MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 837a5ae11a55ee51f20f6e1377a714730fe4df1914d22529064a70008393dca8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 19


Intelligence 19 IOCs YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 837a5ae11a55ee51f20f6e1377a714730fe4df1914d22529064a70008393dca8
SHA3-384 hash: da4719a3a14c85351a908a113b86c4193564d75af62b1ee4b7610243665f11cbd2022bcbb3dece3fd23061f5a1b857b1
SHA1 hash: 9f8cd8fd7fb1d8dfb92800265203730266b840ec
MD5 hash: 1c06b0d256aa27522767ff865cd19738
humanhash: potato-earth-uniform-hamper
File name:file
Download: download sample
Signature Stealc
Create hunting rule
File size:1'751'768 bytes
First seen:2025-09-06 04:01:18 UTC
Last seen:2025-09-06 04:04:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c7269d59926fa4252270f407e4dab043 (45 x Hive, 23 x ServHelper, 22 x CobaltStrike)
ssdeep 24576:N3D1Ayu2CcAemkCN7deoLWcjASlB3kYoaIQSdhuF1r7TsdBIe1sQ+YwbBgX:NGv1/BAwR5IQaurEJqQ+
Threatray 21 similar samples on MalwareBazaar
TLSH T1C2859ED1FCCB60F1E52606360AB7A1AF3331F50A0731ADC3D944AEBFB963582592661D
gimphash 8c71755f0102a3a2eb2d6ef6246b0619e20b2c88c8e97e4e1a9ec82b0d6fdf90
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe Stealc


Avatar
Bitsight
url: http://178.16.54.200/files/8061402479/xO50QoO.exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
74
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
_8444a4843eae3e67f6c5803b61bdae3e9e6312d6d7375dda0631efff88f28e46.exe
Verdict:
Malicious activity
Analysis date:
2025-09-05 15:51:30 UTC
Tags:
auto redline stealer amadey botnet loader autoit lumma arch-exec auto-startup possible-phishing evasion rdp telegram stealc vidar auto-reg python ddr anti-evasion auto-sch-xml gcleaner purelogs generic cyberstealer crypto-regex coinminer miner
Link:
https://app.any.run/tasks/a41ff1db-039e-4103-bb0f-af94777805f9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Stealc
Create hunting rule
Link:
https://www.capesandbox.com/analysis/25934/
Detection(s):
Win.Exploit.Deepscan-9951944-0
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68bbb253eb163e0ec184cfb6
Tags:
injection emotet obfusc crypt
Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
golang invalid-signature mingw obfuscated packed packed packer_detected signed threat
Link:
https://www.filescan.io/uploads/68bbb23420d0ee406d97a263/reports/5d40cebd-4cc2-4dea-9b34-6c47f61fee9d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/837a5ae11a55ee51f20f6e1377a714730fe4df1914d22529064a70008393dca8
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-05T08:54:00Z UTC
Last seen:
2025-09-05T08:54:00Z UTC
Hits:
~10
Detections:
VHO:Trojan-PSW.Win32.Lumma.gen UDS:DangerousObject.Multi.Generic
Link:
https://opentip.kaspersky.com/837a5ae11a55ee51f20f6e1377a714730fe4df1914d22529064a70008393dca8/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/556bc435-6bbb-4319-ba41-2a3e93f0aee2
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/837a5ae11a55ee51f20f6e1377a714730fe4df1914d22529064a70008393dca8
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/1c06b0d256aa27522767ff865cd19738
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/837a5ae11a55ee51f20f6e1377a714730fe4df1914d22529064a70008393dca8/
Verdict:
Malicious
Threat:
Family.STEALC
Link:
https://tip.neiki.dev/file/837a5ae11a55ee51f20f6e1377a714730fe4df1914d22529064a70008393dca8
Threat name:
Win32.Spyware.Stealc
Create hunting rule
Status:
Malicious
First seen:
2025-09-05 13:26:46 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
21 of 36 (58.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qn5fvyi2kxxfd4qpnyjxpjyuomh6jxyzctjckkigjjyaba4t3sua._file
Verdict:
malicious
Label(s):
stealc
Create hunting rule
Similar samples:
244807fd2a661a53498aff35f940dea0caea6dcc8d1244af8c5cce268d23c117
Stealc
31294603a887756a97d1f8b3b5f8a0f3ece03907448ea717dfc8b4d017be5897
Stealc
4915ca57422d37e562a3e6daa22fd83b82df90032358e28552f56776ce5fce00
Stealc
4bef6f8cef8f5d75ead900b2ea1a3c8fd39aa705a9bb8a66e4e0229ccdcdd5cb
Stealc
70ae293eb1c023d40a8a48d6109a1bf792e1877a72433bcc89613461cffc7b61
Stealc
97c8d58eeef8b92cfee45f5b4a048b827cd94766ab3c96845cb54a109842137c
Stealc
b3fe4cebd7999dfe15f9469154add7ebfc7e4fad581b85a3d0364b54175cbdf3
Stealc
error
Stealc
f524e296af6c4b3344c749efe2afb6be33701942e78228c6ae45acd8e4a6237d
Stealc
+ 11 additional samples on MalwareBazaar
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:stealc botnet:prol discovery spyware stealer
Link:
https://tria.ge/reports/250906-elpass1sat/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Stealc
Stealc family
Malware Config
C2 Extraction:
http://62.60.226.113
Verdict:
Malicious
Tags:
Win.Exploit.Deepscan-9951944-0
YARA:
n/a
Link:
https://app.threat.zone/submission/e86728be-6d39-4fc0-8e16-449a1054982f
Unpacked files
SH256 hash:
837a5ae11a55ee51f20f6e1377a714730fe4df1914d22529064a70008393dca8
MD5 hash:
1c06b0d256aa27522767ff865cd19738
SHA1 hash:
9f8cd8fd7fb1d8dfb92800265203730266b840ec
Link:
https://www.unpac.me/results/8108a0fc-e354-4d04-9827-597ff0e6333a/
SH256 hash:
2c4651a093a276841935a5b85856ee323d618a60d02162517c9f828c5e3e686d
MD5 hash:
fc1c04e172f708bcfdcaac1d723703bc
SHA1 hash:
12b2a6fc9e88ceba38c90d3a39e09315f1ab93a7
Link:
https://www.unpac.me/results/8108a0fc-e354-4d04-9827-597ff0e6333a/
SH256 hash:
bac2b50b3d8ecda13e860e115d17c571b543300506c869deaca7f7e8cb7f66cc
MD5 hash:
fd12b50790868cdb6dee9345b15f543e
SHA1 hash:
2f0f0e89751cd27dbc4b44edb9b266484b5ea42f
Detections:
stealc
Create hunting rule
Link:
https://www.unpac.me/results/8108a0fc-e354-4d04-9827-597ff0e6333a/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/837a5ae11a55/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Stealc
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/837a5ae11a55ee51f20f6e1377a714730fe4df1914d22529064a70008393dca8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe 837a5ae11a55ee51f20f6e1377a714730fe4df1914d22529064a70008393dca8

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3615935/
  
URLhaus
https://urlhaus.abuse.ch/url/3617798/
Cape
Cape
https://www.capesandbox.com/analysis/25934/

Comments