MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6fb87b8587bcfad6d1ce722a2e4e245789fc4816171015efbee479a30108e2c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SantaStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6fb87b8587bcfad6d1ce722a2e4e245789fc4816171015efbee479a30108e2c9
SHA3-384 hash: 3e7178c212cf7fa68859170c9280ac2ea28bbeeac2e75769e1f6dca9e873831064b879ce633fea917f9abc06cfee804f
SHA1 hash: dcc5eef439d1f5e3226a6381d3fca21ec816ca9a
MD5 hash: 7353a954cec61f3e25fd5721d21ef103
humanhash: emma-glucose-summer-ohio
File name:file
Download: download sample
Signature SantaStealer
Create hunting rule
File size:14'780'265 bytes
First seen:2026-04-13 09:51:26 UTC
Last seen:2026-04-13 16:05:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ac4ded70f85ef621e5f8917b250855be (72 x OffLoader, 6 x Gh0stRAT, 5 x Tofsee)
ssdeep 196608:jpGBlSIdZUmNtRwaXpTvxIZ65Y43+BVpuu:jpGjYmNXNvqZ683
TLSH T128E61223B28A633EE06A1A3745B2D1304D3B6E51A51B8C5696F03C5FFF3A1601E3E657
TrID 63.8% (.EXE) Inno Setup installer (107240/4/30)
24.7% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
3.8% (.EXE) Win64 Executable (generic) (6522/11/2)
2.6% (.EXE) Win32 Executable (generic) (4504/4/1)
1.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
dhash icon 058e2b17172b8e40 (1 x SantaStealer)
Reporter Bitsight
Tags:a dropped-by-gcleaner exe MIX4.file SantaStealer


Avatar
Bitsight
url: http://158.94.209.95/service

Intelligence

File Origin
# of uploads :
11
# of downloads :
158
Origin country :
US US
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/c20a3927-be48-4937-a255-cf3a006547ad/
Malware family:
teamviewer
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2026-04-13 09:54:14 UTC
Tags:
inno installer delphi auto-reg stealer teamviewer rmm-tool tightvnc santastealer upx telegram
Link:
https://app.any.run/tasks/fe42d328-6ced-4d95-ad52-dbe219f35002

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/61343/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69dcbcabf68adfe10039541c
Tags:
shellcode dropper virus
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context anti-debug embarcadero_delphi expand fingerprint inno installer installer installer-heuristic lolbin packed
Link:
https://www.filescan.io/uploads/69dcbca3d920e19044f9a96d/reports/5975bf80-191c-4ba3-add9-e3a4f134bfa2/overview
Verdict:
Malicious
Labled as:
TrojanDldr.OffLoader.gen
Link:
https://www.hybrid-analysis.com/sample/6fb87b8587bcfad6d1ce722a2e4e245789fc4816171015efbee479a30108e2c9
Result
Gathering data
Verdict:
Clean
File Type:
exe x32
Link:
https://opentip.kaspersky.com/6fb87b8587bcfad6d1ce722a2e4e245789fc4816171015efbee479a30108e2c9/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/fb45dfc0-a879-4037-ab77-439a097ae70d
Score:
58%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/6fb87b8587bcfad6d1ce722a2e4e245789fc4816171015efbee479a30108e2c9
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6fb87b8587bcfad6d1ce722a2e4e245789fc4816171015efbee479a30108e2c9/
Verdict:
Malicious
Threat:
Family.TIGHTVNC
Link:
https://tip.neiki.dev/file/6fb87b8587bcfad6d1ce722a2e4e245789fc4816171015efbee479a30108e2c9
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n64hxbmhxt5nnuoooivc4trek6e7ysawc4ibl3564r42gaii4leq._file
Verdict:
malicious
Label(s):
shellcode_loader_008
Create hunting rule
Similar samples:
error
SantaStealer
Result
Malware family:
n/a
Score:
  7/10
Tags:
credential_access discovery installer persistence spyware stealer upx
Link:
https://tria.ge/reports/260413-lvrwlsg16j/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Inno Setup is an open-source installation builder for Windows applications.
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Credentials from Password Stores: Windows Credential Manager
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
6fb87b8587bcfad6d1ce722a2e4e245789fc4816171015efbee479a30108e2c9
MD5 hash:
7353a954cec61f3e25fd5721d21ef103
SHA1 hash:
dcc5eef439d1f5e3226a6381d3fca21ec816ca9a
Link:
https://www.unpac.me/results/10c584f6-b5b3-4dd4-a81b-cab3ed6f0e37/
SH256 hash:
e6d0eccd2171be3ecb8456ca887c35fad6bf5bb1ec52e0427f5f5a750d8772e2
MD5 hash:
fed5384b4ecf4fa32f43298dc6f73e98
SHA1 hash:
72cd0a9e4761545956e68930a823b90934770b32
Link:
https://www.unpac.me/results/10c584f6-b5b3-4dd4-a81b-cab3ed6f0e37/
SH256 hash:
e7308dc2bc8bbdb43f597a7b6ed33ac4a689ab7ddb20aa4129e09ea6c648dd6e
MD5 hash:
6c8f7b3a9c726ed6c0fd48dc782a7409
SHA1 hash:
aff2e3b4bb28dd55840ef0f2d6621e29fdef110c
Link:
https://www.unpac.me/results/10c584f6-b5b3-4dd4-a81b-cab3ed6f0e37/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6fb87b8587bcfad6d1ce722a2e4e245789fc4816171015efbee479a30108e2c9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SantaStealer

Executable exe 6fb87b8587bcfad6d1ce722a2e4e245789fc4816171015efbee479a30108e2c9

(this sample)

  
Dropped by
Gcleaner
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/61343/

Comments