MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6381a3f5fc76fdd31bd00a04055d8a7a413217dbf94084fe9f37ef6ff51dd523. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SkuldStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6381a3f5fc76fdd31bd00a04055d8a7a413217dbf94084fe9f37ef6ff51dd523
SHA3-384 hash: 840248514e92bfaf01fad4fb1676ae393ab2b1144aecf384422418829b8749da4e07251e5a2e0aacab2cd809a6dbe47b
SHA1 hash: 5455176a7647f15572269d15a51959ff11a8d6bc
MD5 hash: 5043c2662dc3317a39df544aa034ee3a
humanhash: bacon-july-london-early
File name:SecurityHealthSystray.exe
Download: download sample
Signature SkuldStealer
Create hunting rule
File size:3'403'776 bytes
First seen:2025-08-09 09:05:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (234 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep 49152:86TMapSKALaDWX2Zo88OAraYF9dbDF/dO+xgYWwOmM1lnyMupm2vw9N0r0IvZXQX:8m4K742WvprB9FDF/dOIgYOK4Xi0eC
TLSH T11BF533497D80DAE4ED064F37F78A4EBE15DAB08C151D4B4A3F2A78DE187B06368821C7
TrID 63.5% (.EXE) UPX compressed Win64 Executable (70117/5/12)
24.5% (.EXE) UPX compressed Win32 Executable (27066/9/6)
4.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.8% (.ICL) Windows Icons Library (generic) (2059/9)
1.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter burger
Tags:exe SkuldStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
49
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
niga.exe
Verdict:
Malicious activity
Analysis date:
2025-08-08 12:55:38 UTC
Tags:
uac evasion skuld python stealer trox arch-doc screenshot
Link:
https://app.any.run/tasks/18eedd5e-6316-4b7f-91d1-fd22069aa757

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/19858/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68970f451e8a59ee04e7e490
Tags:
backdoor lien sage hype
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Connection attempt
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Sending an HTTP GET request
Enabling the 'hidden' option for analyzed file
Сreating synchronization primitives
Creating a window
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm anti-vm crypto packed packed packed upx
Link:
https://www.filescan.io/uploads/68970f6e397fd3ce6fa30e9d/reports/699ad2df-a040-4b41-95cd-8616902fee35/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/6381a3f5fc76fdd31bd00a04055d8a7a413217dbf94084fe9f37ef6ff51dd523
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/052ec73f-5a9c-4db5-a956-6af22519127d
Result
Threat name:
Go Stealer, Skuld Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1753619
Signature
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Check if machine is in data center or colocation facility
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Installs new ROOT certificates
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies the hosts file
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal communication platform credentials (via file / registry access)
Tries to steal Crypto Currency Wallets
UAC bypass detected (Fodhelper)
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Yara detected Go Stealer
Yara detected Skuld Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1753619 Sample: SecurityHealthSystray.exe Startdate: 09/08/2025 Architecture: WINDOWS Score: 100 51 nameless-mouse-2f97.gogohoog546.workers.dev 2->51 53 ip-api.com 2->53 55 api.ipify.org 2->55 69 Sigma detected: Capture Wi-Fi password 2->69 71 Multi AV Scanner detection for submitted file 2->71 73 Yara detected Skuld Stealer 2->73 75 10 other signatures 2->75 9 SecurityHealthSystray.exe 2 73 2->9         started        14 SecurityHealthSystray.exe 2->14         started        16 SecurityHealthSystray.exe 2->16         started        signatures3 process4 dnsIp5 57 ip-api.com 208.95.112.1, 49718, 49725, 80 TUT-ASUS United States 9->57 59 nameless-mouse-2f97.gogohoog546.workers.dev 104.21.25.193, 443, 49721 CLOUDFLARENETUS United States 9->59 61 api.ipify.org 104.26.12.205, 443, 49716, 49724 CLOUDFLARENETUS United States 9->61 45 C:\Users\user\...\SecurityHealthSystray.exe, PE32+ 9->45 dropped 47 C:\Windows\System32\drivers\etc\hosts, ASCII 9->47 dropped 77 Installs new ROOT certificates 9->77 79 Found many strings related to Crypto-Wallets (likely being stolen) 9->79 81 Uses cmd line tools excessively to alter registry or file data 9->81 87 11 other signatures 9->87 18 powershell.exe 9->18         started        21 powershell.exe 23 9->21         started        23 netsh.exe 9->23         started        31 12 other processes 9->31 83 Multi AV Scanner detection for dropped file 14->83 85 UAC bypass detected (Fodhelper) 14->85 25 conhost.exe 14->25         started        27 cmd.exe 14->27         started        29 WMIC.exe 14->29         started        34 2 other processes 14->34 36 2 other processes 16->36 file6 signatures7 process8 file9 63 Found many strings related to Crypto-Wallets (likely being stolen) 18->63 65 Loading BitLocker PowerShell Module 18->65 67 Uses cmd line tools excessively to alter registry or file data 23->67 49 C:\Users\user\AppData\...\kzcbcjuy.cmdline, Unicode 31->49 dropped 38 csc.exe 31->38         started        signatures10 process11 file12 43 C:\Users\user\AppData\Local\...\kzcbcjuy.dll, PE32 38->43 dropped 41 cvtres.exe 38->41         started        process13
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6381a3f5fc76fdd31bd00a04055d8a7a413217dbf94084fe9f37ef6ff51dd523
Verdict:
inconclusive
YARA:
3 match(es)
Tags:
Executable PE (Portable Executable) Win 64 Exe x64
Link:
https://app.malva.re/file/5043c2662dc3317a39df544aa034ee3a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6381a3f5fc76fdd31bd00a04055d8a7a413217dbf94084fe9f37ef6ff51dd523/
Verdict:
Malicious
Threat:
Trojan-PSW.Win32.AntiVM
Link:
https://tip.neiki.dev/file/6381a3f5fc76fdd31bd00a04055d8a7a413217dbf94084fe9f37ef6ff51dd523
Threat name:
Win64.Trojan.YanismaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-08-09 09:05:11 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=moa2h5p4o365gg6qbicakxmkpjatef637faij7u7g7xw75i52urq._file
Verdict:
malicious
Label(s):
skuldstealer
Create hunting rule
Similar samples:
error
SkuldStealer
Result
Malware family:
n/a
Score:
  5/10
Tags:
upx
Link:
https://tria.ge/reports/250809-k2j9nsyqy7/
Behaviour
Suspicious use of AdjustPrivilegeToken
UPX packed file
Verdict:
Malicious
Tags:
trojan Cloudflare_Workers External_IP_Lookup Stealer
YARA:
SUSP_Imphash_Mar23_3
Link:
https://app.threat.zone/submission/108f73a7-887e-441c-824d-991294321c23
Unpacked files
SH256 hash:
6381a3f5fc76fdd31bd00a04055d8a7a413217dbf94084fe9f37ef6ff51dd523
MD5 hash:
5043c2662dc3317a39df544aa034ee3a
SHA1 hash:
5455176a7647f15572269d15a51959ff11a8d6bc
Link:
https://www.unpac.me/results/fd37fd22-2ff1-49ea-a4b8-1659b5ddb32b/
SH256 hash:
fe80f80d3d41a01cfbbcf209d9d523b2a0dc2341a2ca25f89aa5adb4d56631e8
MD5 hash:
a668e309394628c6b6773ed7961413b8
SHA1 hash:
44b6d5535c3924070e8b15557c7d81feb28a8396
Detections:
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
INDICATOR_SUSPICIOUS_VM_Evasion_MACAddrComb
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxSystemUUIDs
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Crypto_Wallet_Regex
Create hunting rule
Link:
https://www.unpac.me/results/fd37fd22-2ff1-49ea-a4b8-1659b5ddb32b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6381a3f5fc76/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.14
Link:
https://yomi.yoroi.company/submissions/6381a3f5fc76fdd31bd00a04055d8a7a413217dbf94084fe9f37ef6ff51dd523

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_Imphash_Mar23_3
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:Internal Research
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:upx_largefile
Create hunting rule
Author:k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

SkuldStealer

Executable exe 40d524ba12ded4ec3d041b76deb428be5f19702414f85c5596362b3512ef3dfe

SkuldStealer

Executable exe 6381a3f5fc76fdd31bd00a04055d8a7a413217dbf94084fe9f37ef6ff51dd523

(this sample)

  
Dropped by
SHA256 40d524ba12ded4ec3d041b76deb428be5f19702414f85c5596362b3512ef3dfe
Cape
Cape
https://www.capesandbox.com/analysis/19858/
  
Dropped by
MD5 c3075d13b1389b0e0c0de80f937bfe93

Comments