MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d33f632c9b59f6a6839ee32cb613f5409aa7007785358e12c3e4f1c11f17fa3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


WallStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6d33f632c9b59f6a6839ee32cb613f5409aa7007785358e12c3e4f1c11f17fa3
SHA3-384 hash: 19d3ebb10dc0df42e84c44ab8c8b59b230923587ca3c5ca01e31c45ae716780ce6b77a135cf8ced59ddac5e63427b4be
SHA1 hash: 53ec539629f1e112b2e92f139824f0bc1eb2f3be
MD5 hash: fd9e38e1799045d32bfba5ea6b6a60b3
humanhash: beer-four-fish-louisiana
File name:DAIs3ZV.exe
Download: download sample
Signature WallStealer
Create hunting rule
File size:9'436'160 bytes
First seen:2026-03-18 08:50:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2c1853915d316a65d08a8dc489aff101 (3 x WallStealer)
ssdeep 49152:T9DoEo71k3Q0H9ubngSsLxO9IWV0yJPePn6vE38Xnb/EQlce/gKSFd+RrYP1l8W+:s
TLSH T11E96638FB2748613C8E262B5B20635727E2AD435479983B77CEDE435319F0BE4A728D4
TrID 37.0% (.EXE) Win64 Executable (generic) (6522/11/2)
28.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.5% (.EXE) OS/2 Executable (generic) (2029/13)
11.3% (.EXE) Generic Win/DOS Executable (2002/3)
11.3% (.EXE) DOS Executable (generic) (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe WallStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
126
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
DAIs3ZV.exe
Verdict:
Malicious activity
Analysis date:
2026-03-18 08:51:36 UTC
Tags:
stealer wallstealer
Link:
https://app.any.run/tasks/2694975c-6992-4145-abd4-c04d5c8ab5c0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/57899/
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.64411423.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69ba678888c80c01586b910e
Tags:
shellcode virus crypt
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Сreating synchronization primitives
Behavior that indicates a threat
Connection attempt to an infection source
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 evasive fingerprint overlay packed unsafe
Link:
https://www.filescan.io/uploads/69ba6784493cb7d62d03e220/reports/f6afa3f3-8536-427b-bee6-57c3d9648418/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/6d33f632c9b59f6a6839ee32cb613f5409aa7007785358e12c3e4f1c11f17fa3
Verdict:
Malicious
File Type:
exe x64
Detections:
Trojan.Win32.Agentb.tqft PDM:Trojan.Win32.Generic HEUR:Trojan.Win32.Agentb.gen HEUR:HackTool.Multi.AmsiETWPatch.gen Trojan-PSW.Vidar.HTTP.C&C Trojan-PSW.Stealer.TCP.C&C Trojan-PSW.Stealer.HTTP.C&C Trojan-PSW.Lumma.TCP.C&C
Link:
https://opentip.kaspersky.com/6d33f632c9b59f6a6839ee32cb613f5409aa7007785358e12c3e4f1c11f17fa3/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/cc8816fd-447f-4050-b8bc-de6a8856d49c
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1885420
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Changes memory attributes in foreign processes to executable or writable
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sets debug register (to hijack the execution of another thread)
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1885420 Sample: DAIs3ZV.exe Startdate: 18/03/2026 Architecture: WINDOWS Score: 100 49 callpit.icu 2->49 51 steamcommunity.com 2->51 53 adcashpro.icu 2->53 73 Suricata IDS alerts for network traffic 2->73 75 Antivirus detection for URL or domain 2->75 77 Multi AV Scanner detection for submitted file 2->77 79 Joe Sandbox ML detected suspicious sample 2->79 8 DAIs3ZV.exe 2->8         started        signatures3 process4 dnsIp5 67 callpit.icu 82.25.63.156, 443, 49690, 49691 NTLGB United Kingdom 8->67 69 adcashpro.icu 104.21.38.207, 443, 49688 CLOUDFLARENETUS United States 8->69 71 steamcommunity.com 184.24.57.225, 443, 49689 AKAMAI-ASUS United States 8->71 81 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->81 83 Hijacks the control flow in another process 8->83 85 Found many strings related to Crypto-Wallets (likely being stolen) 8->85 87 9 other signatures 8->87 12 WerFault.exe 8->12         started        15 WerFault.exe 8->15         started        17 msedge.exe 3 78 8->17         started        20 9 other processes 8->20 signatures6 process7 dnsIp8 39 C:\ProgramData\Microsoft\...\Report.wer, Unicode 12->39 dropped 41 C:\ProgramData\Microsoft\...\Report.wer, Unicode 15->41 dropped 43 239.255.255.250 unknown Reserved 17->43 22 msedge.exe 17->22         started        25 msedge.exe 17->25         started        27 msedge.exe 17->27         started        29 WerFault.exe 17->29         started        45 192.168.2.25 unknown unknown 20->45 47 192.168.2.26 unknown unknown 20->47 31 msedge.exe 20->31         started        33 WerFault.exe 16 20->33         started        35 msedge.exe 20->35         started        37 6 other processes 20->37 file9 process10 dnsIp11 55 part-0029.t-0009.t-msedge.net 13.107.213.57, 443, 49697, 49727 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 22->55 57 part-0029.t-0009.fb-t-msedge.net 13.107.253.57, 443, 49740 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 22->57 63 29 other IPs or domains 22->63 59 13.107.246.57, 443, 49694, 49759 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 31->59 61 mr-afd-azuredge.tm-azurefd.net 150.171.110.1, 443, 49766 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 31->61 65 24 other IPs or domains 31->65
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6d33f632c9b59f6a6839ee32cb613f5409aa7007785358e12c3e4f1c11f17fa3
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6d33f632c9b59f6a6839ee32cb613f5409aa7007785358e12c3e4f1c11f17fa3/
Verdict:
Malicious
Threat:
Family.WALLSTEALER
Link:
https://tip.neiki.dev/file/6d33f632c9b59f6a6839ee32cb613f5409aa7007785358e12c3e4f1c11f17fa3
Threat name:
Win64.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-03-18 08:51:29 UTC
File Type:
PE+ (Exe)
Extracted files:
3
AV detection:
17 of 36 (47.22%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nuz7mmwjwwpwu2bz5yzmwyj7kqe2u4ahpbjvryjmhzhryeprp6rq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/260318-ksac4sb17q/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
System Time Discovery
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
6d33f632c9b59f6a6839ee32cb613f5409aa7007785358e12c3e4f1c11f17fa3
MD5 hash:
fd9e38e1799045d32bfba5ea6b6a60b3
SHA1 hash:
53ec539629f1e112b2e92f139824f0bc1eb2f3be
Link:
https://www.unpac.me/results/72478d17-d529-4f24-9f30-470533b74889/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6d33f632c9b5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6d33f632c9b59f6a6839ee32cb613f5409aa7007785358e12c3e4f1c11f17fa3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:Surtr
Create hunting rule
Author:Katie Kleemola
Description:Rule for Surtr Stage One
Rule name:SurtrStrings
Create hunting rule
Author:Katie Kleemola
Description:Strings for Surtr
Rule name:TH_Generic_MassHunt_Win_Malware_2025_CYFARE
Create hunting rule
Author:CYFARE
Description:Generic Windows malware mass-hunt rule - 2025
Reference:https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

WallStealer

Executable exe 6d33f632c9b59f6a6839ee32cb613f5409aa7007785358e12c3e4f1c11f17fa3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3797366/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/57899/

Comments