93ab1b008/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/31294603a887756a97d1f8b3b5f8a0f3ece03907448ea717dfc8b4d017be5897
Verdict:
Unknown
File Type:
exe x32
First seen:
2025-09-04T07:26:00Z UTC
Last seen:
2025-09-04T07:26:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/31294603a887756a97d1f8b3b5f8a0f3ece03907448ea717dfc8b4d017be5897/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/d39ca9f9-218f-4cc5-b8ec-c686632e6aaf
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/31294603a887756a97d1f8b3b5f8a0f3ece03907448ea717dfc8b4d017be5897
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/fd2aeca06b98f0ace7e801f7c3d7e31a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/31294603a887756a97d1f8b3b5f8a0f3ece03907448ea717dfc8b4d017be5897/
Threat name:
Win32.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-09-04 11:14:30 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
19 of 38 (50.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=geuuma5iq52wvf6r7cz3l6fa6pwoaoihishkof67zc2naf56lclq._file
Verdict:
malicious
Label(s):
stealc
Create hunting rule
Similar samples:
244807fd2a661a53498aff35f940dea0caea6dcc8d1244af8c5cce268d23c117
Stealc
4915ca57422d37e562a3e6daa22fd83b82df90032358e28552f56776ce5fce00
Stealc
4bef6f8cef8f5d75ead900b2ea1a3c8fd39aa705a9bb8a66e4e0229ccdcdd5cb
Stealc
70ae293eb1c023d40a8a48d6109a1bf792e1877a72433bcc89613461cffc7b61
Stealc
97c8d58eeef8b92cfee45f5b4a048b827cd94766ab3c96845cb54a109842137c
Stealc
b3fe4cebd7999dfe15f9469154add7ebfc7e4fad581b85a3d0364b54175cbdf3
Stealc
error
Stealc
f524e296af6c4b3344c749efe2afb6be33701942e78228c6ae45acd8e4a6237d
Stealc
+ 10 additional samples on MalwareBazaar
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:stealc botnet:prol discovery spyware stealer
Link:
https://tria.ge/reports/250904-nbpy1s1jz5/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Stealc
Stealc family
Malware Config
C2 Extraction:
http://80.253.249.225
Verdict:
Malicious
Tags:
Win.Exploit.Deepscan-9951944-0
YARA:
n/a
Link:
https://app.threat.zone/submission/a6f9fcb6-37b0-49a1-b170-62dfa7746df5
Unpacked files
SH256 hash:
31294603a887756a97d1f8b3b5f8a0f3ece03907448ea717dfc8b4d017be5897
MD5 hash:
fd2aeca06b98f0ace7e801f7c3d7e31a
SHA1 hash:
b463a00ffc61764a1d56f8246f17d61dbabcdc1a
Link:
https://www.unpac.me/results/2d302306-dbfa-4ca2-9ee1-d1f99cd7e22e/
SH256 hash:
d5d2051b36a0428dec7b77feff62d95f488b6ea2fa752ab81c71c8837dababd6
MD5 hash:
07a5033927d3c293cf743117c8a54b93
SHA1 hash:
3bece93e777f7763f1ddb606b54df787b7662524
Link:
https://www.unpac.me/results/2d302306-dbfa-4ca2-9ee1-d1f99cd7e22e/
SH256 hash:
2c4651a093a276841935a5b85856ee323d618a60d02162517c9f828c5e3e686d
MD5 hash:
fc1c04e172f708bcfdcaac1d723703bc
SHA1 hash:
12b2a6fc9e88ceba38c90d3a39e09315f1ab93a7
Link:
https://www.unpac.me/results/2d302306-dbfa-4ca2-9ee1-d1f99cd7e22e/
SH256 hash:
8be0e424a0cfd53bbc45056cf5ae85457f088fe68fc6c243b296c6ac19f7ecc3
MD5 hash:
2b1fcc019f60f98903e201d5f16f815e
SHA1 hash:
8343ffe13ef1f35b035dbe65074fe3a330d022e9
Detections:
stealc
Create hunting rule
Link:
https://www.unpac.me/results/2d302306-dbfa-4ca2-9ee1-d1f99cd7e22e/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/31294603a887/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/31294603a887756a97d1f8b3b5f8a0f3ece03907448ea717dfc8b4d017be5897

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe 31294603a887756a97d1f8b3b5f8a0f3ece03907448ea717dfc8b4d017be5897

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/25028/
  
URLhaus
https://urlhaus.abuse.ch/url/3615935/

Comments