MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 756bbdb069db144f16dd62dc9ddbe0ac0b4d62ca303d48f65e95e5265bdc9f45. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SantaStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 21 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 756bbdb069db144f16dd62dc9ddbe0ac0b4d62ca303d48f65e95e5265bdc9f45
SHA3-384 hash: a0d2157e3561f3ebf8dd139cb998e645353cd18a94e48e46b354ab4c2cdfbbe1529b7f92bcb57d11977fe40a9784af0e
SHA1 hash: 74de7f5ab752f1f8c53a7df35de147c5e862364c
MD5 hash: f8b49ed3d1a7ba6726c63830c5201316
humanhash: wyoming-magazine-high-golf
File name:file
Download: download sample
Signature SantaStealer
Create hunting rule
File size:4'106'752 bytes
First seen:2026-02-18 07:59:42 UTC
Last seen:2026-02-18 08:30:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 459038dd913bd7fa2746dd2acf101131 (5 x SantaStealer)
ssdeep 98304:QT+8lBJPegOwwmMbScbjEHYvJ3yXR0edx/UNck/Ny6U7xoEz71v:QT+ITbM2vHvXR0edVU2kIlxRX
Threatray 69 similar samples on MalwareBazaar
TLSH T1C81633FA5FC2D571ED6940F883E9EE029B61AAB0C48CB33E15F706355E3345AA27D016
TrID 45.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
18.0% (.EXE) Win64 Executable (generic) (6522/11/2)
13.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.6% (.ICL) Windows Icons Library (generic) (2059/9)
5.6% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe fbf543 SantaStealer


Avatar
Bitsight
url: http://130.12.180.43/files/5926060486/28tzRfP.exe

Intelligence

File Origin
# of uploads :
16
# of downloads :
103
Origin country :
US US
Vendor Threat Intelligence
No detections
Malware family:
teamviewer
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2026-02-18 08:02:09 UTC
Tags:
stealer teamviewer rmm-tool tightvnc
Link:
https://app.any.run/tasks/9a4c08be-f108-4b4d-9d2b-b23ce9fc6b37

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/53668/
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.15554264.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=699571a61ebe863df48512e3
Tags:
phishing emotet lien
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug crypt crypto packed
Link:
https://www.filescan.io/uploads/699571a110e80629d4e85a2b/reports/588e5c83-2bed-48ee-af96-924771d2e8d1/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/756bbdb069db144f16dd62dc9ddbe0ac0b4d62ca303d48f65e95e5265bdc9f45
Result
Gathering data
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/797e02ed-7fdc-4306-94dc-e212817f62f3
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/756bbdb069db144f16dd62dc9ddbe0ac0b4d62ca303d48f65e95e5265bdc9f45
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/756bbdb069db144f16dd62dc9ddbe0ac0b4d62ca303d48f65e95e5265bdc9f45/
Verdict:
Malicious
Threat:
Family.TIGHTVNC
Link:
https://tip.neiki.dev/file/756bbdb069db144f16dd62dc9ddbe0ac0b4d62ca303d48f65e95e5265bdc9f45
Threat name:
Win64.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-02-18 08:10:45 UTC
AV detection:
8 of 24 (33.33%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ovv33mdj3mke6fw5mloj3w7avqfu2ywkga6ur5s6sxssmw64t5cq._file
Verdict:
malicious
Label(s):
santastealer
Create hunting rule
Similar samples:
055d777c3d38269f07d454f07abc985dfa52493b669cd3cc687304a0a6425122
SantaStealer
756bbdb069db144f16dd62dc9ddbe0ac0b4d62ca303d48f65e95e5265bdc9f45
SantaStealer
865882a0c9d61a465e26e53ef51124ba527ad581bebb41b0e43f6b855df94e9d
SantaStealer
9ee91363392ad72e1d7f9303b814daaa50c66fa0eea0bd3ded99d6d150c59b52
SantaStealer
ace0a0d6615f233f3c71781e59d6438bf3ca35ead4123cf4e02b97effd45a75c
SantaStealer
d3fb6919ce5b708d7e4f50e49050d5c497f658f89951418c4f590d9476764271
SantaStealer
error
SantaStealer
+ 59 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
credential_access discovery spyware stealer
Link:
https://tria.ge/reports/260218-jv913sc16d/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Browser Information Discovery
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Credentials from Password Stores: Windows Credential Manager
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
756bbdb069db144f16dd62dc9ddbe0ac0b4d62ca303d48f65e95e5265bdc9f45
MD5 hash:
f8b49ed3d1a7ba6726c63830c5201316
SHA1 hash:
74de7f5ab752f1f8c53a7df35de147c5e862364c
Link:
https://www.unpac.me/results/2e529cc5-17b0-4ae9-badc-69fb4f2ac281/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/756bbdb069db/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/756bbdb069db144f16dd62dc9ddbe0ac0b4d62ca303d48f65e95e5265bdc9f45

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:dgaagas
Create hunting rule
Author:Harshit
Description:Uses certutil.exe to download a file named test.txt
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:Heuristics_ChromeABE
Create hunting rule
Author:Still
Description:attempts to match instructions related to Chrome App-bound Encryption elevation service; possibly spotted amongst infostealers
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:ReflectiveLoader
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:Internal Research
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SantaStealer

Executable exe 756bbdb069db144f16dd62dc9ddbe0ac0b4d62ca303d48f65e95e5265bdc9f45

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/53668/
  
URLhaus
https://urlhaus.abuse.ch/url/3780205/

Comments