MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 485c72adfc4641b73adde7c3e9c998cedb18871710aeadfe561eb7625cb6dece. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 18

SHA256 hash: 485c72adfc4641b73adde7c3e9c998cedb18871710aeadfe561eb7625cb6dece
SHA3-384 hash: fdaabd63fb56e320b75cc2402e55dae97eff1e7db97533d842fad6c26bd29a832d1615093417b5108a1bb888af9c4b67
SHA1 hash: 154d2c7d96ac91122f7acd94b16b5af66aeebdcd
MD5 hash: 0bc75a8f0876338dc038a218c0937e83
humanhash: may-quebec-sad-island
File name: 0bc75a8f0876338dc038a218c0937e83.exe
Signature: Stealc
File size: 7'898'760 bytes
First seen: 2025-12-16 18:05:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: bbb30b604f391c11f7f0aad6186d9b86 (1 x Stealc)
ssdeep: 196608:oFKRNxHiouWJysVYvsOaoyMxxvjDDAxSSEoXjdESNh5:6+zHi9WJdoyMxtDDAxPRX5Ei
Threatray: 42 similar samples on MalwareBazaar
TLSH: T1BF86125572A402F9F5B7913CC8A28E02E776B416077197DF03A0477A1F236E1AE3EB61
TrID: 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      21.3% (.EXE) Win64 Executable (generic) (10522/11/4)
      13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
      9.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
Reporter: abuse_ch
Tags: exe Stealc


abuse_ch
Stealc C2:
http://196.251.107.23/7ffc7a279c17c091.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://196.251.107.23/7ffc7a279c17c091.php
ThreatFox Reference: https://threatfox.abuse.ch/ioc/1681017/

Intelligence


File Origin
# of uploads: 1
# of downloads: 161
Origin country: NL
Vendor Threat Intelligence
Malware configuration found for:
Amadey LocalBinder TinyLoader
Details
TinyLoader
xor decoded strings including cryptocurrency addresses and a c2 url
Malware family:
n/a
ID:
1
File name:
0bc75a8f0876338dc038a218c0937e83.exe
Verdict:
Malicious activity
Analysis date:
2025-12-16 18:07:10 UTC
Tags:
stealer stealc auto-sch auto-reg python crypto-regex

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
autorun emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating synchronization primitives
Enabling the 'hidden' option for recently created files
Launching a process
Creating a process with a hidden window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a file in the %temp% subdirectories
Changing a file
DNS request
Setting browser functions hooks
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Unauthorized injection to a system process
Sending an HTTP POST request to an infection source
Unauthorized injection to a browser process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
anti-debug anti-vm base64 clipbanker expand explorer fingerprint fingerprint krypt lolbin meterpreter microsoft_visual_cc netsh obfuscated packed schtasks stealer
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-12-14T11:32:00Z UTC
Last seen:
2025-12-18T02:22:00Z UTC
Hits:
~100
Result
Threat name:
Amadey, Clipboard Hijacker, MaskGram Ste
Detection:
malicious
Classification:
rans.bank.troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Changes the view of files in windows explorer (hidden files and folders)
Checks if browser processes are running
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to start a terminal service
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Early bird code injection technique detected
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Leaks process information
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Unusual module load detection (module proxying)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes a notice file (html or txt) to demand a ransom
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected Clipboard Hijacker
Yara detected MaskGram Stealer
Yara detected MicroClip
Yara detected Stealc v2
Behaviour
Behavior Graph: [graph image not reproduced here; Behavior Graph ID: 1834229, Sample: v1PxWA0K2J.exe, Startdate: 16/12/2025, Architecture: WINDOWS, Score: 100]
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Threat name:
Win64.Trojan.Leonem
Status:
Malicious
First seen:
2025-12-14 20:18:00 UTC
File Type:
PE+ (Exe)
Extracted files:
23
AV detection:
20 of 36 (55.56%)
Threat level:
5/5
Result
Malware family:
svcstealer
Score:
10/10
Tags:
family:stealc family:svcstealer botnet:06x12x2025 discovery execution persistence pyinstaller spyware stealer
Behaviour
Checks processor information in registry
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Detects Pyinstaller
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Stealc
Stealc family
Malware Config
C2 Extraction:
http://196.251.107.23
Verdict:
Malicious
Tags:
red_team_tool meterpreter
YARA:
HKTL_Meterpreter_inMemory
Unpacked files
SHA256 hash:
485c72adfc4641b73adde7c3e9c998cedb18871710aeadfe561eb7625cb6dece
MD5 hash:
0bc75a8f0876338dc038a218c0937e83
SHA1 hash:
154d2c7d96ac91122f7acd94b16b5af66aeebdcd
SHA256 hash:
012866b68f458ec204b9bce067af8f4a488860774e7e17973c49e583b52b828d
MD5 hash:
bf83f8ad60cb9db462ce62c73208a30d
SHA1 hash:
f1bc7dbc1e5b00426a51878719196d78981674c4
SHA256 hash:
1405942fec35f9435048d7b5ddeb2ec8482c3702fdf564ef5d5de31805dbe1a8
MD5 hash:
a87284da9db1804ac385cde8c1f5a19e
SHA1 hash:
36b3ba427e4157cc42214798fea68886461c7b25
SHA256 hash:
c06a4062d7ca0689a607d1ae847f5f11750ffb599dc41232c6f3b3eccc1a1045
MD5 hash:
b2a1b08ff37e845d8a96a22680dce74f
SHA1 hash:
f788068fe1413f5ba83a1cbe31accf95b9f569a2
Malware family:
Stealc.v2
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: Detect_PyInstaller
Author: Obscurity Labs LLC
Description: Detects PyInstaller compiled executables across platforms
Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through base63 encoded powershell script.
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: HKTL_Meterpreter_inMemory
Author: netbiosX, Florian Roth
Description: Detects Meterpreter in-memory
Reference: https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Rule name: INDICATOR_SUSPICIOUS_ReflectiveLoader
Author: ditekSHen
Description: Detects Reflective DLL injection artifacts
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: PyInstaller
Author: @bartblaze
Description: Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name: ReflectiveLoader
Author: Florian Roth (Nextron Systems)
Description: Detects an unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference: Internal Research
Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: SUSP_XORed_Mozilla_Oct19
Author: Florian Roth
Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference: https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()
Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research
Rule name: upxHook
Author: @r3dbU7z
Description: Detect artifacts from 'upxHook' - modification of UPX packer
Reference: https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments