MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 423b1dbb76e3a758ea0af0729c743f37379be98e05e5cc5e79b9fa97b6c84e38. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SVCStealer

Vendor detections: 18

Intelligence 18 IOCs YARA 19 File information Comments

SHA256 hash:	423b1dbb76e3a758ea0af0729c743f37379be98e05e5cc5e79b9fa97b6c84e38
SHA3-384 hash:	94838d87e7ba59edd7c395e3f253bdbebd2e8243031e6a5e04acb93f8cc7248b6f9f84736068b0d7c4e0e1f8017194f2
SHA1 hash:	ed6a71bbc4b6d745e56ad2654ada27af3bda8cd9
MD5 hash:	0ccecc187c92f73839897b0f48c68ecd
humanhash:	quebec-mango-river-orange
File name:	TikTok Bot 1.2.exe
Download:	download sample
Signature	SVCStealer Create hunting rule
File size:	3'066'880 bytes
First seen:	2025-12-31 02:31:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	5175da4b99d292f751a152b8e78310d6 (1 x SVCStealer)
ssdeep	49152:FQ8FDjWJAfPVHCpheENndry4dAgbWZ4dAgbJ16OkGxmz7EA:PeBmNOo
TLSH	T114E56C5AA6A500F8D1A7C178CA52C927E7B27C1617709ADB03D08E573F27BE15E3E720
TrID	48.7% (.EXE) Win64 Executable (generic) (10522/11/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	BastianHein
Tags:	exe SVCStealer

Intelligence

File Origin

# of uploads :

# of downloads :

117

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

Stealc SvcStealer

Details

Stealc

decrypted strings, an RC4 key, c2 url, and url paths

Link:

https://research.acce.ciphertechsolutions.com/results/bfe2f231-f741-4232-961c-d694fe0030d3/

Malware family:

n/a

ID:

File name:

_423b1dbb76e3a758ea0af0729c743f37379be98e05e5cc5e79b9fa97b6c84e38.exe

Verdict:

Malicious activity

Analysis date:

2025-12-31 02:31:34 UTC

Tags:

stealer stealc arch-doc auto-sch auto-reg svcstealer crypto-regex loader

Link:

https://app.any.run/tasks/e42a7a88-3871-4c24-9a1a-16f26cdbdd45

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Stealc

Link:

https://www.capesandbox.com/analysis/46625/

Detection(s):

Win.Malware.Marte-10045369-0

Win.Malware.Phil-10045361-0

Win.Malware.Generickdz-10058619-0

ditekSHen.INDICATOR.Packed.TriumphLoader.UNOFFICIAL

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69548afae148d42004de0a66

Tags:

autorun emotet

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug anti-vm base64 clipbanker cmd evasive explorer fingerprint hacktool infostealer keylogger lolbin meterpreter microsoft_visual_cc neshta schtasks stealc stealer unsafe virus windows

Link:

https://www.filescan.io/uploads/69548af77d55b68cb20c917b/reports/2a6193ef-119a-49e9-b530-9c1444df45a7/overview

Verdict:

Malicious

Labled as:

Lazy.Generic

Link:

https://www.hybrid-analysis.com/sample/423b1dbb76e3a758ea0af0729c743f37379be98e05e5cc5e79b9fa97b6c84e38

Result

Gathering data

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-12-29T13:33:00Z UTC

Last seen:

2025-12-30T17:07:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Banker.Win32.ClipBanker.gen HEUR:HackTool.Win32.Inject.heur Backdoor.Win32.Androm Trojan-PSW.Win64.StealC.sb Trojan-PSW.Win32.Stealer.sb VHO:Trojan-PSW.Win32.StealC.gen Trojan-Spy.Stealer.TCP.C&C Trojan-Spy.Agent.HTTP.C&C Trojan-Banker.Win32.ClipBanker.sb Trojan.Gatak.TCP.C&C Trojan.Win32.Vimditator.sb Trojan-PSW.Win32.Pycoon.sb Trojan-PSW.Lumma.HTTP.C&C Trojan-Banker.Win32.ClipBanker.agqq Trojan.Win32.Gatak.gog VHO:Trojan-PSW.Win32.Convagent.gen Trojan-Spy.Stealer.HTTP.C&C Trojan-Dropper.Win32.Injector.sb Trojan-PSW.Win32.StealC.v2 Trojan.Win32.Agent.sb Trojan-Dropper.Win32.Dapato.sb PDM:Trojan.Win32.Generic MEM:Trojan.Win32.Cometer.gen

Link:

https://opentip.kaspersky.com/423b1dbb76e3a758ea0af0729c743f37379be98e05e5cc5e79b9fa97b6c84e38/results?tab=lookup

Malware family:

SvcStealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c6a72e91-37e8-4136-ba30-7b412acd6fa8

Score:

88%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/423b1dbb76e3a758ea0af0729c743f37379be98e05e5cc5e79b9fa97b6c84e38

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/0ccecc187c92f73839897b0f48c68ecd

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/423b1dbb76e3a758ea0af0729c743f37379be98e05e5cc5e79b9fa97b6c84e38/

Verdict:

Malicious

Threat:

Family.STEALC

Link:

https://tip.neiki.dev/file/423b1dbb76e3a758ea0af0729c743f37379be98e05e5cc5e79b9fa97b6c84e38

Threat name:

Win64.Trojan.StealC

Status:

Malicious

First seen:

2025-12-29 19:21:45 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

19 of 36 (52.78%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ii5r3o3w4otvr2qk6bzjy5b7g43zx2moaxs4yxtzxh5jpnwijy4a._file

Verdict:

malicious

Label(s):

stealc

Similar samples:

error

SVCStealer

Gathering data

Verdict:

Malicious

Tags:

red_team_tool meterpreter Win.Malware.Marte-10045369-0

YARA:

HKTL_Meterpreter_inMemory

Link:

https://app.threat.zone/submission/75e3df16-3709-4fac-be85-52f20b54c768

Unpacked files

SH256 hash:

f4bb5c357a626d4ceb939ab31b2768bcdc2b56f73ad90ce1202cb1ac699d5847

MD5 hash:

12bf7b851ac14dbf9f693f280058ded6

SHA1 hash:

5ba33045ab201e90086b30da870d31a482c6f2e7

Detections:

ReflectiveLoader

INDICATOR_SUSPICIOUS_ReflectiveLoader

Link:

https://www.unpac.me/results/23f3e176-0a74-4742-815e-e0f67f0b9d77/

Parent samples :

13ce5c118a3fbf487bafcabed33baf036c4d52cf9d86aa96ee5b3fd12b466d6d
423b1dbb76e3a758ea0af0729c743f37379be98e05e5cc5e79b9fa97b6c84e38

SH256 hash:

db97469f188030406f4923ff6303d8398b88db40e0c735abe79e03bc3b1d5ee2

MD5 hash:

e3dbac3ce13574235cb6d0ea96b89587

SHA1 hash:

50c2f7edaadd28229909b76bf5d2148af1c60370

Detections:

ReflectiveLoader

INDICATOR_SUSPICIOUS_ReflectiveLoader

Link:

https://www.unpac.me/results/23f3e176-0a74-4742-815e-e0f67f0b9d77/

SH256 hash:

423b1dbb76e3a758ea0af0729c743f37379be98e05e5cc5e79b9fa97b6c84e38

MD5 hash:

0ccecc187c92f73839897b0f48c68ecd

SHA1 hash:

ed6a71bbc4b6d745e56ad2654ada27af3bda8cd9

Link:

https://www.unpac.me/results/23f3e176-0a74-4742-815e-e0f67f0b9d77/

Malware family:

Stealc.v2

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/423b1dbb76e3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/423b1dbb76e3a758ea0af0729c743f37379be98e05e5cc5e79b9fa97b6c84e38

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_Dlls Create hunting rule

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	grakate_stealer_nov_2021 Create hunting rule

Rule name:	Heuristics_ChromeABE Create hunting rule
Author:	Still
Description:	attempts to match instructions related to Chrome App-bound Encryption elevation service; possibly spotted amongst infostealers

Rule name:	HKTL_Meterpreter_inMemory Create hunting rule
Author:	netbiosX, Florian Roth
Description:	Detects Meterpreter in-memory
Reference:	https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/

Rule name:	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs Create hunting rule
Author:	ditekSHen
Description:	Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL Create hunting rule
Author:	ditekSHen
Description:	Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Rule name:	INDICATOR_SUSPICIOUS_References_SecTools Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many IR and analysis tools

Rule name:	INDICATOR_SUSPICIOUS_ReflectiveLoader Create hunting rule
Author:	ditekSHen
Description:	Detects Reflective DLL injection artifacts

Rule name:	Macos_Infostealer_Wallets_8e469ea0 Create hunting rule
Author:	Elastic Security

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	ReflectiveLoader Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:	Internal Research

Rule name:	StealcV2 Create hunting rule
Author:	Still
Description:	attempts to match the instructions found in StealcV2

Rule name:	StealcV2 Create hunting rule
Author:	kevoreilly
Description:	Stealc V2 Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/46625/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample