MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a6c39f97fb86a4ff9dc9226fa8b3445c5fe123abab532ea6afb9be2608780e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

STXRAT

Vendor detections: 11


SHA256 hash: 8a6c39f97fb86a4ff9dc9226fa8b3445c5fe123abab532ea6afb9be2608780e1
SHA3-384 hash: e9522ea54a2565a41f33fa1e184cbbfd035311379cf6cca270dcb55a2e40aad399619cf890d9fa53f3d1b4e770ad37fe
SHA1 hash: e2464454017cd02a8bc6744596c384cf91cdd67e
MD5 hash: f9383b7840ff31fe914e13cd5924993f
humanhash: shade-monkey-shade-jupiter
File name: _8a6c39f97fb86a4ff9dc9226fa8b3445c5fe123abab532ea6afb9be2608780e1.dll
Signature: STXRAT
File size: 2'217'472 bytes
First seen: 2026-04-14 08:59:43 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4ace1d82b82edd3d6398fc649e502a7e (1 x STXRAT)
ssdeep: 24576:I7Pml7Vo2ZXAdQ0YtjvM2GdXVJKMbcBBp6Rb2qHs96eHNuL:2G7V
Threatray: 53 similar samples on MalwareBazaar
TLSH: T16BA50C65423FC874EABEA6368E5F399F0C6B495D003AB1F87A534D909D273128BF4D21
TrID: 51.9% (.EXE) Win64 Executable (generic) (6522/11/2)
      16.1% (.EXE) OS/2 Executable (generic) (2029/13)
      15.9% (.EXE) Generic Win/DOS Executable (2002/3)
      15.9% (.EXE) DOS Executable (generic) (2000/1)
Magika: pebin
Reporter: abuse_ch
Tags: dll exe RAT STXRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 149
Origin country: SE

Vendor Threat Intelligence
No detections

Malware family: n/a
ID: 1
File name: _8a6c39f97fb86a4ff9dc9226fa8b3445c5fe123abab532ea6afb9be2608780e1.dll
Verdict: Malicious activity
Analysis date: 2026-04-10 10:27:50 UTC
Tags: stealer fake-filezilla

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Connection attempt
Sending a custom TCP request
Launching a process
Creating a file in the %temp% subdirectories
Creating a process with a hidden window
Creating a file
Creating a window
Creating synchronization primitives
Query of malicious DNS domain
Verdict: Malicious
File Type: dll x64
First seen: 2026-03-15T00:38:00Z UTC
Last seen: 2026-04-14T15:10:00Z UTC
Hits: ~100
Detections: Trojan.Win64.Reflo.sb PDM:Trojan.Win32.Generic Backdoor.Mirai.HTTP.C&C Backdoor.Agent.HTTP.C&C Trojan.Win64.Reflo.ixa
Result
Threat name: CobaltStrike
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious names
Creates autostart registry keys with suspicious values (likely registry only malware)
Early bird code injection technique detected
Found direct / indirect Syscall (likely to bypass EDR)
Found potential malicious scriptlet (likely CVE-2017-8570)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Dot net compiler compiles file from suspicious location
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected CobaltStrike
Behaviour
Behavior Graph (ID 1897916): sample C4zoZqsnZu.exe, start date 14/04/2026, architecture WINDOWS, score 100. The interactive graph is not reproduced in this text rendering.
Threat name: Win64.Trojan.Supdor
Status: Malicious
First seen: 2026-03-15 05:30:09 UTC
File Type: PE+ (Dll)
AV detection: 24 of 38 (63.16%)
Threat level: 5/5
Result
Malware family: n/a
Score: 9/10
Tags: defense_evasion execution persistence
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Checks system information in the registry
Adds Run key to start application
Checks BIOS information in registry
Badlisted process makes network request
Looks for VMWare Tools registry key
Looks for VMWare services registry key
Enumerates VirtualBox registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Looks for VirtualBox Guest Additions in registry
Unpacked files
SHA256 hash: 8a6c39f97fb86a4ff9dc9226fa8b3445c5fe123abab532ea6afb9be2608780e1
MD5 hash: f9383b7840ff31fe914e13cd5924993f
SHA1 hash: e2464454017cd02a8bc6744596c384cf91cdd67e
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: crime_win64_photoloader_packed
Author: Rony (@r0ny_123)
Description: Detects specific packed photoloader

Rule name: pe_detect_tls_callbacks

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants

Rule name: VECT_Ransomware
Author: Mustafa Bakhit
Description: Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments