MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31b9e19854e307d2aad542cdf7094319b0dfc67b3f1da9ae3205fb43a6422136. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 31b9e19854e307d2aad542cdf7094319b0dfc67b3f1da9ae3205fb43a6422136
SHA3-384 hash: d4d1473e6ca4f3971ed5d1036df66a213a1d88dad808a8c48d31e889d632ab321754b7d9b3272405d4020ed345b7a9eb
SHA1 hash: 71089ead6d39b056cfc71ad83932b1129df7fabc
MD5 hash: d6dac6e34fd6e2a1669885a58675dfad
humanhash: moon-glucose-winter-london
File name:FreeFiles_20251223151217.zip
Download: download sample
Signature Stealc
Create hunting rule
File size:9'842'382 bytes
First seen:2025-12-23 15:03:13 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 196608:R11GeA+L1HHbfnCGOTfz72ZT7Qwz65ZgzP60yWpucws0rtqUru:R79A+VbqGODzCxHzQZehyvAeqUru
TLSH T1FAA6330BFFE3900D0E6D48E8C355B988141FCE6DBE4749929FD782AAF793B4109E9056
TrID 66.6% (.FB2K-COMPONENT) foobar2000 component (8000/1/2)
33.3% (.ZIP) ZIP compressed archive (4000/1)
Magika zip
Reporter aachum
Tags:146-103-104-211 Stealc zip


Avatar
iamaachum
https://182164372183.com/idown.php

Stealc C2: http://146.103.104.211/f999fb4b778f4b7a.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://146.103.104.211/f999fb4b778f4b7a.php https://threatfox.abuse.ch/ioc/1685149/

Intelligence

File Origin
# of uploads :
1
# of downloads :
33
Origin country :
ES ES
File Archive Information

This file archive contains 2 file(s), sorted by their relevance:

File name:WindowsCodecs.dll
File size:10'691'584 bytes
SHA256 hash: 59bcd32fd2003da92903196294d604047d2fe7384a194a95b4d4e6fc1fe20203
MD5 hash: 7fdd5cd187158d5e471eeaee8918cb47
MIME type:application/x-dosexec
Signature Stealc
File name:ExtractAll.exe
File size:3'286'680 bytes
SHA256 hash: 3b214fd9774c6d96332e50a501c5e467671b8b504070bbb17e497083b7e282c3
MD5 hash: 53cf9bacc49c034e9e947d75ffab9224
MIME type:application/x-dosexec
Signature Stealc
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/d1769f45-0be3-44cf-bbb0-9ae066b84caa/
Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=690a12f59942f1282ecbf5ee
Tags:
dropper virus blic
Result
Verdict:
Unknown
File Type:
PE File
Link:
https://app.docguard.net/31b9e19854e307d2aad542cdf7094319b0dfc67b3f1da9ae3205fb43a6422136/results/dashboard
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context anti-debug anti-vm evasive explorer fingerprint installer-heuristic lolbin microsoft_visual_cc mpcmdrun packed regedit signed
Link:
https://www.filescan.io/uploads/694aaf3884afa5547b5cdc1a/reports/d839c860-fd44-48c1-8698-ac1a44a8816d/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/31b9e19854e307d2aad542cdf7094319b0dfc67b3f1da9ae3205fb43a6422136
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/31b9e19854e307d2aad542cdf7094319b0dfc67b3f1da9ae3205fb43a6422136
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
File Type:
zip
First seen:
2025-12-23T12:55:00Z UTC
Last seen:
2025-12-23T16:11:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/31b9e19854e307d2aad542cdf7094319b0dfc67b3f1da9ae3205fb43a6422136/results?tab=lookup
Score:
73%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/31b9e19854e307d2aad542cdf7094319b0dfc67b3f1da9ae3205fb43a6422136
Verdict:
inconclusive
YARA:
3 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.52 Zip Archive
Link:
https://app.malva.re/file/d6dac6e34fd6e2a1669885a58675dfad
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/31b9e19854e307d2aad542cdf7094319b0dfc67b3f1da9ae3205fb43a6422136/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gg46dgcu4md5fkwvilg7ockddgyn7rt3h4o2tlrsax5uhjscee3a._file
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:stealc botnet:t1 stealer
Link:
https://tria.ge/reports/251223-t15cwswqgx/
Behaviour
Modifies registry class
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Stealc
Stealc family
Malware Config
C2 Extraction:
http://146.103.104.211
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.40
Link:
https://yomi.yoroi.company/submissions/31b9e19854e307d2aad542cdf7094319b0dfc67b3f1da9ae3205fb43a6422136

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:win32_dotnet_form_obfuscate
Create hunting rule
Author:Reedus0
Description:Rule for detecting .NET form obfuscate malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

zip 31b9e19854e307d2aad542cdf7094319b0dfc67b3f1da9ae3205fb43a6422136

(this sample)

Stealc

Executable exe 59bcd32fd2003da92903196294d604047d2fe7384a194a95b4d4e6fc1fe20203

  
Link
https://tria.ge/251223-r4j51stlb1/behavioral2
  
Delivery method
Distributed via web download
  
Dropping
SHA256 59bcd32fd2003da92903196294d604047d2fe7384a194a95b4d4e6fc1fe20203
  
Dropping
MD5 7fdd5cd187158d5e471eeaee8918cb47

Comments