MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 432d81eea7e758df49927049f0e059fffd3a9188f94da3e1f0a49efdf7190ae7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Stealc
Vendor detections: 11



SHA256 hash: 432d81eea7e758df49927049f0e059fffd3a9188f94da3e1f0a49efdf7190ae7
SHA3-384 hash: 4f33b2f425c3949649c4932f6e25d78c205bdcc1d9cb9a7935f16be4d59d425bc874db6d5085f5e0c161678fa0c656ef
SHA1 hash: 927512fd2f2987fca542035009d301ef91c1aa73
MD5 hash: 69cd45bf76f04b12e08d5856f0a53d8a
humanhash: single-glucose-cola-don
File name: SecuriteInfo.com.Win32.Malware-gen.58858636
Signature: Stealc
File size: 8'040'290 bytes
First seen: 2026-04-13 16:46:56 UTC
Last seen: 2026-05-08 12:45:50 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: ac4ded70f85ef621e5f8917b250855be (82 x OffLoader, 7 x Gh0stRAT, 6 x Tofsee)
ssdeep: 98304:nN66et4PxxFDWasVmtn2XwDIreeq6bRdkgguvqP6N1:fLZxF6auEn2Y2eCRnNbP
Threatray: 1'215 similar samples on MalwareBazaar
TLSH: T1E0860233B289A73EF16E1A3759B6D2508C3B6A11651B4C16DAF84C4CCF2D2602E7F647
TrID: 63.8% (.EXE) Inno Setup installer (107240/4/30)
      24.7% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
      3.8% (.EXE) Win64 Executable (generic) (6522/11/2)
      2.6% (.EXE) Win32 Executable (generic) (4504/4/1)
      1.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika: pebin
dhash icon: c8b46661a5b198e4 (2 x Stealc)
Reporter: SecuriteInfoCom
Tags: exe Stealc

Intelligence


File Origin
# of uploads: 3
# of downloads: 126
Origin country: FR
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 2026-02-04_b245384d0ea4fa15c7a20e58d771f2a0_amadey_elex_smoke-loader_stealc.exe
Verdict: Malicious activity
Analysis date: 2026-04-13 12:50:20 UTC
Tags: auto-sch stealer stealc anti-evasion delphi inno installer sainbox rat upx

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 97.4%
Tags: dropper virus sage

Result
Verdict: Clean
Behaviour
- Creating a file in the %temp% subdirectories
- Creating a window
- Creating a process from a recently created file
- Creating synchronization primitives
- Searching for synchronization primitives
- Using the Windows Management Instrumentation requests
Verdict: Malicious
File Type: exe x32
First seen: 2026-04-09T05:14:00Z UTC
Last seen: 2026-04-14T07:27:00Z UTC
Hits: ~100
Threat name: Win32.Trojan.Ravartar
Status: Malicious
First seen: 2026-04-09 11:26:25 UTC
File Type: PE (Exe)
Extracted files: 4
AV detection: 21 of 38 (55.26%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: defense_evasion discovery installer privilege_escalation spyware stealer upx
Behaviour
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- Inno Setup is an open-source installation builder for Windows applications.
- Access Token Manipulation: Create Process with Token
- Enumerates physical storage devices
- System Location Discovery: System Language Discovery
- UPX packed file
- Checks installed software on the system
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
Unpacked files

SHA256 hash: 432d81eea7e758df49927049f0e059fffd3a9188f94da3e1f0a49efdf7190ae7
MD5 hash: 69cd45bf76f04b12e08d5856f0a53d8a
SHA1 hash: 927512fd2f2987fca542035009d301ef91c1aa73

SHA256 hash: 3187a247e16ab84259820e3f312cff5610284bc30fdb5adebf2cbe33b59fb132
MD5 hash: 6649858884e0ca9e5a85489a52865164
SHA1 hash: 1dc9a3fb30a0a3cc41e8b8bdd9b899d258690bc9

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Borland
Author: malware-lu

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: pe_detect_tls_callbacks

Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author: CYFARE
Description: Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference: https://cyfare.net/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Stealc
File: Executable exe 432d81eea7e758df49927049f0e059fffd3a9188f94da3e1f0a49efdf7190ae7 (this sample)
Distributed via web download
