MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e4360008d4cdd40ede1d19a565cf754598425d03c56cdfdeff248736600d014. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 18

Intelligence 18 IOCs 1 YARA 4 File information Comments

SHA256 hash:	5e4360008d4cdd40ede1d19a565cf754598425d03c56cdfdeff248736600d014
SHA3-384 hash:	4a73e92568d03dff61de2465933519320d2cfba8f76216ae3f567d85bbf409473f286a3e1813e4847e57646de1a9baa6
SHA1 hash:	cd01fae386600b86d751212f0fb9185618ab09de
MD5 hash:	05f5addcc409e0d8bd1ef0d464a75e42
humanhash:	carolina-video-king-mars
File name:	x5e4360008d4cdd40ede1d19a565cf754598425d03c56.exe
Download:	download sample
Signature	Stealc Create hunting rule
File size:	2'243'072 bytes
First seen:	2026-03-24 09:10:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	30b62189dd33bea0f552414113e8b2af (2 x Vidar, 1 x Tofsee, 1 x RedLineStealer)
ssdeep	49152:YPIaGigXBHvfD1f3Li9UVlerVWhNBGigXBHvfD1f3Li9UVlerVWhN:cIxD1jiaYQhCD1jiaYQh
Threatray	341 similar samples on MalwareBazaar
TLSH	T139A59E76B6C08035D45B31B13D1AAD7B659CE031832091CB62E89B7E5EB06F12B37E5E
TrID	50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 10.5% (.EXE) Win64 Executable (generic) (6522/11/2) 8.1% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
dhash icon	916a6e6a6a6a6a64 (27 x RedLineStealer, 23 x Smoke Loader, 10 x RecordBreaker)
Reporter	abuse_ch
Tags:	exe Stealc

abuse_ch

Stealc C2:
http://777palm.com/bef7fb05c9ef6540.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://777palm.com/bef7fb05c9ef6540.php	https://threatfox.abuse.ch/ioc/1081612/

Intelligence

File Origin

# of uploads :

# of downloads :

124

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

AceCryptor Stealc

Details

AceCryptor

an extracted payload

AceCryptor

an extracted shellcode loader component and the ms_c_rand-XOR seed

AceCryptor

an extracted shellcode loader component and a TEA decryption key

Stealc

decrypted strings, an RC4 key, c2 url, url paths, and possibly a missionid and a separate network RC4 key

Link:

https://research.acce.ciphertechsolutions.com/results/d2f8e1b6-743e-4757-9e2a-63e03a17f3f7/

Malware family:

n/a

ID:

File name:

x5e4360008d4cdd40ede1d19a565cf754598425d03c56cdfdeff248736600d014.exe

Verdict:

Malicious activity

Analysis date:

2026-03-23 17:34:00 UTC

Tags:

stealc stealer

Link:

https://app.any.run/tasks/8f0b42ff-0f41-4a9d-8f2e-ef4fbdcf71e3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Gathering data

Detection(s):

Win.Packed.Trojanx-9987262-0

Verdict:

Malicious

Score:

81.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69c17987390b996474130d69

Tags:

injection

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Launching the default Windows debugger (dwwin.exe)

DNS request

Gathering data

Verdict:

Malicious

Labled as:

Mint.Zard.Generic

Link:

https://www.hybrid-analysis.com/sample/5e4360008d4cdd40ede1d19a565cf754598425d03c56cdfdeff248736600d014

Verdict:

Malicious

File Type:

exe x32

Detections:

Trojan.Win32.Chapak.sb HEUR:Trojan.Win32.Zenpak.gen Trojan-PSW.Win32.Stealerc.sb Trojan.Win32.Zenpak.sb Trojan.Win32.Yakes.sb Trojan.Win32.Strab.sb

Link:

https://opentip.kaspersky.com/5e4360008d4cdd40ede1d19a565cf754598425d03c56cdfdeff248736600d014/results?tab=lookup

Malware family:

Stealc

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/de09477b-a159-4b43-a495-3d4e7d61c731

Result

Threat name:

Stealc

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1888101

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found evasive API chain (may stop execution after checking locale)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Unusual module load detection (module proxying)

Yara detected Stealc

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/5e4360008d4cdd40ede1d19a565cf754598425d03c56cdfdeff248736600d014

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5e4360008d4cdd40ede1d19a565cf754598425d03c56cdfdeff248736600d014/

Verdict:

Malicious

Threat:

Family.STEALC

Link:

https://tip.neiki.dev/file/5e4360008d4cdd40ede1d19a565cf754598425d03c56cdfdeff248736600d014

Threat name:

Win32.Backdoor.SmokeLoader

Status:

Malicious

First seen:

2026-03-14 19:20:05 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 24 (95.83%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=lzbwaaenjtoub3pb2gnfmxhxkrmyijoqhrlm37pp6jehgzqa2aka._file

Verdict:

malicious

Label(s):

stealc

shellcode_loader_002

Result

Malware family:

stealc

Score:

10/10

Tags:

family:stealc botnet:default discovery stealer

Link:

https://tria.ge/reports/260324-k5w3msgx9q/

Behaviour

Program crash

System Location Discovery: System Language Discovery

Detects Stealc stealer

Stealc

Stealc family

Malware Config

C2 Extraction:

http://777palm.om

Unpacked files

SH256 hash:

5e4360008d4cdd40ede1d19a565cf754598425d03c56cdfdeff248736600d014

MD5 hash:

05f5addcc409e0d8bd1ef0d464a75e42

SHA1 hash:

cd01fae386600b86d751212f0fb9185618ab09de

Link:

https://www.unpac.me/results/c43fd8e6-6eac-4822-94e7-6ceb036a57be/

SH256 hash:

b4bd180c14d6869f3cf5601d9d8540a2ac6e20bef4a9c68b8499a6c1770ed828

MD5 hash:

654c8fd62b651a4e3dfb7d351e293a24

SHA1 hash:

ea605bd371906c0d931527ce5a4926b4e3d4fdb5

Detections:

win_stealc_w0

win_stealc_auto

win_stealc_a0

Win32_Infostealer_StealC

Link:

https://www.unpac.me/results/c43fd8e6-6eac-4822-94e7-6ceb036a57be/

Parent samples :

5e4360008d4cdd40ede1d19a565cf754598425d03c56cdfdeff248736600d014
621e48effd3bea252f5a21019527a7babfdd475b8ae9923ad7bacdbc89f9f34d

Malware family:

Stealc

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5e4360008d4c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5e4360008d4cdd40ede1d19a565cf754598425d03c56cdfdeff248736600d014

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE Create hunting rule
Author:	CYFARE
Description:	Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:	https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/58938/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample