MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4384c114dfd71f7a4c942a712e5db0d2403ffecd1970afe83353c6a28507e4e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ScarfaceStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	4384c114dfd71f7a4c942a712e5db0d2403ffecd1970afe83353c6a28507e4e2
SHA3-384 hash:	3ad2083f02cf96faf33602ba6f086cde6f0f2ee82ffc531522eecd21ed2b069945842f6f5a89a262eb056ede65577408
SHA1 hash:	bffc4dab7ddcd97b40214c95046233800145c16c
MD5 hash:	79baab919a15c78b2a21854089dd8d18
humanhash:	magazine-montana-illinois-magnesium
File name:	program.exe
Download:	download sample
Signature	ScarfaceStealer Create hunting rule
File size:	13'651'456 bytes
First seen:	2025-12-20 21:35:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	6d17b587a24f5693a2bc089c25ef8794 (2 x ScarfaceStealer)
ssdeep	196608:0fmKrlgndnXCTtvlRCIp3+houZ3mPFopKcf83YGgxdc39FX5/TW5P8HePbeY1fQ:MmmlItCTFCU3+hTBZjnxu39n+SYNQ
TLSH	T15ED623D3DCC816D5C8D34A70668A278D71E1B1169EBA6B2D3BCA1C039E30E97814BD77
TrID	44.4% (.EXE) Win64 Executable (generic) (10522/11/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	burger
Tags:	exe ScarfaceStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

https://www.mediafire.com/file/v5xdl3ocdkwgx8l/bild.rar/file

Verdict:

Suspicious activity

Analysis date:

2025-12-20 18:47:19 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c2aa118e-4c0f-42b7-ae41-a140dd869209

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/45622/

Verdict:

Malicious

Score:

93.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=694716a756a871e6bb7f2a2a

Tags:

virus

Verdict:

Unknown

Threat level:

2.5/10

Confidence:

100%

Tags:

anti-debug crypto installer-heuristic obfuscated packed packed vmprotect

Link:

https://www.filescan.io/uploads/694716d0a7163552ba033fc3/reports/c8da69df-5aba-4e4d-a752-c483cdb5b305/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/4384c114dfd71f7a4c942a712e5db0d2403ffecd1970afe83353c6a28507e4e2

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-12-20T16:29:00Z UTC

Last seen:

2025-12-21T02:00:00Z UTC

Hits:

~10

Detections:

Trojan-PSW.Win64.ChromeInject.wj Trojan-PSW.Win64.ChromeInject.sb

Link:

https://opentip.kaspersky.com/4384c114dfd71f7a4c942a712e5db0d2403ffecd1970afe83353c6a28507e4e2/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/ed3203d6-6d8e-4ae7-b37e-b46ab781aac7

Result

Threat name:

Scarface Stealer, EICAR, Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1836846

Signature

Allocates memory in foreign processes

Creates a thread in another existing process (thread injection)

Found direct / indirect Syscall (likely to bypass EDR)

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Unusual module load detection (module proxying)

Writes to foreign memory regions

Yara detected Scarface Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/4384c114dfd71f7a4c942a712e5db0d2403ffecd1970afe83353c6a28507e4e2

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/79baab919a15c78b2a21854089dd8d18

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4384c114dfd71f7a4c942a712e5db0d2403ffecd1970afe83353c6a28507e4e2/

Verdict:

Malicious

Threat:

Trojan-PSW.Win64.ChromeInject

Link:

https://tip.neiki.dev/file/4384c114dfd71f7a4c942a712e5db0d2403ffecd1970afe83353c6a28507e4e2

Threat name:

Win64.Trojan.Hack

Status:

Malicious

First seen:

2025-12-20 21:35:37 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

7 of 24 (29.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=iocmcfg724pxuteufjys4xnq2jad77wndfyk72btkpdkfbih4tra._file

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:xmrig collection defense_evasion discovery execution exploit impact miner persistence ransomware spyware stealer trojan

Link:

https://tria.ge/reports/251223-nw1agswmex/

Behaviour

Delays execution with timeout.exe

Interacts with shadow copies

Modifies data under HKEY_USERS

Runs net.exe

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

outlook_office_path

outlook_win_path

Browser Information Discovery

Drops file in Windows directory

Launches sc.exe

Drops file in System32 directory

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Indicator Removal: File Deletion

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Power Settings

Cryptocurrency Miner

Disables service(s)

Executes dropped EXE

Modifies file permissions

Reads WinSCP keys stored on the system

Reads user/profile data of web browsers

Stops running service(s)

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Possible privilege escalation attempt

Deletes shadow copies

XMRig Miner payload

Modifies Windows Defender notification settings

Xmrig family

xmrig

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/a62a6939-9005-4e17-a40e-c02a78a9b76e

Unpacked files

SH256 hash:

4384c114dfd71f7a4c942a712e5db0d2403ffecd1970afe83353c6a28507e4e2

MD5 hash:

79baab919a15c78b2a21854089dd8d18

SHA1 hash:

bffc4dab7ddcd97b40214c95046233800145c16c

Link:

https://www.unpac.me/results/fb2cb0b2-1f2f-4499-be6e-2870530255e4/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4384c114dfd7/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.56

Link:

https://yomi.yoroi.company/submissions/4384c114dfd71f7a4c942a712e5db0d2403ffecd1970afe83353c6a28507e4e2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	pe_detect_tls_callbacks Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/45622/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample