MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8953c494ae38623a62bea5c6705056fd8dce59f88f1d3c2b5da89cfa71f620a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GOStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 32 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8953c494ae38623a62bea5c6705056fd8dce59f88f1d3c2b5da89cfa71f620a9
SHA3-384 hash: cb4b3a8d7c621024c56268d5d814b104360d7426714bf6645545e852d2a6e3691bb56821afc2d8221314412330549b8d
SHA1 hash: e8b6a3340ae80ef3ca92ec151f61292f748474a4
MD5 hash: ff4929b3adb5ab979408e09b3f7bf723
humanhash: fillet-don-island-nitrogen
File name:ff4929b3adb5ab979408e09b3f7bf723.exe
Download: download sample
Signature GOStealer
Create hunting rule
File size:8'514'560 bytes
First seen:2025-04-22 15:55:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (234 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep 98304:E1Tex3ATmJe8Tv0oBmaB7Yvp29rdtq8Owmo9sEOdM1c/N/LdHILRRwYEwxM/wkKm:E1TepeFkmaOBArIZdyCN/L9ywYndiVT
TLSH T15C86333290D5F30DAA9058B9D897FAF544769EEACD30130BCF95BC477A72AA03731660
TrID 63.5% (.EXE) UPX compressed Win64 Executable (70117/5/12)
24.5% (.EXE) UPX compressed Win32 Executable (27066/9/6)
4.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.8% (.ICL) Windows Icons Library (generic) (2059/9)
1.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon 0fe888e8cc692b8e (3 x njrat, 1 x RedLineStealer, 1 x GOStealer)
Reporter abuse_ch
Tags:exe GOStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
427
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
http://185.215.113.41/mine/random.exe
Verdict:
Malicious activity
Analysis date:
2025-04-22 14:20:41 UTC
Tags:
loader amadey botnet stealer lumma credentialflusher gcleaner rdp auto generic phishing putty rmm-tool pastebin evasion autoit fileshare telegram vidar rhadamanthys
Link:
https://app.any.run/tasks/6fd5992f-2158-4cb3-8038-66b3f80ac08c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/3459/
Detection(s):
SecuriteInfo.com.Win64.Malware-gen.27153.28608.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6807bcf9a37ff28e129812e5
Tags:
overt spawn sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Launching a process
Enabling the 'hidden' option for recently created files
Using the Windows Management Instrumentation requests
Creating a process with a hidden window
DNS request
Connection attempt
Sending an HTTP GET request
Launching the process to change network settings
Sending a custom TCP request
Creating a file in the %temp% subdirectories
Creating a file
Searching for the window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching a tool to kill processes
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/8953c494ae38623a62bea5c6705056fd8dce59f88f1d3c2b5da89cfa71f620a9
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/412812be-c9ec-4112-8c7f-52b41bd3c99d
Result
Threat name:
Go Stealer
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1671212
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops password protected ZIP file
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Sigma detected: Capture Wi-Fi password
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Crypto Currency Wallets
Uses netsh to modify the Windows network and firewall settings
Yara detected Go Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1671212 Sample: SWx02Uwrat.exe Startdate: 22/04/2025 Architecture: WINDOWS Score: 100 33 ip-api.com 2->33 35 api.csgoguide.org 2->35 47 Antivirus / Scanner detection for submitted sample 2->47 49 Sigma detected: Capture Wi-Fi password 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 6 other signatures 2->53 7 SWx02Uwrat.exe 2 38 2->7         started        12 SecurityHealthSystray.exe 1 2->12         started        14 svchost.exe 1 1 2->14         started        16 SecurityHealthSystray.exe 1 2->16         started        signatures3 process4 dnsIp5 37 ip-api.com 208.95.112.1, 49681, 80 TUT-ASUS United States 7->37 39 api.csgoguide.org 172.67.192.193, 443, 49682 CLOUDFLARENETUS United States 7->39 41 192.168.2.16 unknown unknown 7->41 31 C:\Users\user\...\SecurityHealthSystray.exe, PE32+ 7->31 dropped 55 Found many strings related to Crypto-Wallets (likely being stolen) 7->55 57 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 7->57 59 Uses netsh to modify the Windows network and firewall settings 7->59 65 5 other signatures 7->65 18 powershell.exe 23 7->18         started        21 powershell.exe 23 7->21         started        23 taskkill.exe 1 7->23         started        29 6 other processes 7->29 61 Antivirus detection for dropped file 12->61 63 Multi AV Scanner detection for dropped file 12->63 25 conhost.exe 12->25         started        43 127.0.0.1 unknown unknown 14->43 27 conhost.exe 16->27         started        file6 signatures7 process8 signatures9 45 Loading BitLocker PowerShell Module 18->45
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8953c494ae38623a62bea5c6705056fd8dce59f88f1d3c2b5da89cfa71f620a9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8953c494ae38623a62bea5c6705056fd8dce59f88f1d3c2b5da89cfa71f620a9/
Threat name:
Win64.Trojan.Etset
Create hunting rule
Status:
Malicious
First seen:
2025-04-22 08:20:21 UTC
File Type:
PE+ (Exe)
Extracted files:
5
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rfj4jffohbrduyv6uxdhaucw7wg44wpyr4otyk25vcopu4pwecuq._file
Verdict:
suspicious
Label(s):
skuldstealer
Create hunting rule
Similar samples:
error
GOStealer
Result
Malware family:
n/a
Score:
  8/10
Tags:
credential_access discovery execution persistence privilege_escalation spyware stealer upx
Link:
https://tria.ge/reports/250422-tdj4fazxc1/
Behaviour
GoLang User-Agent
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Browser Information Discovery
Event Triggered Execution: Netsh Helper DLL
System Network Configuration Discovery: Wi-Fi Discovery
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Looks up external IP address via web service
Maps connected drives based on registry
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Command and Scripting Interpreter: PowerShell
Verdict:
Malicious
Tags:
trojan
YARA:
SUSP_Imphash_Mar23_3
Link:
https://app.threat.zone/submission/6058235a-0bed-4cfb-aa6e-aeea25cd96a5
Unpacked files
SH256 hash:
8953c494ae38623a62bea5c6705056fd8dce59f88f1d3c2b5da89cfa71f620a9
MD5 hash:
ff4929b3adb5ab979408e09b3f7bf723
SHA1 hash:
e8b6a3340ae80ef3ca92ec151f61292f748474a4
Link:
https://www.unpac.me/results/5aea8989-bab6-4208-bc1a-30055e5d3887/
SH256 hash:
a9a95ed51b5f83dbdf3c7bf8870f8975ae041c28739a56145ce5cb0ad9f884f1
MD5 hash:
0270e79188a1499f7da3c71dda18a8d3
SHA1 hash:
38543f25b37ec51307c838d1488a6a31ce05346c
Detections:
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Link:
https://www.unpac.me/results/5aea8989-bab6-4208-bc1a-30055e5d3887/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8953c494ae38/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8953c494ae38623a62bea5c6705056fd8dce59f88f1d3c2b5da89cfa71f620a9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:aix
Create hunting rule
Author:Tim Brown @timb_machine
Description:AIX binary
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:enterpriseapps2
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise apps
Rule name:enterpriseunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise UNIX
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:golang_duffcopy_amd64
Create hunting rule
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:ldpreload
Create hunting rule
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:Multi_Generic_Threat_19854dc2
Create hunting rule
Author:Elastic Security
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:SUSP_Imphash_Mar23_3
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:Internal Research
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags
Rule name:upx_largefile
Create hunting rule
Author:k3nr9
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GOStealer

Executable exe 8953c494ae38623a62bea5c6705056fd8dce59f88f1d3c2b5da89cfa71f620a9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3521970/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/3459/

Comments