MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6cc3e7ef09fea2a6795295260bf4cf3377729e32fe859ad70b8a309e9f8fb80a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XillenStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 56 File information Comments

SHA256 hash:	6cc3e7ef09fea2a6795295260bf4cf3377729e32fe859ad70b8a309e9f8fb80a
SHA3-384 hash:	da6c41dfa01dc4af6960f98c65885be0804934cd9e0558fa98af1fce2700e4750e33592b5d50aabff9607b4b33f1d7d0
SHA1 hash:	d2634c4539d6a4729db6fda134f84742c139beb9
MD5 hash:	da7caa3b47a42ef7c3f142b85529e10b
humanhash:	glucose-nine-november-mississippi
File name:	6cc3e7ef09fea2a6795295260bf4cf3377729e32fe859ad70b8a309e9f8fb80a
Download:	download sample
Signature	XillenStealer Create hunting rule
File size:	2'181'848 bytes
First seen:	2026-01-30 18:54:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	99ee65c2db82c04251a5c24f214c8892 (38 x Formbook, 13 x RemcosRAT, 4 x SnakeKeylogger)
ssdeep	49152:npUlRhK0J93qSMiCibRuqTuLmZ1Gl1RhchGxShSgaQfUN:npUltUSM36RvTrMlhc8ghSgp8N
Threatray	146 similar samples on MalwareBazaar
TLSH	T134A52203BB85A4B2C42255311B5AC761263C79305F128DEB63D5BD2FAB744D1E23AF63
TrID	40.3% (.EXE) Win64 Executable (generic) (10522/11/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4504/4/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
dhash icon	9494b494d4aeaeac (882 x DCRat, 479 x NirCmd, 172 x RedLineStealer)
Reporter	JAMESWT_WT
Tags:	adm-toolkit-live exe signed XillenStealer

Code Signing Certificate

Organisation:	Girand Studio
Issuer:	Girand Studio
Algorithm:	sha256WithRSAEncryption
Valid from:	2025-12-30T03:37:43Z
Valid to:	2026-12-30T03:57:43Z
Serial number:	3acf758293b998b6458b65e00d433aa0
Thumbprint Algorithm:	SHA256
Thumbprint:	58083422cd7e8576f84dbd9a2749c18fd97ca5431c558ca919fffc709b666bc2
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

146

Origin country :

Vendor Threat Intelligence

Gathering data

Malware family:

n/a

ID:

File name:

Girand.exe

Verdict:

Malicious activity

Analysis date:

2026-01-05 14:51:51 UTC

Tags:

evasion stealer telegram generic antivm ip-check upx crypto-regex xillen amsi-bypass ims-api

Link:

https://app.any.run/tasks/e891f0e4-e91d-428f-9d59-777768574415

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/50921/

Detection(s):

SecuriteInfo.com.Win32.Malware-gen.52467531.UNOFFICIAL

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=695bd006e148d42004df90a1

Tags:

ransomware injection obfusc

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

adaptive-context anti-debug anti-vm crypto fingerprint installer installer installer-heuristic microsoft_visual_cc overlay overlay packed packed sfx signed

Link:

https://www.filescan.io/uploads/697cfe64c9bfb60ece19a359/reports/66efe0c5-c022-4d29-889b-0f2fc9a38d4b/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/6cc3e7ef09fea2a6795295260bf4cf3377729e32fe859ad70b8a309e9f8fb80a

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-01-05T12:00:00Z UTC

Last seen:

2026-01-06T00:55:00Z UTC

Hits:

~100

Link:

https://opentip.kaspersky.com/6cc3e7ef09fea2a6795295260bf4cf3377729e32fe859ad70b8a309e9f8fb80a/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/c99ca290-5828-4ad2-a56d-83c4f59d9309

Score:

78%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/6cc3e7ef09fea2a6795295260bf4cf3377729e32fe859ad70b8a309e9f8fb80a

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6cc3e7ef09fea2a6795295260bf4cf3377729e32fe859ad70b8a309e9f8fb80a/

Verdict:

Malicious

Threat:

Trojan-PSW.Win32.Stealer

Link:

https://tip.neiki.dev/file/6cc3e7ef09fea2a6795295260bf4cf3377729e32fe859ad70b8a309e9f8fb80a

Threat name:

Win32.Trojan.Cryware

Status:

Malicious

First seen:

2026-01-05 14:51:52 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 38 (55.26%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ntb6p3yj72rkm6kssutax5gpgn3xfhrs72czvvylriyj5h4pxafa._file

Verdict:

malicious

Label(s):

arkanixstealer

XillenStealer

4ca06ee3340b192b3ca3ff2d08ab69f3753c6a805c2db18ef81303d7beeb7d68

XillenStealer

6962ecb3e9c43b067ef6f3e6a445d8110f24165c3dd5704b3d2cc85fc3b65ba7

XillenStealer

6c292a1785ee86d820b7cd804efe7ae31b179cbab3a99fed8c5fccb1e2750936

XillenStealer

b9cb9cf246d2d9d8a4bff2d7758267af69bcb1f3179d104d66eb0a73e54ab524

XillenStealer

error

XillenStealer

+ 136 additional samples on MalwareBazaar

Result

Malware family:

chromelevator

Score:

10/10

Tags:

family:chromelevator discovery execution hacktool persistence privilege_escalation spyware stealer upx

Link:

https://tria.ge/reports/260130-xkfalses8f/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Browser Information Discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Wi-Fi Discovery

UPX packed file

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Command and Scripting Interpreter: PowerShell

ChromElevator

Chromelevator family

Contains code to disable Windows Defender

Detects ChromElevator

Unpacked files

SH256 hash:

6cc3e7ef09fea2a6795295260bf4cf3377729e32fe859ad70b8a309e9f8fb80a

MD5 hash:

da7caa3b47a42ef7c3f142b85529e10b

SHA1 hash:

d2634c4539d6a4729db6fda134f84742c139beb9

Link:

https://www.unpac.me/results/4eabeff8-0f41-45be-9feb-b5da11947bca/

SH256 hash:

457a0866fe8168d38ad9d98952c33d2dbe79b4d6109ee9e2f684679b40201553

MD5 hash:

9363a8ae847219265651d712a7bc9d0f

SHA1 hash:

4e6a07e30da6ea12714137bb20bf764db3cba340

Link:

https://www.unpac.me/results/4eabeff8-0f41-45be-9feb-b5da11947bca/

Malware family:

ReflectiveLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6cc3e7ef09fe/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BunnyLoader Create hunting rule
Author:	indest
Description:	generic crypto/card stealer rule

Rule name:	Check_Qemu_Description Create hunting rule

Rule name:	Check_VBox_Description Create hunting rule

Rule name:	Check_VBox_VideoDrivers Create hunting rule

Rule name:	CMD_Ping_Localhost Create hunting rule

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__RemoteAPI Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	detect_powershell Create hunting rule
Author:	daniyyell
Description:	Detects suspicious PowerShell activity related to malware execution

Rule name:	Detect_Remcos_RAT Create hunting rule
Author:	daniyyell
Description:	Detects Remcos RAT payloads and commands

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	Glasses Create hunting rule
Author:	Seth Hardy
Description:	Glasses family

Rule name:	GlassesCode Create hunting rule
Author:	Seth Hardy
Description:	Glasses code features

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	grakate_stealer_nov_2021 Create hunting rule

Rule name:	has_telegram_urls Create hunting rule
Author:	Aaron DeVera<aaron@backchannel.re>
Description:	Detects Telegram URLs

Rule name:	HKTL_Meterpreter_inMemory Create hunting rule
Author:	netbiosX, Florian Roth
Description:	Detects Meterpreter in-memory
Reference:	https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/

Rule name:	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs Create hunting rule
Author:	ditekSHen
Description:	Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_DisableWinDefender Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing artifacts associated with disabling Widnows Defender

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender Create hunting rule
Author:	ditekSHen
Description:	Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	INDICATOR_SUSPICIOUS_References_SecTools Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many IR and analysis tools

Rule name:	INDICATOR_SUSPICIOUS_VM_Evasion_MACAddrComb Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing virtualization MAC addresses

Rule name:	Macos_Infostealer_Wallets_8e469ea0 Create hunting rule
Author:	Elastic Security

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	ReflectiveLoader Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:	Internal Research

Rule name:	rhadamanthys_ps1_v1 Create hunting rule
Author:	RandomMalware

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SelfExtractingRAR Create hunting rule
Author:	Xavier Mertens
Description:	Detects an SFX archive with automatic script execution

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	Sus_All_Windows_PE_Malware Create hunting rule
Author:	DiegoAnalytics
Description:	Detects Windows PE malware of all types, avoids non-executables like .html

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	TelegramAPIMalware_PowerShell_EXE Create hunting rule
Author:	@polygonben
Description:	Hunting for pwsh malware using Telegram for C2

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

Rule name:	WIN_ClickFix_Detection Create hunting rule
Author:	dogsafetyforeverone
Description:	Detects ClickFix social engineering technique using 'Verify you are human' messages and malicious PowerShell commands
Reference:	ClickFix social engineering and malicious PowerShell commands

Rule name:	WIN_FileFix_Detection Create hunting rule
Author:	dogsafetyforeverone
Description:	Detects FileFix social engineering technique that launches chained PowerShell and PHP commands from file explorer typed paths
Reference:	FileFix social engineering with PowerShell and PHP commands

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/50921/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample