MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3dc3ce7e513db3c3adba74b09d9894411eb98f05eb994d26a9e8ddc3381e5fa5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PerionStealer

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	3dc3ce7e513db3c3adba74b09d9894411eb98f05eb994d26a9e8ddc3381e5fa5
SHA3-384 hash:	bdb74566143a8e4d4df591a26465cbec68f6663c06fc9aab7dd3dc51b415eca4e9165b9874760b5ddeba03c7f0cd8e5d
SHA1 hash:	f950fa3ee7519796f081cfdd5cb57ff00a6d5f51
MD5 hash:	0587d81e599766600c95cf484effd684
humanhash:	gee-alaska-don-march
File name:	MyApp_1763304496248.exe
Download:	download sample
Signature	PerionStealer Create hunting rule
File size:	92'722'441 bytes
First seen:	2025-11-16 15:00:59 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1f23f452093b5c1ff091a2f9fb4fa3e9 (282 x GuLoader, 37 x RemcosRAT, 27 x VIPKeylogger)
ssdeep	1572864:VMcWl6joKX0rWup6yVsMwsunY0XY1wMHrnq57lWRi1WNgfJENMxgvv2aL6SESay:Vm6jdUWu8BM5QYPtLnq14iaNwgvaSEc
TLSH	T10B1833CAB671EA9DD1EE062442F214A9C14FC49B04C9AF778975627F49B8E09CC4F837
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	gta
Tags:	discord-grabber exe nodejs perion PerionStealer Rust

gta

Turkish new stealer (open 11/16/2025 )

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

MyApp_1763304496248.exe

Verdict:

Malicious activity

Analysis date:

2025-11-16 14:53:23 UTC

Tags:

anti-evasion crypto-regex generic stealer ims-api nodejs rust

Link:

https://app.any.run/tasks/c2535154-972c-4f8b-8fcb-d7731f7133cb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6919e564434cd67b17c2160f

Tags:

extens shell sage

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a file

Creating a window

Сreating synchronization primitives

Running batch commands

Creating a process with a hidden window

Launching a process

Using the Windows Management Instrumentation requests

DNS request

Connection attempt

Searching for the window

Creating a process from a recently created file

Searching for synchronization primitives

Unauthorized injection to a recently created process

Loading a suspicious library

Sending a custom TCP request

Creating a file in the %AppData% subdirectories

Moving a file to the %AppData% subdirectory

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

adaptive-context anti-debug blackhole fingerprint installer installer installer-heuristic microsoft_visual_cc nsis overlay

Link:

https://www.filescan.io/uploads/6919e8eea130a437f88eedfb/reports/20af7435-c137-4c51-bddd-ffb5fe076854/overview

Verdict:

Malicious

Labled as:

Malware_56.8

Link:

https://www.hybrid-analysis.com/sample/3dc3ce7e513db3c3adba74b09d9894411eb98f05eb994d26a9e8ddc3381e5fa5

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-11-16T12:11:00Z UTC

Last seen:

2025-11-16T14:49:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-GameThief.Win32.Steam.gen HEUR:Trojan-GameThief.JS.Steam.gen HEUR:Trojan.JS.KillProc.gen HEUR:HackTool.Win32.Injecter.gen HEUR:Trojan-PSW.Win32.Stealer.gen HEUR:Trojan-PSW.JS.Stealer.gen

Link:

https://opentip.kaspersky.com/3dc3ce7e513db3c3adba74b09d9894411eb98f05eb994d26a9e8ddc3381e5fa5/results?tab=lookup

Score:

81%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/3dc3ce7e513db3c3adba74b09d9894411eb98f05eb994d26a9e8ddc3381e5fa5

Gathering data

Verdict:

Malicious

Threat:

Trojan-PSW.JS.Stealer

Link:

https://tip.neiki.dev/file/3dc3ce7e513db3c3adba74b09d9894411eb98f05eb994d26a9e8ddc3381e5fa5

Threat name:

Win32.Trojan.ChromElevator

Status:

Malicious

First seen:

2025-11-16 14:53:24 UTC

File Type:

PE (Exe)

Extracted files:

5283

AV detection:

7 of 24 (29.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hxb447srhwz4hln2osyj3geuiepltdyf5omu2jvj5do4goa6l6sq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery

Link:

https://tria.ge/reports/251116-sh5ehayrhn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Enumerates processes with tasklist

Checks installed software on the system

Executes dropped EXE

Loads dropped DLL

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/ac1ece8d-b7f1-4f35-a2e5-d7f6b9df10e8

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

any.run

https://app.any.run/tasks/c2535154-972c-4f8b-8fcb-d7731f7133cb

Dropping

PerionMalware

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample