MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e636b744971cb7042265edfa52ee42b913d85cdcbdd4d1fa3df80cc05086d39. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 19

Intelligence 19 IOCs YARA 5 File information Comments

SHA256 hash:	4e636b744971cb7042265edfa52ee42b913d85cdcbdd4d1fa3df80cc05086d39
SHA3-384 hash:	4368c4cc89917bcfd0ea68acd232ae89e80310bee9689d74509807c9ebb186efaee8c0927823fab6c04cdbb5d21a4c79
SHA1 hash:	456967485f60a81e2d1b34e9992418dffd14752a
MD5 hash:	2872e7b94bd895bbcb1ab90fab498ecc
humanhash:	pluto-october-nuts-jersey
File name:	Tse2E3k.exe
Download:	download sample
Signature	Stealc Create hunting rule
File size:	1'622'016 bytes
First seen:	2025-08-26 08:01:52 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1ce39e07a979f0e3da342ee46f74268b (8 x LummaStealer, 2 x Rhadamanthys, 2 x CoinMiner)
ssdeep	24576:2Qb60rv833KVuHQkX4vzSvbneLE99HCsqkYy81RPcubGf0sY:z62v8327k2bLqissyTubEhY
Threatray	694 similar samples on MalwareBazaar
TLSH	T15E75E019E83A91D7FCD300F16B165241B4237D378F285AAB40E89B51256AEED1A3F337
TrID	63.5% (.EXE) Win64 Executable (generic) (10522/11/4) 12.2% (.EXE) OS/2 Executable (generic) (2029/13) 12.0% (.EXE) Generic Win/DOS Executable (2002/3) 12.0% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	abuse_ch
Tags:	exe Stealc

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

amadey

ID:

File name:

setup.exe

Verdict:

Malicious activity

Analysis date:

2025-08-26 07:21:53 UTC

Tags:

python github amadey botnet stealer metasploit backdoor meterpreter payload anti-evasion auto generic evasion banker grandoreiro loader redline powershellempire anydesk tool framework asyncrat rat darkvision remote tinynuke agenttesla smb phishing lumma havoc quasar uac rhadamanthys sliver masslogger pyinstaller koadic ultravnc rmm-tool xtinyloader remcos xworm stealc cobaltstrike formbook njrat nanocore vipkeylogger keylogger valley exfiltration smtp dcrat vidar adware snake gcleaner telegram

Link:

https://app.any.run/tasks/f4e02596-1c32-439f-b34b-65d7253326b4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Stealc

Link:

https://www.capesandbox.com/analysis/23601/

Verdict:

Malicious

Score:

81.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68ad6a533e988eb6ab82bc2e

Tags:

malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Сreating synchronization primitives

Connection attempt to an infection source

Sending an HTTP POST request to an infection source

Sending a custom TCP request

Query of malicious DNS domain

Unauthorized injection to a system process

Verdict:

Malicious

Labled as:

Lazy.Generic

Link:

https://www.hybrid-analysis.com/sample/4e636b744971cb7042265edfa52ee42b913d85cdcbdd4d1fa3df80cc05086d39

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-08-25T11:30:00Z UTC

Last seen:

2025-08-25T11:30:00Z UTC

Hits:

~100

Detections:

VHO:Trojan-Ransom.MSIL.Chaos.gen Trojan-PSW.Win32.Lumma.van Trojan-PSW.Lumma.HTTP.C&C PDM:Trojan.Win32.Generic

Link:

https://opentip.kaspersky.com/4e636b744971cb7042265edfa52ee42b913d85cdcbdd4d1fa3df80cc05086d39/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/4bbbe070-1985-4012-8300-13c1b94d19a6

Result

Threat name:

Stealc v2

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1765209

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Sigma detected: Silenttrinity Stager Msbuild Activity

Writes to foreign memory regions

Yara detected Stealc v2

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/4e636b744971cb7042265edfa52ee42b913d85cdcbdd4d1fa3df80cc05086d39

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/2872e7b94bd895bbcb1ab90fab498ecc

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4e636b744971cb7042265edfa52ee42b913d85cdcbdd4d1fa3df80cc05086d39/

Verdict:

Malicious

Threat:

Family.STEALC

Link:

https://tip.neiki.dev/file/4e636b744971cb7042265edfa52ee42b913d85cdcbdd4d1fa3df80cc05086d39

Threat name:

Win64.Trojan.LummaStealer

Status:

Malicious

First seen:

2025-08-25 14:53:28 UTC

File Type:

PE+ (Exe)

AV detection:

29 of 38 (76.32%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jzrww5cjohfxaqrgl3p2klxefoit3bonzpou2h5d36amybiinu4q._file

Verdict:

malicious

Label(s):

stealc

Stealc

1e0889d378a313bb1e9739bc4056ca00cdea277d9239fd319c81f46cd295024b

Stealc

867cf2ae5f9d6a37f0b3e0aae96f762c274c4046ab71c3d2edfa63895621e05a

Stealc

af0b1df56ccc89a58a1e3693379e032daa1ce83d29bb6428ad7a187eb216eb2a

Stealc

d732e1790747fb55619281b914804c015bc5ca874f4f16083fb18904bcf2d3d9

Stealc

error

Stealc

+ 684 additional samples on MalwareBazaar

Result

Malware family:

stealc

Score:

10/10

Tags:

family:stealc botnet:logsdillercloud discovery stealer

Link:

https://tria.ge/reports/250826-jyjnasxms7/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Stealc

Stealc family

Malware Config

C2 Extraction:

http://chimerasound.shop

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/ac8c1d94-a8db-45fa-826c-b0b65269b5f2

Unpacked files

SH256 hash:

4e636b744971cb7042265edfa52ee42b913d85cdcbdd4d1fa3df80cc05086d39

MD5 hash:

2872e7b94bd895bbcb1ab90fab498ecc

SHA1 hash:

456967485f60a81e2d1b34e9992418dffd14752a

Link:

https://www.unpac.me/results/7d0906ba-7714-49d4-a18d-e2010bf72b44/

Malware family:

Stealc

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4e636b744971/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4e636b744971cb7042265edfa52ee42b913d85cdcbdd4d1fa3df80cc05086d39

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)