MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e61532302f2a326a7191f39635df7cd23a5deb03b2dcbe1feca367b799b5e12. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ScarfaceStealer

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	7e61532302f2a326a7191f39635df7cd23a5deb03b2dcbe1feca367b799b5e12
SHA3-384 hash:	91507b3b4907dae966ee180afa93525b3631eeab6febde0c94e5d2a77a82c5c274628b38635ac6c8feb23646aff5785e
SHA1 hash:	f3e0efdb97a5e63dc3e7a8fd177dd05ee244c482
MD5 hash:	c62e255e24ae2828eed69e12c6843d4a
humanhash:	bravo-nineteen-steak-sweet
File name:	Setup.exe
Download:	download sample
Signature	ScarfaceStealer Create hunting rule
File size:	13'969'408 bytes
First seen:	2026-05-27 17:40:28 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ae41470776de8f200324de833b6ea38f (1 x ScarfaceStealer)
ssdeep	196608:dtUVWMMST750pJDZ6P4pt1vJ9kGQJ8uuYVNSVbGQjV5CcOXlCPb2QRNB:dmVWMM07581T1vDKJ5VAVbeCPC
TLSH	T161E623EA40A552F4D5D34B80234E53CE71D0B15E45F96C2D3ADA2C42AF22DAF268DE73
TrID	44.6% (.EXE) Win64 Executable (generic) (6522/11/2) 14.0% (.ICL) Windows Icons Library (generic) (2059/9) 13.8% (.EXE) OS/2 Executable (generic) (2029/13) 13.7% (.EXE) Generic Win/DOS Executable (2002/3) 13.6% (.EXE) DOS Executable (generic) (2000/1)
Magika	pebin
dhash icon	c486b2b2b2b284c0 (1 x ScarfaceStealer)
Reporter	burger
Tags:	exe ScarfaceStealer

Intelligence

File Origin

# of uploads :

# of downloads :

122

Origin country :

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/4e654be4-532a-406c-8ec4-4de89d7432ba/

Malware family:

n/a

ID:

File name:

Setup.exe

Verdict:

No threats detected

Analysis date:

2026-05-27 17:40:11 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/46e40435-1750-4dba-94b5-7aa4484c67ea

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/68184/

Verdict:

Clean

Score:

84.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a172c755d76862ef948598d

Tags:

n/a

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6a172cc3099ef368af0616dc/reports/7b70e905-017c-4ca2-a9d9-0bfecf2b9e5e/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/7e61532302f2a326a7191f39635df7cd23a5deb03b2dcbe1feca367b799b5e12

Verdict:

Clean

File Type:

exe x64

First seen:

2026-05-27T15:41:00Z UTC

Last seen:

2026-05-27T15:51:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/7e61532302f2a326a7191f39635df7cd23a5deb03b2dcbe1feca367b799b5e12/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/91fb7ca6-d377-4609-97e0-e1a980005bf6

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

57 / 100

Link:

https://www.joesandbox.com/analysis/1919406

Signature

Found direct / indirect Syscall (likely to bypass EDR)

Hides threads from debuggers

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Query firmware table information (likely to detect VMs)

Tries to detect debuggers (CloseHandle check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to evade analysis by execution special instruction (VM detection)

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/7e61532302f2a326a7191f39635df7cd23a5deb03b2dcbe1feca367b799b5e12

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7e61532302f2a326a7191f39635df7cd23a5deb03b2dcbe1feca367b799b5e12/

Verdict:

Clean

Link:

https://tip.neiki.dev/file/7e61532302f2a326a7191f39635df7cd23a5deb03b2dcbe1feca367b799b5e12

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pzqvgiyc6krsnjyzd44wgxpxzur2lxvqhmw4xyp6zi3hw6m3lyja._file

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/260527-v85jasgw5z/

Behaviour

Suspicious use of NtSetInformationThreadHideFromDebugger

Unpacked files

SH256 hash:

7e61532302f2a326a7191f39635df7cd23a5deb03b2dcbe1feca367b799b5e12

MD5 hash:

c62e255e24ae2828eed69e12c6843d4a

SHA1 hash:

f3e0efdb97a5e63dc3e7a8fd177dd05ee244c482

Link:

https://www.unpac.me/results/5ebd6dbe-8ed1-4668-a996-919aabd0b736/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.14

Link:

https://yomi.yoroi.company/submissions/7e61532302f2a326a7191f39635df7cd23a5deb03b2dcbe1feca367b799b5e12

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/68184/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample