MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6626917df8fea3f9516a08e8100635b1a3b8e5bd767529ed09787a4e4f3f1444. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 16


Intelligence 16 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6626917df8fea3f9516a08e8100635b1a3b8e5bd767529ed09787a4e4f3f1444
SHA3-384 hash: ce4708232513bc9217138a6b18c9eb7afda7e16287f4aeb2d78a6881686fcedfda897be78113e97f365d83bc7cc86fd6
SHA1 hash: 6f3bc6f23cc114b4a53c67fc9f8311c85d9db5f8
MD5 hash: 10f45b3f694d39a3c33e7368588f65f1
humanhash: virginia-floor-mars-ink
File name:file
Download: download sample
Signature Stealc
Create hunting rule
File size:1'659'904 bytes
First seen:2025-09-04 04:06:00 UTC
Last seen:2025-09-24 04:06:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 37801b95c438a73e300d9190a7cb0752 (8 x LummaStealer, 5 x Stealc, 3 x Vidar)
ssdeep 24576:tUYxEL+Rbj/0c9qx6rFdmJYPC0pAWs6rnYKT4H5rzmKvI8sMjpU7Y:tUAE69t9qsFQ0pI6r2Hc8s8D
Threatray 199 similar samples on MalwareBazaar
TLSH T15175F118AC7590DAFCD340706F7A9112E533BD7BCB242EAB41E497511A06EFD0A3E366
TrID 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe Stealc


Avatar
Bitsight
url: http://176.46.152.47/bot.exe

Intelligence

File Origin
# of uploads :
24
# of downloads :
72
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file.exe
Verdict:
Malicious activity
Analysis date:
2025-09-04 04:10:19 UTC
Tags:
stealc stealer
Link:
https://app.any.run/tasks/595bfb1b-78bc-4bbb-bb21-4d854ac2675c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Stealc
Create hunting rule
Link:
https://www.capesandbox.com/analysis/24986/
Detection(s):
Win.Packed.Lazy-10057809-0
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68b91049eb163e0ec1844638
Tags:
emotet extens virus remo
Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Restart of the analyzed sample
Сreating synchronization primitives
Sending an HTTP POST request to an infection source
Sending a custom TCP request
Connection attempt to an infection source
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/6626917df8fea3f9516a08e8100635b1a3b8e5bd767529ed09787a4e4f3f1444
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-09-03T13:42:00Z UTC
Last seen:
2025-09-03T13:42:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/6626917df8fea3f9516a08e8100635b1a3b8e5bd767529ed09787a4e4f3f1444/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/6b8be03b-fdb6-4433-adc0-2f2f80d1e088
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6626917df8fea3f9516a08e8100635b1a3b8e5bd767529ed09787a4e4f3f1444
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/10f45b3f694d39a3c33e7368588f65f1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6626917df8fea3f9516a08e8100635b1a3b8e5bd767529ed09787a4e4f3f1444/
Verdict:
Malicious
Threat:
Family.STEALC
Link:
https://tip.neiki.dev/file/6626917df8fea3f9516a08e8100635b1a3b8e5bd767529ed09787a4e4f3f1444
Threat name:
Win64.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-09-04 01:25:24 UTC
File Type:
PE+ (Exe)
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mytjc7py72r7sulkbdubabrvwgr3rzn5oz2st3ijpb5e4tz7crca._file
Verdict:
malicious
Label(s):
stealc
Create hunting rule
lummastealer
Create hunting rule
Similar samples:
451753ecd4346bc3ba642d0f23fc4838196fcf668fe414ec68a958bac48aedf5
Stealc
5eca42331ae9a3f0ac2bf39266cf5d4b2a2694b52a3014ea3cad4243ccd8860a
Stealc
825772cb107224690e35b423882883bd59349d8942be7448a9024a2aacfab4de
Stealc
9dd11cef91d0ff03900e69e0c2a9bec6ea80233fea7c98a8abef3287d35cea11
Stealc
b2c3c6e352faa8e7357f6da60e03a4d94421b33802c84445a8c72c8b7cd6b378
Stealc
b75d16f3d805baf49792f7f39c7e4dbd27e2bf134b4519922a23a1bfb0afc092
Stealc
c3b72389eba306e58381b4a62bce1d04e1071664dc2ec106e06e59a32fb4e54f
Stealc
cb9bd04a140f01165856fc726e03801c3d757a63bfda2b8b4638d2bfb726d089
Stealc
d05d6df07fb2fb70e80fb69bc8e38600b88711b2d179e024e4cb96aa43f272e5
Stealc
eb3897c3c88c16f9c0202a285e7dd9ac51fb1debb0e8a0298904d14a633f2915
Stealc
+ 189 additional samples on MalwareBazaar
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:lumma family:stealc botnet:ucov adware discovery persistence pyinstaller ransomware spyware stealer
Link:
https://tria.ge/reports/250904-epewjahn2z/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Checks processor information in registry
Modifies Internet Explorer settings
Modifies registry class
Opens file in notepad (likely ransom note)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Detects Pyinstaller
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Lumma Stealer, LummaC
Lumma family
Stealc
Stealc family
Malware Config
C2 Extraction:
http://176.46.152.46
https://t.me/quincyplayer6
https://starexs.bet/tskx
https://mastwin.in/qsaz
https://noggs.ru/yopd
https://georgej.ru/plnb
https://oneflof.ru/tids
https://epitherd.ru/zadw
https://backab.ru/lkdo
https://eigwos.ru/wqex
https://kimmenkiz.ru/zldw
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/94c451fb-b728-429f-8301-9f82938d78d8
Unpacked files
SH256 hash:
6626917df8fea3f9516a08e8100635b1a3b8e5bd767529ed09787a4e4f3f1444
MD5 hash:
10f45b3f694d39a3c33e7368588f65f1
SHA1 hash:
6f3bc6f23cc114b4a53c67fc9f8311c85d9db5f8
Link:
https://www.unpac.me/results/5097f208-5fa6-4350-b35d-2ec49c99b455/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6626917df8fe/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6626917df8fea3f9516a08e8100635b1a3b8e5bd767529ed09787a4e4f3f1444

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:aachum_Stealcv2
Create hunting rule
Author:aachum
Description:Detects new version of Stealc.
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Heuristics_ChromeABE
Create hunting rule
Author:Still
Description:attempts to match instructions related to Chrome App-bound Encryption elevation service; possibly spotted amongst infostealers
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:StealcV2
Create hunting rule
Author:Still
Description:attempts to match the instructions found in StealcV2
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe 6626917df8fea3f9516a08e8100635b1a3b8e5bd767529ed09787a4e4f3f1444

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3593488/
  
URLhaus
https://urlhaus.abuse.ch/url/3602898/
Cape
Cape
https://www.capesandbox.com/analysis/24986/

Comments