MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 398f1498fb4f6a3d5d6f78f36ccefeb5ecf8031b83ba6e89a84274e2b504822e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FrostStealer


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 398f1498fb4f6a3d5d6f78f36ccefeb5ecf8031b83ba6e89a84274e2b504822e
SHA3-384 hash: 4b8f652873fce562b083c13850b8799f54e29f7c4867031eda74d3b890a057b8837b37287e241b11eaf527ba17340668
SHA1 hash: b6b66d24cb794e4cf857f4e11afc13867df47fca
MD5 hash: aa9698432a220ef4bcbfeff597a98479
humanhash: tango-friend-spring-idaho
File name:discordidtools.exe
Download: download sample
Signature FrostStealer
Create hunting rule
File size:95'853'113 bytes
First seen:2026-03-16 13:35:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9eba512b03d8cac8a6c4424e25e9f06e (5 x FrostStealer, 2 x MythStealer)
ssdeep 1572864:lVDG5MiP2aVxUXcg/2KD/VJQ0gN1+BTrDudzaixe:lVDG5NVycgLbQ0gN1hdxo
TLSH T1E128E01663E112A6D577D138C79BA203EB72B40723309BDF729C03652F63AE45E7A760
TrID 51.9% (.EXE) Win64 Executable (generic) (6522/11/2)
16.1% (.EXE) OS/2 Executable (generic) (2029/13)
15.9% (.EXE) Generic Win/DOS Executable (2002/3)
15.9% (.EXE) DOS Executable (generic) (2000/1)
Magika pebin
Reporter burger
Tags:exe FrostStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
193
Origin country :
NL NL
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/7d60515b-949b-41d5-8126-93e70468b603/
Malware family:
n/a
ID:
1
File name:
discordidtools.exe
Verdict:
Malicious activity
Analysis date:
2026-03-16 13:35:30 UTC
Tags:
nodejs
Link:
https://app.any.run/tasks/ec8b7873-40dc-4bca-bd43-cfe4eae2826e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69b8072893b644ca466a9655
Tags:
shell virus sage
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %temp% subdirectories
Creating a file
DNS request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
microsoft_visual_cc overlay packed packed pkg
Link:
https://www.filescan.io/uploads/69b80765493cb7d62d000081/reports/5fe603bb-e08b-4ceb-852d-04440ba661c4/overview
Verdict:
Malicious
Labled as:
Trojan.Win64.GenPsw
Link:
https://www.hybrid-analysis.com/sample/398f1498fb4f6a3d5d6f78f36ccefeb5ecf8031b83ba6e89a84274e2b504822e
Verdict:
Malicious
File Type:
exe x64
Detections:
Trojan.Win64.Agentb.lhnm
Link:
https://opentip.kaspersky.com/398f1498fb4f6a3d5d6f78f36ccefeb5ecf8031b83ba6e89a84274e2b504822e/results?tab=lookup
Result
Threat name:
Frost Stealer
Create hunting rule
Detection:
malicious
Classification:
expl.evad.troj.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1884270
Signature
Bypasses PowerShell execution policy
Excessive usage of taskkill to terminate processes
Gathers network related connection and port information
Loading BitLocker PowerShell Module
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive system registry key value via command line tool
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potential WinAPI Calls Via CommandLine
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Unusual module load detection (module proxying)
Uses cmd line tools excessively to alter registry or file data
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Uses netstat to query active network connections and open ports
Yara detected Frost Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1884270 Sample: discordidtools.exe Startdate: 16/03/2026 Architecture: WINDOWS Score: 100 59 c42m1ebfwkrgc7gd.frostapiv2.com 2->59 61 www.myexternalip.com 2->61 63 ip-api.com 2->63 71 Suricata IDS alerts for network traffic 2->71 73 Yara detected Frost Stealer 2->73 75 Sigma detected: Dot net compiler compiles file from suspicious location 2->75 77 Sigma detected: Potential WinAPI Calls Via CommandLine 2->77 10 discordidtools.exe 1002 2->10         started        signatures3 process4 dnsIp5 65 c42m1ebfwkrgc7gd.frostapiv2.com 104.21.25.174, 443, 49698, 49701 CLOUDFLARENETUS United States 10->65 67 ip-api.com 208.95.112.1, 49700, 80 TUT-ASUS United States 10->67 69 www.myexternalip.com 34.160.111.145, 443, 49697, 49699 ATGS-MMD-ASUS United States 10->69 51 ddb3bc82f27aee8989...ae76b36a2d3c33a2842, PE32 10->51 dropped 53 c1aac5adba9aae89ea...f03b6d49a8d52d82b2b, PE32+ 10->53 dropped 55 b9a7b76665d92af2d9...0bd1f83c4c4449cd442, PE32+ 10->55 dropped 57 66 other files (none is malicious) 10->57 dropped 81 Suspicious powershell command line found 10->81 83 Uses cmd line tools excessively to alter registry or file data 10->83 85 Excessive usage of taskkill to terminate processes 10->85 87 3 other signatures 10->87 15 cmd.exe 10->15         started        18 cmd.exe 10->18         started        20 cmd.exe 10->20         started        22 77 other processes 10->22 file6 signatures7 process8 signatures9 89 Uses cmd line tools excessively to alter registry or file data 15->89 91 Bypasses PowerShell execution policy 15->91 93 Uses netstat to query active network connections and open ports 15->93 103 3 other signatures 15->103 24 powershell.exe 15->24         started        95 Queries sensitive system registry key value via command line tool 18->95 28 conhost.exe 18->28         started        30 reg.exe 18->30         started        97 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 20->97 99 Excessive usage of taskkill to terminate processes 20->99 32 taskkill.exe 20->32         started        101 Loading BitLocker PowerShell Module 22->101 34 conhost.exe 22->34         started        36 chcp.com 22->36         started        38 conhost.exe 22->38         started        40 99 other processes 22->40 process10 file11 47 C:\Users\user\AppData\...\ngg32wwy.cmdline, Unicode 24->47 dropped 79 Queries memory information (via WMI often done to detect virtual machines) 24->79 42 csc.exe 24->42         started        signatures12 process13 file14 49 C:\Users\user\AppData\Local\...\ngg32wwy.dll, PE32 42->49 dropped 45 cvtres.exe 42->45         started        process15
Score:
89%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/398f1498fb4f6a3d5d6f78f36ccefeb5ecf8031b83ba6e89a84274e2b504822e
Gathering data
Verdict:
Malicious
Threat:
Family.DOENERIUM
Link:
https://tip.neiki.dev/file/398f1498fb4f6a3d5d6f78f36ccefeb5ecf8031b83ba6e89a84274e2b504822e
Threat name:
Win64.Trojan.Etset
Create hunting rule
Status:
Malicious
First seen:
2026-03-15 10:13:19 UTC
File Type:
PE+ (Exe)
Extracted files:
8
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hghrjgh3j5vd2xlppdzwztx6wxwpqay3qo5g5cniij2ofnieqixa._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer
Link:
https://tria.ge/reports/260316-qwkadaay4r/
Behaviour
Checks processor information in registry
Gathers network information
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Browser Information Discovery
Event Triggered Execution: Netsh Helper DLL
Hide Artifacts: Ignore Process Interrupts
Enumerates processes with tasklist
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments