MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 335745a62a1a76001543964ffbe247eb63881580ac4cda12d86a8c5363b93725. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 19


Intelligence 19 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 335745a62a1a76001543964ffbe247eb63881580ac4cda12d86a8c5363b93725
SHA3-384 hash: 225a5baa5ba9687582e8d6d2d001fb215a30e979ab181afce36197fd85abc2c426f2e3dd9bbfe8ccebf5f476cb4289a1
SHA1 hash: 715190879d70812e9f31c5025dba33a06a46eb24
MD5 hash: 37007c2c69626bc48c162e36d699a1bb
humanhash: september-edward-green-orange
File name:file
Download: download sample
Signature Stealc
Create hunting rule
File size:254'464 bytes
First seen:2025-12-15 22:13:36 UTC
Last seen:2025-12-15 23:18:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (337 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep 6144:O4PbJ2tlpEFWQ4i7rzz6TRy28VUMPDYORLZ0ElF/CPFALt:O4PbMcYarzCRd8VUMPMOVymYF+t
Threatray 107 similar samples on MalwareBazaar
TLSH T1F34423E16C2E853DDA243AFA823954E1FCF77A392EEBC8051F3D8510207A44E56F5958
TrID 52.7% (.EXE) UPX compressed Win32 Executable (27066/9/6)
12.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
9.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.EXE) Win32 Executable (generic) (4504/4/1)
4.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe fbf543 Stealc UPX


Avatar
Bitsight
url: http://178.16.55.189/files/come/random.exe
File size (compressed) :254'464 bytes
File size (de-compressed) :610'304 bytes
Format:win32/pe
Unpacked file: e227b9cdc0a443d25aa19acd194d1a580adb678ea0ac80a0628c378e209100ab

Intelligence

File Origin
# of uploads :
3
# of downloads :
105
Origin country :
US US
Vendor Threat Intelligence
Malware configuration found for:
PEPacker Stealc
Details
PEPacker
a UPX version number and an unpacked binary
Stealc
decrypted strings, an RC4 key, c2 url, and url paths
Link:
https://research.acce.ciphertechsolutions.com/results/6314082b-c875-4778-8c76-179d75b8db6a/
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2025-12-15 22:14:36 UTC
Tags:
stealer stealc upx
Link:
https://app.any.run/tasks/075c6dcb-643f-4d1e-a06b-b2a8631b4231

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Stealc
Create hunting rule
Link:
https://www.capesandbox.com/analysis/45157/
Detection(s):
Win.Malware.Marte-10045369-0
Create hunting rule

Win.Malware.Generickdz-10058619-0
Create hunting rule

ditekSHen.INDICATOR.Packed.TriumphLoader.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69408838ad11cfef330d866f
Tags:
cobalt packed crypt virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Connection attempt
Sending an HTTP POST request
DNS request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug fingerprint microsoft_visual_cc packed packed packed swrort upx
Link:
https://www.filescan.io/uploads/69408836e126b9ff43814946/reports/f731915f-66a7-4348-9ea3-f942e2d13899/overview
Verdict:
Malicious
Labled as:
Shellcode.Loader.Marte.X.Generic
Link:
https://www.hybrid-analysis.com/sample/335745a62a1a76001543964ffbe247eb63881580ac4cda12d86a8c5363b93725
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-15T19:28:00Z UTC
Last seen:
2025-12-16T12:08:00Z UTC
Hits:
~100
Detections:
Trojan-PSW.Win32.Lumma.yzi Trojan-PSW.Lumma.HTTP.C&C Trojan-PSW.Win64.StealC.sb Trojan-PSW.Win32.StealC.v2
Link:
https://opentip.kaspersky.com/335745a62a1a76001543964ffbe247eb63881580ac4cda12d86a8c5363b93725/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7f81c1b2-fff2-4a93-82ee-619f6b5c39cf
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/335745a62a1a76001543964ffbe247eb63881580ac4cda12d86a8c5363b93725
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/37007c2c69626bc48c162e36d699a1bb
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/335745a62a1a76001543964ffbe247eb63881580ac4cda12d86a8c5363b93725/
Verdict:
Malicious
Threat:
Family.STEALC
Link:
https://tip.neiki.dev/file/335745a62a1a76001543964ffbe247eb63881580ac4cda12d86a8c5363b93725
Threat name:
Win32.Trojan.ShellCodeRunner
Create hunting rule
Status:
Malicious
First seen:
2025-12-15 22:14:17 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
29 of 37 (78.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gnluljrkdj3aafkdszh7xysh5nryqfmavrgnuewynkgfgy5zg4sq._file
Verdict:
malicious
Label(s):
shellcode_loader_007
Create hunting rule
stealc
Create hunting rule
Similar samples:
20291af59067a9886fa2c749d711adc8c2ecf687a48611cbdfefe6b5ca0f583f
Stealc
2f977b90f9a83a87a6ce2f911abcba241de57757a862a1bd06b523e51a6bee08
Stealc
598ffd82d04b569216f966118d2674619d220d5240b491180f0b883f352c3519
Stealc
5f14beaba244bd8335e26210102783ffc5d7d49cae2a870342e9e911c26d0da8
Stealc
70dfe5d54ffa3a00287da91d36a9d1a3a19520276816505fa08875c14d8759c7
Stealc
73420694fb8c75bed7825d4074c596e681f36aa287efaddd60d7370e98abd740
Stealc
83863006b4dda98ef3dfdf417d11b099fec994d1886ce7e91c4e708e23bb2ba6
Stealc
b38e57dc8a718b9b9ecb84b8ad7c8fc11c5028e7b9f0eafc1591d5b58c9de9c2
Stealc
b95e69a846b41f56eb8e746b56dc85a98da5ed989411579bcda5af0b959f07e1
Stealc
bf9bb4e96fcb905e1a90c89388bf931829282ec8dffab7f7adeaff850940eab0
Stealc
error
Stealc
+ 97 additional samples on MalwareBazaar
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:stealc botnet:111 discovery spyware stealer upx
Link:
https://tria.ge/reports/251215-15q5ds1kdm/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Stealc
Stealc family
Malware Config
C2 Extraction:
http://5.101.83.50
Verdict:
Malicious
Tags:
trojan Win.Malware.Marte-10045369-0
YARA:
SUSP_Imphash_Mar23_3
Link:
https://app.threat.zone/submission/f44894a7-9d85-442b-acba-8de85c134774
Unpacked files
SH256 hash:
335745a62a1a76001543964ffbe247eb63881580ac4cda12d86a8c5363b93725
MD5 hash:
37007c2c69626bc48c162e36d699a1bb
SHA1 hash:
715190879d70812e9f31c5025dba33a06a46eb24
Link:
https://www.unpac.me/results/cea0971e-9c2c-484d-8cf6-0bd385390ed1/
SH256 hash:
a66055a1590c0531819a987b2b6e648e04e9611be34b172eeecfcc2b0f3a8b83
MD5 hash:
7d35d6a446d95fe0b0bccbfa03d73a1e
SHA1 hash:
bdc371c1cb59d1aeee486744985391b86deab09d
Link:
https://www.unpac.me/results/cea0971e-9c2c-484d-8cf6-0bd385390ed1/
Parent samples :
1d8cc65d36b53e94dff26e579d690b5a788393c96026a8689657de510ada2b81
dde0d05aa7f0843b643d6168f71881a7e7e4f0fa747ce6c09c25791ae60d30a9
c92d3b7961692f031863195786b6dbd7daff071635fc4622be6d50d6970ac531
83f96ebb903ce23ef34f3ad69ae98686d69153b3ca58baa197d728d63a14fc27
b554667949dc3847c3f04642b6c7b8d24948b72d5d3f0ee4ac656aa34a3dc8ed
26a730271fc63e71097339ae35df04983b59f8323136bd28e5dc58f1f5c2f64a
de0e5d92c8315b68338c60c01187cd7417f087bd64de4edfc4bf0bde605a5787
ccecedc198d957c06665e05f3f63fefb2bf8d4a2a583ec976b5924345b84c582
9b5a5c4b0f2fbb96698f76bb460eaa61cd7d49ebb1323fb149b54988c80ed725
6671046420956036fa3864b4fe5c85fb90be5b734eb76e01bf78d2aa7432ee06
dab139351043378ac9480e3498d90010c1c1feaff18e8475444f7c3bfdf30d9a
ff7a2d70fce940f6373c1647728386f390487797254d7bea8401dfadfd799c19
aeefae9a5162091ca000675cf8397bb7f4abc2e2589e6e2ae1f9f414c6a70bca
fadf382f638ed35457af48119e77e5da958463a31949b94a445f6548ef85f8bd
SH256 hash:
e227b9cdc0a443d25aa19acd194d1a580adb678ea0ac80a0628c378e209100ab
MD5 hash:
85c2c9e778a8860cf72623a4af0deb98
SHA1 hash:
75d6046211abd5bf8279905b7adb0b82923c0dd3
Detections:
stealc
Create hunting rule
Link:
https://www.unpac.me/results/cea0971e-9c2c-484d-8cf6-0bd385390ed1/
Parent samples :
e227b9cdc0a443d25aa19acd194d1a580adb678ea0ac80a0628c378e209100ab
335745a62a1a76001543964ffbe247eb63881580ac4cda12d86a8c5363b93725
Malware family:
Stealc.v2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/335745a62a1a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/335745a62a1a76001543964ffbe247eb63881580ac4cda12d86a8c5363b93725

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:Heuristics_ChromeABE
Create hunting rule
Author:Still
Description:attempts to match instructions related to Chrome App-bound Encryption elevation service; possibly spotted amongst infostealers
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:StealcV2
Create hunting rule
Author:kevoreilly
Description:Stealc V2 Payload
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:upx_largefile
Create hunting rule
Author:k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe 335745a62a1a76001543964ffbe247eb63881580ac4cda12d86a8c5363b93725

(this sample)

Stealc

Executable exe e227b9cdc0a443d25aa19acd194d1a580adb678ea0ac80a0628c378e209100ab

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3734302/
Cape
Cape
https://www.capesandbox.com/analysis/45157/
  
Dropping
SHA256 e227b9cdc0a443d25aa19acd194d1a580adb678ea0ac80a0628c378e209100ab
  
Dropping
MD5 85c2c9e778a8860cf72623a4af0deb98

Comments