MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5820d023c0c382b11e17661f8e293792ffb86aa2f54da2cb120e93652c0e4639. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 14


Intelligence 14 IOCs YARA 20 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5820d023c0c382b11e17661f8e293792ffb86aa2f54da2cb120e93652c0e4639
SHA3-384 hash: 6868b42c2de6737c9c58f1cd2bd5e64b9044996ca8df38d88026ec63dbe1a418be258055031f3fc31784b4b508bd8c73
SHA1 hash: 14cba04971ad2398c24e3d940744df6ada2eff3f
MD5 hash: de9bd25b8185a04ba6ac06b66b168294
humanhash: robin-king-hot-quiet
File name:file
Download: download sample
Signature Stealc
Create hunting rule
File size:2'608'856 bytes
First seen:2026-01-22 08:45:43 UTC
Last seen:2026-01-23 10:44:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d42595b695fc008ef2c56aabd8efd68e (155 x Vidar, 92 x Rhadamanthys, 74 x Stealc)
ssdeep 49152:5kksbirKC6enwxpBVZUncHPQ4sY7Q/siHml9DliKMdltq:5FKsYk/siHml9DlibU
Threatray 76 similar samples on MalwareBazaar
TLSH T103C54A426CA549E5C46AA23ABFB221927773B8040B3233E32F5076752F367D45D7DB28
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter Bitsight
Tags:a dropped-by-gcleaner exe signed Stealc TWO.file

Code Signing Certificate

Organisation:www.hindustantimes.com
Issuer:DigiCert Global G3 TLS ECC SHA384 2020 CA1
Algorithm:sha256WithRSAEncryption
Valid from:2025-10-10T00:00:00Z
Valid to:2026-10-11T23:59:59Z
Serial number: 06647f9f256083d341998ddf0e7a1793
Intelligence: 46 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: a679318c754c0f01c9da745cdad58e5257ece29a34660fefedfc64b25fe6d7ff
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
Bitsight
url: http://194.38.20.224/service

Intelligence

File Origin
# of uploads :
22
# of downloads :
167
Origin country :
US US
Vendor Threat Intelligence
Malware configuration found for:
Going Stealc
Details
Going
a sub-decoded component
Stealc
decrypted strings, an RC4 key, c2 url, and url paths
Link:
https://research.acce.ciphertechsolutions.com/results/e38838b9-32cc-4d16-8b9f-4624240285c1/
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2026-01-22 08:46:50 UTC
Tags:
stealc stealer
Link:
https://app.any.run/tasks/bbc474cf-21cf-4501-83eb-0621b8ffdbc7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Stealc
Create hunting rule
Link:
https://www.capesandbox.com/analysis/49708/
Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6971e3ebbcad3327ec07893e
Tags:
injection emotet obfusc virus
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
adaptive-context anti-vm crypt golang signed
Link:
https://www.filescan.io/uploads/6971e3e6a9d5ec2c54cf67aa/reports/a5771cdd-45c3-4f73-aadf-99a0a31edcab/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/5820d023c0c382b11e17661f8e293792ffb86aa2f54da2cb120e93652c0e4639
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-01-21T17:21:00Z UTC
Last seen:
2026-01-24T02:21:00Z UTC
Hits:
~10
Detections:
Trojan.Win64.Agent.sb Trojan.Win32.Inject.sb Trojan.MSIL.Agent.sb HEUR:Trojan.Win64.Generic VHO:Trojan.Win64.Kryptik.gen Trojan-PSW.Win64.StealC.sb Trojan-PSW.Lumma.HTTP.C&C
Link:
https://opentip.kaspersky.com/5820d023c0c382b11e17661f8e293792ffb86aa2f54da2cb120e93652c0e4639/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/d00eba98-3886-4d8d-b448-30e602554154
Score:
93%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5820d023c0c382b11e17661f8e293792ffb86aa2f54da2cb120e93652c0e4639
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/de9bd25b8185a04ba6ac06b66b168294
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5820d023c0c382b11e17661f8e293792ffb86aa2f54da2cb120e93652c0e4639/
Verdict:
Malicious
Threat:
Family.STEALC
Link:
https://tip.neiki.dev/file/5820d023c0c382b11e17661f8e293792ffb86aa2f54da2cb120e93652c0e4639
Threat name:
Win64.Spyware.Stealc
Create hunting rule
Status:
Suspicious
First seen:
2026-01-22 01:49:00 UTC
File Type:
PE+ (Exe)
AV detection:
17 of 36 (47.22%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=laqnai6ayoblchqxmypy4kjxsl73q2vc6vg2fsysb2jwklaoiy4q._file
Verdict:
malicious
Label(s):
stealc
Create hunting rule
Similar samples:
28df48dc92fe19a9d0948e31cc86c97157034b1e314a75f2294c0ea4f34548a6
Stealc
40270000aee777f2e04221195bfbf5cec694bd0e54df1897cbc4b16f640cbff0
Stealc
404ad4417ff5283dc1b43cb530403f682c579eab3ba59c200454aa2f04220ec0
Stealc
5cc5e2d2a89be652f7389dd7fe1d824b0f85c078e45f56ff70f8df5515500248
Stealc
b54284da10dac4d3aa020888c775ac90a00ece30853354d7d14e0175aa3c9c5b
Stealc
b9ef7c7010bfa79f4503d0ed22942772defe68630291ebb786bf8284e451cf85
Stealc
de1e5a910f9c946c10a912236cd51f12e1d7cc3c280552853059560bc787c309
Stealc
error
Stealc
+ 66 additional samples on MalwareBazaar
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:stealc botnet:fwefweg discovery spyware stealer
Link:
https://tria.ge/reports/260122-kpjglsbx5d/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Stealc
Stealc family
Malware Config
C2 Extraction:
http://45.93.20.34
Unpacked files
SH256 hash:
5820d023c0c382b11e17661f8e293792ffb86aa2f54da2cb120e93652c0e4639
MD5 hash:
de9bd25b8185a04ba6ac06b66b168294
SHA1 hash:
14cba04971ad2398c24e3d940744df6ada2eff3f
Link:
https://www.unpac.me/results/f53f2714-a05c-4b90-b658-8ed196ee70ca/
Malware family:
Stealc.v2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5820d023c0c3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/5820d023c0c382b11e17661f8e293792ffb86aa2f54da2cb120e93652c0e4639

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:golang_duffcopy_amd64
Create hunting rule
Rule name:Golang_Find_CSC846
Create hunting rule
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:Golang_Find_CSC846_Simple
Create hunting rule
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Suspicious_Golang_Binary
Create hunting rule
Author:Tim Machac
Description:Triage: Golang-compiled binary with suspicious OS/persistence/network strings (not family-specific)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe 5820d023c0c382b11e17661f8e293792ffb86aa2f54da2cb120e93652c0e4639

(this sample)

  
Dropped by
Gcleaner
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/49708/

Comments