MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b65b8935969a153fe8e5cf18ec799e868328bd2ba1f5c6cbc5abfe437fed851. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Stealc


Vendor detections: 16



SHA256 hash: 9b65b8935969a153fe8e5cf18ec799e868328bd2ba1f5c6cbc5abfe437fed851
SHA3-384 hash: 1ddde2193bfe23c3f4abee04073ca6f4bd3591de4651ed54d871d71966c5e6ef3b3f640a06d1db0d4dad22b98e1e3a07
SHA1 hash: 56d3d039a033d7fefa49fe07dd42cbc2a4a0aec6
MD5 hash: 5e37faab506b470afc2f8d8cf02c9a49
humanhash: blossom-uncle-music-yellow
File name: s8nn1xPrUrd.exe
Signature Stealc
File size: 2'872'320 bytes
First seen: 2025-09-17 18:46:54 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash d3b8060c77e25bad949642210b0e3d82 (2 x LummaStealer, 1 x Stealc)
ssdeep 49152:nkjfR5nJjR0AqEJrCPYsCFGZQ3xddxvWCmB2ne5HGtScX+YI9sROWCUSihhRJ2On:nkjfR5nJjR0AqEJrCPYsCFGZQ3xddxvT
Threatray 88 similar samples on MalwareBazaar
TLSH T11BD5BF25FC36918AECE34071BF39D211E5323D37DF28266B90DC4D900565DEEAA2E17A
TrID 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter aachum
Tags: dropped-by-gcleaner exe LogsDiller Stealc


iamaachum
Stealc C2: http://chrome1update.shop/afc4f85e6b33b2f0.php

Intelligence


File Origin
# of uploads :
1
# of downloads :
122
Origin country :
ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Soft.exe
Verdict:
Malicious activity
Analysis date:
2025-09-17 18:37:03 UTC
Tags:
gcleaner loader stealc stealer auto generic

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating synchronization primitives
DNS request
Connection attempt
Sending an HTTP POST request
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
fingerprint microsoft_visual_cc packed
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-09-17T15:27:00Z UTC
Last seen:
2025-09-17T15:27:00Z UTC
Hits:
~100
Result
Threat name:
Stealc v2, Xmrig
Detection:
malicious
Classification:
troj.adwa.spyw.evad.mine
Score:
100 / 100
Signature
.NET source code contains process injector
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
DNS related to crypt mining pools
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sample uses string decryption to hide its real strings
Sigma detected: Disable power options
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Stop EventLog
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
Yara detected Stealc v2
Yara detected Xmrig cryptocurrency miner
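Several of the signatures above describe host-side defence evasion that is easy to miss if you only read the raw command line: a Defender exclusion hidden behind a Base64-encoded MpPreference cmdlet, powercfg changes that stop the host from sleeping, stopping the EventLog service via sc.exe, and hosts-file tampering. The triage helper below is an added example, not MalwareBazaar or sandbox-vendor code. Every event in it is constructed to resemble those techniques; none is taken from this sample, and the exclusion path in the encoded payload is hypothetical. It decodes the -EncodedCommand argument (UTF-16LE, then Base64, which is how PowerShell expects it) before applying the pattern checks, so the encoded case is caught the same way as the plain one.

```python
"""Triage process-creation events for the evasion behaviours listed above.

Added example; not MalwareBazaar or sandbox-vendor code. All events are
constructed, and the exclusion path in ENCODED_PAYLOAD is hypothetical.
"""
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Hypothetical exclusion path, used only to build the constructed event.
ENCODED_PAYLOAD = "Add-MpPreference -ExclusionPath 'C:\\ProgramData\\Updater'"

# Constructed events: (image path, command line). The first wraps the cmdlet
# the way PowerShell expects for -EncodedCommand: UTF-16LE, then Base64.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -NoP -W Hidden -Enc "
     + base64.b64encode(ENCODED_PAYLOAD.encode("utf-16-le")).decode("ascii")),
    (r"C:\Windows\System32\powercfg.exe", "powercfg /x -standby-timeout-ac 0"),
    (r"C:\Windows\System32\sc.exe", "sc stop eventlog"),
    (r"C:\Windows\System32\cmd.exe",
     r"cmd /c echo 127.0.0.1 example.invalid >> C:\Windows\System32\drivers\etc\hosts"),
    (r"C:\Windows\System32\notepad.exe", "notepad.exe readme.txt"),
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the common
# prefixes are listed. The captured group is the Base64 token that follows.
_ENC_FLAG = re.compile(
    r"(?:^|\s)[-/](?:e|ec|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)
_DEFENDER_EXCLUSION = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension|IpAddress)",
    re.IGNORECASE | re.DOTALL,
)
_POWERCFG_CHANGE = re.compile(
    r"(?:^|\s)[-/](?:x|change|h|hibernate|setacvalueindex|setdcvalueindex)\b",
    re.IGNORECASE,
)
_STOP_EVENTLOG = re.compile(r"\bstop\b.*\beventlog\b", re.IGNORECASE)
_HOSTS_FILE = re.compile(r"drivers\\etc\\hosts\b", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a -EncodedCommand argument, or None.

    Bad Base64 or a payload that is not valid UTF-16LE yields None instead
    of raising, so one malformed event cannot abort a batch run.
    """
    match = _ENC_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def classify(image: str, cmdline: str) -> List[str]:
    """Return the behaviour labels that apply to one event.

    The decoded PowerShell payload is appended to the searched text, so an
    exclusion hidden behind -EncodedCommand is caught like a plain one.
    """
    name = image.rsplit("\\", 1)[-1].lower()
    findings: List[str] = []
    searchable = cmdline
    decoded = None
    if name in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(cmdline)
    if decoded:
        findings.append("powershell_encoded_command")
        searchable = cmdline + "\n" + decoded
    if _DEFENDER_EXCLUSION.search(searchable):
        findings.append("defender_exclusion_added")
    if name == "powercfg.exe" and _POWERCFG_CHANGE.search(cmdline):
        findings.append("power_options_modified")
    if name == "sc.exe" and _STOP_EVENTLOG.search(cmdline):
        findings.append("eventlog_service_stopped")
    if _HOSTS_FILE.search(searchable):
        findings.append("hosts_file_write")
    return findings


def triage(events):
    """Map each command line that has at least one finding to its labels."""
    result = {}
    for image, cmdline in events:
        labels = classify(image, cmdline)
        if labels:
            result[cmdline] = labels
    return result


if __name__ == "__main__":
    for cmdline, labels in triage(SAMPLE_EVENTS).items():
        print(", ".join(labels), "<-", cmdline[:80])
```

The image-name gate on powercfg.exe and sc.exe keeps a copied-and-pasted argument string in an unrelated process from firing, while the Defender and hosts-file checks run over every event because the relevant text can appear in PowerShell, cmd.exe or a script host alike.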
Behaviour
Behavior Graph: ID 1779529; sample s8nn1xPrUrd.exe; start date 17/09/2025; architecture WINDOWS; score 100. The rendered graph is not recoverable here; the nodes and edges it carried are summarised below.

Network:
  xmr-eu1.nanopool.org (DNS related to crypt mining pools)
  chrome1update.shop -> 172.67.220.95, port 80 (CLOUDFLARENETUS, United States), contacted by MSBuild.exe
  michelsaliba.com.br -> 148.113.216.81, port 80 (GOOGLE-PRIVATE-CLOUDUS, United States), contacted by MSBuild.exe
Root-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 23 other signatures.

Process tree:
  s8nn1xPrUrd.exe (Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes)
    MSBuild.exe, three instances (Found many strings related to Crypto-Wallets; Tries to harvest and steal browser information; Writes to foreign memory regions; 3 other signatures; one instance: Switches to a custom stack to bypass stack traces)
      dropped: C:\Users\user\AppData\...\OLLP9YpqSpYA.exe (PE32+)
      dropped: C:\Users\user\AppData\...\chrome_134[1].exe (PE32+)
      OLLP9YpqSpYA.exe (Antivirus detection for dropped file; Query firmware table information; Uses powercfg.exe to modify the power settings; 8 other signatures)
        dropped: C:\ProgramDatabehaviorgraphoogle\Chrome\updater.exe (PE32+; path as extracted, middle segment garbled)
        dropped/modified: C:\Windows\System32\drivers\etc\hosts (ASCII)
        powershell.exe (Found suspicious powershell code related to unpacking or dynamic code loading; Loading BitLocker PowerShell Module) -> conhost.exe
        cmd.exe -> conhost.exe, wusa.exe
        powercfg.exe -> conhost.exe
        13 other processes -> conhost.exe instances, 9 other processes
      conhost.exe, chrome.exe, 2 other processes
  updater.exe (Antivirus detection for dropped file; Query firmware table information; Tries to detect sandboxes and other dynamic analysis tools (window names); 8 other signatures)
    dropped: C:\Windows\Temp\rgnjfvdbjwqd.sys (PE32+)
    powershell.exe (Loading BitLocker PowerShell Module) -> conhost.exe
    cmd.exe -> 2 other processes
    sc.exe -> conhost.exe
    10 other processes -> 8 other processes
  powershell.exe (Found many strings related to Crypto-Wallets; Modifies the context of a thread in another process)
    dllhost.exe (Injects code into the Windows Explorer (explorer.exe); Creates a thread in another existing process; Injects a PE file into a foreign processes; 3 other processes)
    conhost.exe
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Threat name:
Win64.Trojan.Lazy
Status:
Malicious
First seen:
2025-09-17 18:50:51 UTC
File Type:
PE+ (Exe)
AV detection:
30 of 38 (78.95%)
Threat level:
5/5
Result
Malware family:
Score:
10/10
Tags:
family:stealc botnet:logsdillercloud2 discovery stealer
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Stealc
Stealc family
Malware Config
C2 Extraction:
http://chrome1update.shop
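The extracted C2 above, together with the contacted domains and resolved addresses in the behaviour graph, is what most readers will want to sweep their own telemetry for. The matcher below is an added example, not MalwareBazaar tooling. The indicators are copied from this entry; the DNS and web-proxy log lines are constructed and not taken from the sandbox run. It matches on the full C2 URL and on domain (including subdomains) with high confidence, and deliberately scores an IP-only hit on 172.67.220.95 as low, because that address sits in CLOUDFLARENETUS shared infrastructure and will also serve unrelated sites.

```python
"""Match this entry's network indicators against DNS and proxy log lines.

Added example; not MalwareBazaar tooling. Indicators come from the entry;
LOG_LINES are constructed and not from the sandbox run.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

C2_URLS = {"http://chrome1update.shop/afc4f85e6b33b2f0.php"}
DOMAINS = {"chrome1update.shop", "michelsaliba.com.br", "xmr-eu1.nanopool.org"}
# Addresses resolved at analysis time. 172.67.220.95 is in CLOUDFLARENETUS
# shared infrastructure, so an IP-only hit there is weak evidence.
IPS: Dict[str, str] = {"172.67.220.95": "low", "148.113.216.81": "medium"}

LOG_LINES = [  # constructed, key=value style
    "2025-09-17T18:40:01Z dns client=10.0.0.12 query=chrome1update.shop type=A",
    "2025-09-17T18:40:02Z proxy client=10.0.0.12 method=POST "
    "url=http://chrome1update.shop/afc4f85e6b33b2f0.php dst=172.67.220.95 status=200",
    "2025-09-17T18:40:03Z dns client=10.0.0.12 query=xmr-eu1.nanopool.org type=A",
    "2025-09-17T18:41:10Z proxy client=10.0.0.33 method=GET "
    "url=https://www.example.com/ dst=172.67.220.95 status=200",
    "2025-09-17T18:41:11Z dns client=10.0.0.33 query=www.example.com type=A",
]

Finding = Tuple[str, str, str]  # (indicator type, value, confidence)
_KV = re.compile(r"(\w+)=(\S+)")
_RANK = {"low": 0, "medium": 1, "high": 2}


def match_domain(name: str) -> Optional[str]:
    """Return the listed domain that `name` equals or is a subdomain of."""
    name = name.lower().rstrip(".")
    for domain in DOMAINS:
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def match_line(line: str) -> List[Finding]:
    """Return every indicator hit in one log line, with a confidence label."""
    fields = dict(_KV.findall(line))
    findings: List[Finding] = []
    if "query" in fields:
        hit = match_domain(fields["query"])
        if hit:
            findings.append(("domain", hit, "high"))
    if "url" in fields:
        url = fields["url"]
        if url in C2_URLS:
            findings.append(("c2_url", url, "high"))
        hit = match_domain(urlsplit(url).hostname or "")
        if hit:
            findings.append(("domain", hit, "high"))
    dst = fields.get("dst")
    if dst in IPS:
        # Shared hosting: confidence comes from the IPS table, not a flat "high".
        findings.append(("ip", dst, IPS[dst]))
    return findings


def triage(lines) -> List[Tuple[str, List[Finding]]]:
    """Return (client, findings) for each line with at least one hit."""
    hits = []
    for line in lines:
        findings = match_line(line)
        if findings:
            client = dict(_KV.findall(line)).get("client", "?")
            hits.append((client, findings))
    return hits


def summarize(lines) -> Dict[str, str]:
    """Highest confidence reached per client, so IP-only hits stay visible as weak."""
    best: Dict[str, str] = {}
    for client, findings in triage(lines):
        for _, _, conf in findings:
            if client not in best or _RANK[conf] > _RANK[best[client]]:
                best[client] = conf
    return best


if __name__ == "__main__":
    for client, conf in summarize(LOG_LINES).items():
        print(client, conf)
```

In the constructed data 10.0.0.12 resolves and POSTs to the C2 path and reaches for the mining pool, so it ends at high confidence, while 10.0.0.33 only touched the shared Cloudflare address for an unrelated site and stays at low, which is the triage distinction the IPS table exists to preserve.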
Unpacked files
SHA256 hash:
9b65b8935969a153fe8e5cf18ec799e868328bd2ba1f5c6cbc5abfe437fed851
MD5 hash:
5e37faab506b470afc2f8d8cf02c9a49
SHA1 hash:
56d3d039a033d7fefa49fe07dd42cbc2a4a0aec6
Malware family:
Stealc.v2
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe 9b65b8935969a153fe8e5cf18ec799e868328bd2ba1f5c6cbc5abfe437fed851

(this sample)

Dropped by
GCleaner
Delivery method
Distributed via web download

Comments