MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8441f8b903c676d468bb0b0c07d699cb98df153cc50b4ac566e7ab95293cd2db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 17

Intelligence 17 IOCs YARA 11 File information Comments

SHA256 hash:	8441f8b903c676d468bb0b0c07d699cb98df153cc50b4ac566e7ab95293cd2db
SHA3-384 hash:	b17d94643bac5a118e471cec78d70505242fdf2de556709a201f362d58cc7e8c623cccfc1d6f4a7a4ed0b5b39e22f5c9
SHA1 hash:	8c68a27f38496c91143e4a684c9d790c3d645331
MD5 hash:	2ec65ea39e10130c9ef1b4959cd8c1b6
humanhash:	twenty-grey-dakota-oklahoma
File name:	trvb3cO.exe
Download:	download sample
Signature	Stealc Create hunting rule
File size:	760'832 bytes
First seen:	2025-08-20 15:24:16 UTC
Last seen:	2025-09-24 14:33:02 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	112f19f28f55f461c3d7ad7d3898dd7b (30 x Stealc)
ssdeep	12288:cJLb4TZvg7l4RaaXGOFC4VCPMeY6ReOSoE/:cl8TZ472RaaX7ZGM7
Threatray	37 similar samples on MalwareBazaar
TLSH	T1D7F48D1FF7E501F8C4BB8278C9525952E77A74561370A68F03E019A63F2B650AF7EB20
TrID	44.4% (.EXE) Win64 Executable (generic) (10522/11/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	aachum
Tags:	185-102-115-104 exe LabInstalls Stealc

iamaachum

http://213.209.150.113/files/5254702106/trvb3cO.exe

Stealc C2: http://185.102.115.104/cd1072355afc4f72.php

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

amadey

ID:

File name:

9b55f6144b096d141be338f36ad10386818e04ed8166899fbb3de0ac3f53b51c.zip

Verdict:

Malicious activity

Analysis date:

2025-08-17 14:14:08 UTC

Tags:

auto amadey botnet arch-exec stealer redline loader rdp python miner lumma gcleaner vidar telegram stealc rhadamanthys github antivm delphi xmrig auto-sch-xml generic pyinstaller themida

Link:

https://app.any.run/tasks/c3ffd5b5-9460-4f49-a252-948394f7ae39

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Stealc

Link:

https://www.capesandbox.com/analysis/22559/

Detection(s):

Win.Malware.Marte-10045369-0

ditekSHen.INDICATOR.Packed.TriumphLoader.UNOFFICIAL

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68a5e8b28fd55a79c5297b0f

Tags:

shellcode packed virus

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Connection attempt

Sending an HTTP POST request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

adaptive-context anti-debug base64 cmd fingerprint lolbin lumma microsoft_visual_cc stealc threat

Link:

https://www.filescan.io/uploads/68a5e8b5abfbaec31826bbe9/reports/53342d64-e82d-462f-81ab-4d081e068e5d/overview

Verdict:

Malicious

Labled as:

Shellcode.Loader.Marte.X.Generic

Link:

https://www.hybrid-analysis.com/sample/8441f8b903c676d468bb0b0c07d699cb98df153cc50b4ac566e7ab95293cd2db

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/4c18ab3a-5fc9-4d55-8b02-a14287bcef62

Result

Threat name:

Stealc v2

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1761227

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found malware configuration

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Yara detected Stealc v2

Behaviour

Behavior Graph:

Download SVG

Score:

98%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/8441f8b903c676d468bb0b0c07d699cb98df153cc50b4ac566e7ab95293cd2db

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/2ec65ea39e10130c9ef1b4959cd8c1b6

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8441f8b903c676d468bb0b0c07d699cb98df153cc50b4ac566e7ab95293cd2db/

Verdict:

Malicious

Threat:

Family.STEALC

Link:

https://tip.neiki.dev/file/8441f8b903c676d468bb0b0c07d699cb98df153cc50b4ac566e7ab95293cd2db

Threat name:

Win64.Trojan.Stealc

Status:

Malicious

First seen:

2025-08-12 16:16:24 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

23 of 24 (95.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qra7roidyz3ni2f3bmgapvuzzomn6fj4yufuvrlg46vzkkj42lnq._file

Verdict:

malicious

Label(s):

stealc

Stealc

451753ecd4346bc3ba642d0f23fc4838196fcf668fe414ec68a958bac48aedf5

Stealc

4c157555fd7e61dbf6609613e387591fd254724415105e0f205ed58fd1b32a79

Stealc

8301936f439f43579cffe98e11e3224051e2fb890ffe9df680bbbd8db0729387

Stealc

8441f8b903c676d468bb0b0c07d699cb98df153cc50b4ac566e7ab95293cd2db

Stealc

dca26fecbe9cd681c3e630161797d9db76d32ce42fb825d1f5f9c6029df8c52a

Stealc

eb49b3274beafe94b1e4619bfd81f56a0776e9e59706f8de56fdc1b793e5bd1c

Stealc

error

Stealc

+ 27 additional samples on MalwareBazaar

Result

Malware family:

stealc

Score:

10/10

Tags:

family:stealc botnet:system

Link:

https://tria.ge/reports/250820-ss9f7styby/

Malware Config

C2 Extraction:

http://185.102.115.104

Verdict:

Malicious

Tags:

Win.Malware.Marte-10045369-0

YARA:

n/a

Link:

https://app.threat.zone/submission/96e354b2-2948-49f4-9f15-ce64c2b6244c

Unpacked files

SH256 hash:

8441f8b903c676d468bb0b0c07d699cb98df153cc50b4ac566e7ab95293cd2db

MD5 hash:

2ec65ea39e10130c9ef1b4959cd8c1b6

SHA1 hash:

8c68a27f38496c91143e4a684c9d790c3d645331

Link:

https://www.unpac.me/results/3a8986c2-9d43-49b0-81e6-c333f6e445b5/

SH256 hash:

2c4651a093a276841935a5b85856ee323d618a60d02162517c9f828c5e3e686d

MD5 hash:

fc1c04e172f708bcfdcaac1d723703bc

SHA1 hash:

12b2a6fc9e88ceba38c90d3a39e09315f1ab93a7

Link:

https://www.unpac.me/results/3a8986c2-9d43-49b0-81e6-c333f6e445b5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8441f8b903c676d468bb0b0c07d699cb98df153cc50b4ac566e7ab95293cd2db

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	aachum_Stealcv2 Create hunting rule
Author:	aachum
Description:	Detects new version of Stealc.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	Heuristics_ChromeABE Create hunting rule
Author:	Still
Description:	attempts to match instructions related to Chrome App-bound Encryption elevation service; possibly spotted amongst infostealers

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	StealcV2 Create hunting rule
Author:	Still
Description:	attempts to match the instructions found in StealcV2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

exe 8441f8b903c676d468bb0b0c07d699cb98df153cc50b4ac566e7ab95293cd2db

(this sample)

Link

https://tria.ge/250820-sgathavkt5/static1

Dropped by

Amadey

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3601509/

URLhaus

https://urlhaus.abuse.ch/url/3604158/

URLhaus

https://urlhaus.abuse.ch/url/3606201/

URLhaus

https://urlhaus.abuse.ch/url/3607224/

Cape

https://www.capesandbox.com/analysis/22559/

URLhaus

https://urlhaus.abuse.ch/url/3607408/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineA KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleOutputCP KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample