MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f21d4fc92774e7541df31911a565b5593bb1ec244443be4a14b290258f672fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MicroStealer


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7f21d4fc92774e7541df31911a565b5593bb1ec244443be4a14b290258f672fb
SHA3-384 hash: 92b45bb562c6a8b59cc17324c696e93f63e9d3de6ab91d277c1f31b1cf41c41a947b71bffc3bf6e5827c4c3ba38975a7
SHA1 hash: 73ec61914f587c78f1133f9ba5372e199788cda2
MD5 hash: 2389f0f778553ffcff8dfeac35e98066
humanhash: oscar-london-comet-undress
File name:system.jar
Download: download sample
Signature MicroStealer
Create hunting rule
File size:29'526'308 bytes
First seen:2026-03-01 15:57:00 UTC
Last seen:Never
File type:Java file jar
MIME type:application/zip
ssdeep 786432:LDNcLQGN5q+feL1rC8Mk4CrpPXjstm97IDEz0t:LDNccY55eLVC8MkDtPXWu7I4z0
TLSH T143570219D25F403ACA57D67928EF4BE6FF34869B8320571F23F439198CD2B890B22759
TrID 63.1% (.SPE) SPSS Extension (30000/1/7)
28.4% (.JAR) Java Archive (13500/1/2)
8.4% (.ZIP) ZIP compressed archive (4000/1)
Magika jar
Reporter burger
Tags:jar MicroStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
60
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
https://kitsucraft.com/pages/faq
Verdict:
Malicious activity
Analysis date:
2026-03-01 12:05:54 UTC
Tags:
discord stealer microstealer anti-evasion arch-doc
Link:
https://app.any.run/tasks/3380023e-609a-4305-b513-2aa95adf93b3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/55129/
Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69a461b0c950ab5d9ab3122a
Tags:
n/a
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug anti-vm lolbin macros-on-close obfuscated runonce
Link:
https://www.filescan.io/uploads/69a461e19eaae846594109d6/reports/9c498455-fd54-48c7-92ff-8557016c67ed/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/7f21d4fc92774e7541df31911a565b5593bb1ec244443be4a14b290258f672fb
Result
Verdict:
UNKNOWN
Link:
https://labs.inquest.net/dfi/sha256/7f21d4fc92774e7541df31911a565b5593bb1ec244443be4a14b290258f672fb
Verdict:
Clean
File Type:
jar
Link:
https://opentip.kaspersky.com/7f21d4fc92774e7541df31911a565b5593bb1ec244443be4a14b290258f672fb/results?tab=lookup
Result
Threat name:
Micro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1876526
Signature
Excessive usage of taskkill to terminate processes
Exploit detected, runtime environment dropped PE file
Exploit detected, runtime environment starts unknown processes
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Suspicious Processes Spawned by Java.EXE
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses WMIC command to query system information (often done to detect virtual machines)
Yara detected Micro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1876526 Sample: system.jar Startdate: 01/03/2026 Architecture: WINDOWS Score: 96 44 78smp.com 2->44 46 shed.dual-low.part-0012.t-0009.t-msedge.net 2->46 48 6 other IPs or domains 2->48 56 Suricata IDS alerts for network traffic 2->56 58 Yara detected Micro Stealer 2->58 60 Found many strings related to Crypto-Wallets (likely being stolen) 2->60 62 7 other signatures 2->62 9 cmd.exe 2 2->9         started        signatures3 process4 process5 11 java.exe 44 9->11         started        16 conhost.exe 9->16         started        dnsIp6 50 78smp.com 104.21.52.58, 443, 49717, 49730 CLOUDFLARENETUS United States 11->50 52 162.159.128.233, 443, 49737, 49738 CLOUDFLARENETUS United States 11->52 54 discord.com 162.159.136.232, 443, 49716, 49718 CLOUDFLARENETUS United States 11->54 40 sqlite-3.49.1.0-ca...6b2e-sqlitejdbc.dll, PE32 11->40 dropped 42 C:\Users\user\...\jna8695411739769113166.dll, PE32 11->42 dropped 64 Found many strings related to Crypto-Wallets (likely being stolen) 11->64 66 Tries to harvest and steal browser information (history, passwords, etc) 11->66 68 Excessive usage of taskkill to terminate processes 11->68 70 Uses WMIC command to query system information (often done to detect virtual machines) 11->70 18 taskkill.exe 1 11->18         started        20 taskkill.exe 1 11->20         started        22 taskkill.exe 1 11->22         started        24 29 other processes 11->24 file7 signatures8 process9 process10 26 conhost.exe 18->26         started        28 conhost.exe 20->28         started        30 conhost.exe 22->30         started        32 conhost.exe 24->32         started        34 conhost.exe 24->34         started        36 conhost.exe 24->36         started        38 26 other processes 24->38
Score:
0%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/7f21d4fc92774e7541df31911a565b5593bb1ec244443be4a14b290258f672fb
Gathering data
Verdict:
Clean
Link:
https://tip.neiki.dev/file/7f21d4fc92774e7541df31911a565b5593bb1ec244443be4a14b290258f672fb
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p4q5j7eso5hhkqo7ggiruvs3kwj3whwcircdxzfbjmuqewhwol5q._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
defense_evasion discovery execution persistence
Link:
https://tria.ge/reports/260301-td37baay9b/
Behaviour
Kills process with taskkill
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Enumerates processes with tasklist
Contacts third-party web service commonly abused for C2
Loads dropped DLL
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7f21d4fc9277/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/7f21d4fc92774e7541df31911a565b5593bb1ec244443be4a14b290258f672fb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

77b9606043b772da89e6b417de3de71c48483e8a485979ab27e908626067f5f2

MicroStealer

Java file jar 7f21d4fc92774e7541df31911a565b5593bb1ec244443be4a14b290258f672fb

(this sample)

  
Dropped by
SHA256 77b9606043b772da89e6b417de3de71c48483e8a485979ab27e908626067f5f2
Cape
Cape
https://www.capesandbox.com/analysis/55129/

Comments