MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 83863006b4dda98ef3dfdf417d11b099fec994d1886ce7e91c4e708e23bb2ba6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 16

Intelligence 16 IOCs YARA 8 File information Comments

SHA256 hash:	83863006b4dda98ef3dfdf417d11b099fec994d1886ce7e91c4e708e23bb2ba6
SHA3-384 hash:	fe7d2b911cde97be5779fec81329a105dc08480ba7e8bfeafd1fe1bdfb6ce09cbadab70b20e6ad5a3cfb51222442edd7
SHA1 hash:	7c8b34ad475fe123b939183e56d7803e6f533d72
MD5 hash:	f0a638cbbb4b527f74e59f28e372cc40
humanhash:	louisiana-winter-neptune-river
File name:	XTS.loder.exe
Download:	download sample
Signature	Stealc Create hunting rule
File size:	96'552'072 bytes
First seen:	2025-12-03 16:24:28 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4035d2883e01d64f3e7a9dccb1d63af5 (47 x ServHelper, 25 x Vidar, 20 x LummaStealer)
ssdeep	49152:xmlKa/qEa3WEMnl7IOYBz+SPL0f7uYpCHMeGO16IdK1wOm:dEa31Mm+wOZir
Threatray	4 similar samples on MalwareBazaar
TLSH	T17728D742F9919894CABAF134A1927270BAB53E5943317BD35FF81A660C367C02B3EF54
gimphash	808c524917ea16ca3b50d44d12e1cfbc4d408466aa8bfd2651754b9e3ff3d513
TrID	48.7% (.EXE) Win64 Executable (generic) (10522/11/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	burger
Tags:	exe signed Stealc

Code Signing Certificate

Organisation:	githab.com
Issuer:	R13
Algorithm:	sha256WithRSAEncryption
Valid from:	2025-10-16T07:06:41Z
Valid to:	2026-01-14T07:06:40Z
Serial number:	06811e3acd8227232ee58a61ecd714a9b643
Intelligence:	60 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	a94d8efd4bb1086c6659ff0d791fdf0b6e958107132230d5544feb524e29a228
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

216

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

XTS.loder.exe

Verdict:

Malicious activity

Analysis date:

2025-12-03 16:23:56 UTC

Tags:

golang stealc stealer

Link:

https://app.any.run/tasks/73c3c37b-ceb9-486f-9559-2f302771cf5d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6930642e16e6db515e465982

Tags:

cobalt trojan hype sage

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file

Сreating synchronization primitives

Connection attempt

Sending an HTTP POST request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context anti-vm bloated golang overlay signed

Link:

https://www.filescan.io/uploads/69306479d4d2310e5cbe50f7/reports/c40cd1ab-7608-4b2d-92e3-a9a941ff4b40/overview

Verdict:

Suspicious

Labled as:

Trojan.Encoder

Link:

https://www.hybrid-analysis.com/sample/83863006b4dda98ef3dfdf417d11b099fec994d1886ce7e91c4e708e23bb2ba6

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-12-04T06:44:00Z UTC

Last seen:

2025-12-04T23:20:00Z UTC

Hits:

~10

Detections:

Trojan-PSW.Win32.Lumma.yma Trojan-PSW.Lumma.HTTP.C&C

Link:

https://opentip.kaspersky.com/83863006b4dda98ef3dfdf417d11b099fec994d1886ce7e91c4e708e23bb2ba6/results?tab=lookup

Result

Threat name:

Stealc v2

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1825599

Signature

AI detected suspicious PE digital signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Drops PE files to the document folder of the user

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Queues an APC in another process (thread injection)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Unusual module load detection (module proxying)

Writes to foreign memory regions

Yara detected Stealc v2

Behaviour

Behavior Graph:

Download SVG

Score:

71%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/83863006b4dda98ef3dfdf417d11b099fec994d1886ce7e91c4e708e23bb2ba6

Gathering data

Verdict:

Malicious

Threat:

Family.STEALC

Link:

https://tip.neiki.dev/file/83863006b4dda98ef3dfdf417d11b099fec994d1886ce7e91c4e708e23bb2ba6

Threat name:

Win64.Trojan.Malgent

Status:

Malicious

First seen:

2025-12-03 16:23:56 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

6 of 24 (25.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qoddabvu3wuy546735ax2enqth7mtfgrrbwop2i4jzyi4i53fota._file

Verdict:

malicious

Label(s):

shellcode_loader_007

Stealc

46ef4064738bfaa95b0577a0554dd711e338cc9aee98ef01a9e111a5ecd3a9b9

Stealc

50419b6ae38000b3d639e462f69bb35ff167650ca8eff6eb35dcfbd38b08c393

Stealc

c5b2b190d18f40051c5697746b21252cf14894ba10ae6e3e007e6f5ed4b31dfe

Stealc

error

Stealc

Result

Malware family:

stealc

Score:

10/10

Tags:

family:stealc botnet:sr stealer

Link:

https://tria.ge/reports/251203-tw7mfsej8v/

Behaviour

Stealc

Stealc family

Malware Config

C2 Extraction:

http://178.17.59.148

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/51fe1b48-24ef-4546-a106-3f3bb22aa97f

Malware family:

Stealc.v2

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/83863006b4dd/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/83863006b4dda98ef3dfdf417d11b099fec994d1886ce7e91c4e708e23bb2ba6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	Heuristics_ChromeABE Create hunting rule
Author:	Still
Description:	attempts to match instructions related to Chrome App-bound Encryption elevation service; possibly spotted amongst infostealers

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	StealcV2 Create hunting rule
Author:	Still
Description:	attempts to match the instructions found in StealcV2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample