MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5273fc9f5c5c754bf37c58a391fe9ea7d98de470f042d2478d3beb0b71838b77. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Stealc
Vendor detections: 15
SHA256 hash: 5273fc9f5c5c754bf37c58a391fe9ea7d98de470f042d2478d3beb0b71838b77
SHA3-384 hash: 7047adf89325d44262453b12823d20cefa77a35ffddaa518658d3f2126e99ba0c219678da8f81248ae9aa0287918626f
SHA1 hash: e6edbf519c314805ac107bee190195fcf1902f18
MD5 hash: 20d35681bf6271bfbc5e9ebd58be5c15
humanhash: london-carpet-uniform-hamper
File name: file
Signature: Stealc
File size: 8'301'436 bytes
First seen: 2026-03-13 03:25:07 UTC
Last seen: 2026-03-13 04:49:39 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: e8ac1646024d52d1534a88da2e8037cd (9 x OffLoader, 9 x HijackLoader, 8 x ValleyRAT)
ssdeep: 196608:rDbt814oKAoPjEb7ztQZao5h1Qw0ppKSca8:rD5XjAXqZaoepp98
TLSH: T170862313F14E633EE46A5A3A49729A00953FBA50641A8CA3D6EC3E4CCE3E4501D7FE57
TrID:
  50.8% (.EXE) Inno Setup installer (107240/4/30)
  20.4% (.EXE) InstallShield setup (43053/19/16)
  19.7% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
  3.0% (.EXE) Win64 Executable (generic) (6522/11/2)
  2.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
dhash icon: 5050d270cccc82ae (112 x Adware.Generic, 70 x OffLoader, 43 x LummaStealer)
Reporter: Bitsight
Tags: dropped-by-amadey exe fbf543 Stealc


Bitsight
url: https://s3.g.s4.mega.io/aileqac3yep7oqdhygjpberqqnk2zrnhck2lx/busket/2/03x12x26/01/OHKSFJCE.exe
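Checking that a locally downloaded copy is really the file described by the hashes above, as an added example (this is not MalwareBazaar's or abuse.ch's own tooling). The expected values are copied from this entry; the file path is an assumption, and since MalwareBazaar serves samples inside a password-protected zip the script must be pointed at the extracted executable, not the archive.

```python
"""Verify that a locally downloaded copy matches the hashes this entry publishes.

Added example; not MalwareBazaar's or abuse.ch's own code. EXPECTED is copied
from the entry above. The file path is an assumption: point this at the
executable extracted from the download archive, never at the archive itself.
"""
import hashlib
import sys
from typing import Dict, Iterable, List

# Published values for this sample (copied from the entry above).
EXPECTED: Dict[str, object] = {
    "sha256": "5273fc9f5c5c754bf37c58a391fe9ea7d98de470f042d2478d3beb0b71838b77",
    "sha3_384": "7047adf89325d44262453b12823d20cefa77a35ffddaa518658d3f2126e99ba0c219678da8f81248ae9aa0287918626f",
    "sha1": "e6edbf519c314805ac107bee190195fcf1902f18",
    "md5": "20d35681bf6271bfbc5e9ebd58be5c15",
    "size": 8301436,
}


def _digest_chunks(chunks: Iterable[bytes]) -> Dict[str, object]:
    """Feed every chunk to all four hash functions in one pass; return the
    hex digests plus the byte count under the same keys EXPECTED uses."""
    hashers = {
        "sha256": hashlib.sha256(),
        "sha3_384": hashlib.sha3_384(),
        "sha1": hashlib.sha1(),
        "md5": hashlib.md5(),
    }
    size = 0
    for chunk in chunks:
        size += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    result: Dict[str, object] = {name: h.hexdigest() for name, h in hashers.items()}
    result["size"] = size
    return result


def digests(data: bytes) -> Dict[str, object]:
    """Digests of an in-memory buffer."""
    return _digest_chunks([data])


def digests_of_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, object]:
    """Digests of a file, streamed so an 8 MB installer is not read into memory at once."""
    with open(path, "rb") as fh:
        return _digest_chunks(iter(lambda: fh.read(chunk_size), b""))


def mismatches(actual: Dict[str, object], expected: Dict[str, object] = EXPECTED) -> List[str]:
    """Names of the expected fields whose value differs (hex compared case-insensitively).
    An empty list means the bytes are exactly the published sample."""
    bad = []
    for name, want in expected.items():
        got = actual.get(name)
        if isinstance(want, str) and isinstance(got, str):
            if got.lower() != want.lower():
                bad.append(name)
        elif got != want:
            bad.append(name)
    return sorted(bad)


def verify(data: bytes, expected: Dict[str, object] = EXPECTED) -> List[str]:
    """Convenience wrapper for in-memory data."""
    return mismatches(digests(data), expected)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: verify_sample.py <extracted-sample-path>")
    bad = mismatches(digests_of_file(sys.argv[1]))
    print("OK: matches the published sample" if not bad else "MISMATCH in: " + ", ".join(bad))
```

SHA256 is the key MalwareBazaar indexes on; MD5 and SHA1 are kept only for correlating with vendor reports that still use them. The imphash on this entry is shared with OffLoader, HijackLoader and ValleyRAT samples (see the counts above), so it is a weak pivot on its own.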

Intelligence


File Origin
# of uploads: 25
# of downloads: 250
Origin country: US
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: _5273fc9f5c5c754bf37c58a391fe9ea7d98de470f042d2478d3beb0b71838b77.exe
Verdict: Malicious activity
Analysis date: 2026-03-13 03:25:47 UTC
Tags: delphi hijackloader loader amsi-bypass

Note: ANY.RUN is an interactive sandbox; its verdict covers everything done during the analysis session, not just the uploaded sample.
Verdict: Malicious
Score: 99.9%
Tags: ransomware shellcode dropper

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: adaptive-context anti-debug embarcadero_delphi fingerprint inno installer installer-heuristic packed soft-404

Verdict: Malicious
File Type: exe x32
Detections: Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Greedy.sb Trojan.Win32.Penguish.sb Trojan-Spy.Win32.Stealer.sb Trojan-PSW.Win32.Pycoon.sb Trojan-Banker.Win32.ClipBanker.sb Trojan.Win32.Strab.sb Trojan.Win32.Penguish.gsx Trojan.Win32.Inject.sb Trojan.Win32.Delf.sb Trojan-PSW.Win64.StealC.sb

Result
Malware family:
Score: 10/10
Tags: family:hijackloader family:stealc botnet:simbapartner2 credential_access discovery installer loader spyware stealer
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Inno Setup is an open-source installation builder for Windows applications.
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Downloads MZ/PE file
Detects HijackLoader (aka IDAT Loader)
Detects Stealc stealer Version 2
HijackLoader, IDAT loader, GhostPulse
Hijackloader family
Stealc
Stealc family
Malware Config
C2 Extraction: https://storage.onedrive.ug
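The extracted C2 sits under a registrable domain that imitates Microsoft OneDrive, while the installer itself was staged on a legitimate file-sharing host (mega.io, see the reporter's URL above). The brand-lookalike check below, run over DNS query logs, is an added example and not part of this page or any vendor's tooling; the log format, the client addresses and the allowlist of legitimate parent domains are constructed assumptions, and the two hostnames under test are the ones shown on this page.

```python
"""Flag DNS queries for brand-lookalike hostnames such as the extracted C2 above.

Added example, not MalwareBazaar's code. BRAND_DOMAINS, the log format and the
client IPs are assumptions; extend the allowlist for your own environment.
"""
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

# Watched brand keywords paired with the registrable domains that legitimately
# serve them (assumption: a minimal list, not an authoritative one).
BRAND_DOMAINS: Dict[str, Set[str]] = {
    "onedrive": {"live.com", "microsoft.com", "1drv.ms", "onedrive.com"},
    "sharepoint": {"sharepoint.com", "microsoft.com"},
    "dropbox": {"dropbox.com", "dropboxusercontent.com"},
}

# Constructed DNS query log (not real telemetry): timestamp, client, queried name.
SAMPLE_LOG = """\
2026-03-13T03:26:01Z 10.0.0.21 storage.onedrive.ug
2026-03-13T03:26:02Z 10.0.0.21 onedrive.live.com
2026-03-13T03:26:05Z 10.0.0.21 s3.g.s4.mega.io
"""


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname. Adequate for the gTLDs used here; a
    public-suffix list is required for names like example.co.uk (limitation)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(url_or_host: str) -> str:
    """Hostname from either a bare name or a full URL such as the C2 above."""
    parts = urlsplit(url_or_host if "://" in url_or_host else "//" + url_or_host)
    return (parts.hostname or "").lower()


def classify(url_or_host: str) -> str:
    """'lookalike' when a watched brand keyword appears in a hostname whose
    registrable domain is not one of that brand's legitimate domains,
    'brand' when it is, and 'other' when no watched keyword is present."""
    host = host_of(url_or_host)
    reg = registrable_domain(host)
    for brand, legit in BRAND_DOMAINS.items():
        if re.search(re.escape(brand), host):
            return "brand" if reg in legit else "lookalike"
    return "other"


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, qname) for every lookalike query in the log."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed or empty line
        ts, client, qname = fields[:3]
        if classify(qname) == "lookalike":
            hits.append((ts, client, qname))
    return hits


if __name__ == "__main__":
    for ts, client, qname in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} queried brand lookalike {qname} ({registrable_domain(qname)})")
```

The keyword match is deliberately a substring test, so names like my-onedrive-backup.example also surface; the allowlist decides which of those are false positives. Legitimate staging hosts such as mega.io are not caught by this logic and need a separate reputation or policy decision.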
Unpacked files

SHA256 hash: 5273fc9f5c5c754bf37c58a391fe9ea7d98de470f042d2478d3beb0b71838b77
MD5 hash: 20d35681bf6271bfbc5e9ebd58be5c15
SHA1 hash: e6edbf519c314805ac107bee190195fcf1902f18

SHA256 hash: be048c6b611482f1631597fbc69b2c5f91c394f655fdb728eda00a5c2fe3ef4e
MD5 hash: cafc05985a84f1a61aecf990077bc057
SHA1 hash: 52a658adf3ff230c31b891a104d55f841b6da71e

SHA256 hash: 7f1f9c5558b54410a4a394b1ecff63d6bf1cdc827c0702d7fd0bc549bcd8f50b
MD5 hash: cd567e4d4fa1ccec19c14d9246d6394e
SHA1 hash: 14c9e5da923f754505fa9e94b4b76f9f8078e3dd

SHA256 hash: b3df75cd313145ec7b7989ea888974fd37aac78438535ac5a6692a4773366e87
MD5 hash: 928c9c0144deca8130b59cd94b3def87
SHA1 hash: 4c8f4977ceb66165db47c4cccabb88117870a8b9

SHA256 hash: 0bb2b288cdfc3d726abe2ced369e95a697edfdd9f0df5edaf5c8d312f4e5807f
MD5 hash: 8220dbd8460bcf017a7fe11768c5f607
SHA1 hash: 52998fd7caa20fc260d00c00aaa5d7f464d1949b
Detections: win_samsam_auto win_get2_a0

SHA256 hash: 9f926424d2352cd65499e9f909c1b61d7f986fd0a0c578c12b4e68c77982392c
MD5 hash: 02a6628e2f289a993d39375f9c059ff4
SHA1 hash: 5a345eea120263699f094abc68942f5268cd0b60

SHA256 hash: b54016ef57f9ded843d2e685481a2b6ccb9aeccf3f061a07b4a6fc4bee4ca8f9
MD5 hash: 13896ed2817ad0e2921cbefc4feb539f
SHA1 hash: 65f4f01a2441ea10b13076ab0ffa04c614a26475

SHA256 hash: d21f96be2240b3d3bf5c54ac9c3b7707d14791e985aa7b5c442faf998e411fe8
MD5 hash: e9c7b9e22bd1f0083c586102bd632fad
SHA1 hash: 68ec541814e820b8291d9f6fdb16964f441b6491

SHA256 hash: 06cd591e1b20e0125adb6773080ad05016655e485bc9895a75f6858e6072014c
MD5 hash: 44480f49ed9141eb16615507a74adce0
SHA1 hash: ae6e5eddb1591142e803ae9e8786540a34af798a

SHA256 hash: f1d0d5e2a6c482f4e02b69810ee0f7392fb7bd5339ff6c2da55548573af23b4b
MD5 hash: d013ba0137465d81cfb3e425774e409b
SHA1 hash: d275a0f11221e23359b62f9ef25da0183993a01b

SHA256 hash: 4875e07924dda7b1fafd8835437016500f09e83833af724e21af0a275b2941f7
MD5 hash: 8293bbe85bd415f792bc36ec20164234
SHA1 hash: c4eec41b78e5824dbe1836daa698ecc8d8fddb63
Detections: win_samsam_auto

Malware family: SHADOWLADDER
Verdict: Malicious

Please note that we are no longer able to provide a coverage score for VirusTotal.
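Turning the unpacked-file listing above into records a blocklist or a threat-intel platform import can consume. This parser is an added example, not MalwareBazaar's code. SAMPLE_LISTING is a constructed excerpt of three entries copied from the list above, written in the raw key-on-one-line, value-on-the-next form the page uses (the parser also accepts the one-line "SHA256 hash: value" form and the page's "SH256" spelling); the CSV column layout is an assumption. The first unpacked entry carries the same hashes as the sample itself, so the parser flags it as the parent rather than counting it as a separate dropped file.

```python
"""Parse a MalwareBazaar 'Unpacked files' listing into hash records.

Added example, not MalwareBazaar's code. SAMPLE_LISTING is a constructed
excerpt of three entries from the page above; the CSV layout is an assumption.
"""
import csv
import io
import re
from typing import Dict, List, Optional, Set

# SHA256 of the entry this listing belongs to (copied from the page above).
PARENT_SHA256 = "5273fc9f5c5c754bf37c58a391fe9ea7d98de470f042d2478d3beb0b71838b77"

# Expected hex length per hash type, used to flag malformed values.
HEX_LEN = {"sha256": 64, "md5": 32, "sha1": 40}

# Accepts "SHA256 hash:" and the page's "SH256 hash:" spelling, with or without
# the value on the same line.
KEY_RE = re.compile(r"^(SHA?256|MD5|SHA1) hash:\s*(.*)$", re.IGNORECASE)
DET_RE = re.compile(r"^Detections:\s*(.*)$", re.IGNORECASE)

# Constructed excerpt: entries 1, 5 and 11 of the list above, the last one
# rewritten in the one-line form to show both layouts are handled.
SAMPLE_LISTING = """\
SH256 hash:
5273fc9f5c5c754bf37c58a391fe9ea7d98de470f042d2478d3beb0b71838b77
MD5 hash:
20d35681bf6271bfbc5e9ebd58be5c15
SHA1 hash:
e6edbf519c314805ac107bee190195fcf1902f18
SH256 hash:
0bb2b288cdfc3d726abe2ced369e95a697edfdd9f0df5edaf5c8d312f4e5807f
MD5 hash:
8220dbd8460bcf017a7fe11768c5f607
SHA1 hash:
52998fd7caa20fc260d00c00aaa5d7f464d1949b
Detections:
win_samsam_auto win_get2_a0
SHA256 hash: 4875e07924dda7b1fafd8835437016500f09e83833af724e21af0a275b2941f7
MD5 hash: 8293bbe85bd415f792bc36ec20164234
SHA1 hash: c4eec41b78e5824dbe1836daa698ecc8d8fddb63
Detections: win_samsam_auto
"""


def parse_unpacked(text: str, parent_sha256: Optional[str] = None) -> List[Dict]:
    """One record per SHA256 line; MD5, SHA1 and Detections attach to the
    most recent record. Each record gets 'valid' (all three hashes well-formed)
    and 'is_parent' (hash equals the entry's own SHA256)."""
    records: List[Dict] = []
    current: Optional[Dict] = None
    pending: Optional[str] = None  # key whose value is on the next line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending is not None and current is not None:
            if pending == "detections":
                current["detections"] = line.split()
            else:
                current[pending] = line.lower()
            pending = None
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            key = "sha256" if key in ("sh256", "sha256") else key
            if key == "sha256":
                current = {"sha256": None, "md5": None, "sha1": None, "detections": []}
                records.append(current)
            if current is None:
                continue  # MD5/SHA1 before any SHA256: nothing to attach to
            value = m.group(2).strip()
            if value:
                current[key] = value.lower()
            else:
                pending = key
            continue
        m = DET_RE.match(line)
        if m and current is not None:
            value = m.group(1).strip()
            if value:
                current["detections"] = value.split()
            else:
                pending = "detections"
    for r in records:
        r["valid"] = all(
            bool(r[k]) and re.fullmatch(r"[0-9a-f]{%d}" % n, r[k]) is not None
            for k, n in HEX_LEN.items()
        )
        r["is_parent"] = parent_sha256 is not None and r["sha256"] == parent_sha256.lower()
    return records


def sha256_set(records: List[Dict], include_parent: bool = True) -> Set[str]:
    """Distinct well-formed SHA256 values, optionally excluding the parent sample."""
    return {r["sha256"] for r in records if r["valid"] and (include_parent or not r["is_parent"])}


def to_csv(records: List[Dict]) -> str:
    """CSV with one row per unpacked file (column layout is an assumption)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["sha256", "md5", "sha1", "detections", "is_parent"])
    for r in records:
        writer.writerow([r["sha256"], r["md5"], r["sha1"], " ".join(r["detections"]), r["is_parent"]])
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(parse_unpacked(SAMPLE_LISTING, PARENT_SHA256)), end="")
```

The YARA hits in the Detections lines (win_samsam_auto, win_get2_a0) come from rules run on the sandbox's memory dumps, not on the installer on disk, which is why they appear only on some of the unpacked files.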

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Borland
Author: malware-lu

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping malware through a base64 encoded PowerShell script.

Rule name: pe_detect_tls_callbacks

Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc
Executable exe 5273fc9f5c5c754bf37c58a391fe9ea7d98de470f042d2478d3beb0b71838b77 (this sample)

Dropped by: Amadey
Delivery method: Distributed via web download