MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9e1d71f44a78776c7ad49f9491f24e2afc3940b905a9b6598c3c4d187bb952c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9e1d71f44a78776c7ad49f9491f24e2afc3940b905a9b6598c3c4d187bb952c6
SHA3-384 hash: 6f3a4efb11e6d764fab72e01f6ee0d2782ba889e2531fc7eed93d25ea11dcb387c0e04c6d8eaf224147b01b625ecc6ad
SHA1 hash: e9464430fa4bf29b141f39a033224d8748c0a9da
MD5 hash: 1fa4e9131a13ac94778caf99d7c232ab
humanhash: dakota-ohio-magazine-princess
File name:file
Download: download sample
Signature Stealc
Create hunting rule
File size:3'919'424 bytes
First seen:2025-10-31 19:13:42 UTC
Last seen:2025-10-31 21:19:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a56f115ee5ef2625bd949acaeec66b76 (53 x Stealc, 46 x PureHVNC, 28 x RedLineStealer)
ssdeep 49152:GyK5cMyoFN6o8vuM9dflj+RbHf6jILgn+OwBzpuWOgYBgmc5i+M2cWgXRt90:GyoFidDdNgmsJbIWOnc5i+3cWgXRw
Threatray 105 similar samples on MalwareBazaar
TLSH T176062220D94F119CCA982EBCE2C46735F5FF6CB09964640FB88D7D0F5E3524ABB4462A
TrID 38.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.6% (.ICL) Windows Icons Library (generic) (2059/9)
15.4% (.EXE) OS/2 Executable (generic) (2029/13)
15.2% (.EXE) Generic Win/DOS Executable (2002/3)
15.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe fbf543 Stealc


Avatar
Bitsight
url: http://178.16.55.189/files/5917492177/q9AG9qV.exe

Intelligence

File Origin
# of uploads :
5
# of downloads :
111
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9e1d71f44a78776c7ad49f9491f24e2afc3940b905a9b6598c3c4d187bb952c6.bin.exe
Verdict:
Malicious activity
Analysis date:
2025-10-31 19:15:58 UTC
Tags:
stealc stealer themida
Link:
https://app.any.run/tasks/9811dd21-506a-4a4e-834e-4206f47c6d1a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Stealc
Create hunting rule
Link:
https://www.capesandbox.com/analysis/34922/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69050a9f706befaf4ecac675
Tags:
injection cobalt packed virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending an HTTP POST request to an infection source
DNS request
Connection attempt
Connection attempt to an infection source
Gathering data
Verdict:
Malicious
Labled as:
Mikey.Generic
Link:
https://www.hybrid-analysis.com/sample/9e1d71f44a78776c7ad49f9491f24e2afc3940b905a9b6598c3c4d187bb952c6
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-10-31T16:27:00Z UTC
Last seen:
2025-11-02T11:33:00Z UTC
Hits:
~100
Detections:
VHO:Trojan-PSW.Win32.Lumma.xhg Trojan-PSW.Lumma.HTTP.C&C PDM:Trojan.Win32.Generic VHO:Trojan-PSW.Win32.Lumma.gen Trojan-PSW.Win32.Lumma.xhg
Link:
https://opentip.kaspersky.com/9e1d71f44a78776c7ad49f9491f24e2afc3940b905a9b6598c3c4d187bb952c6/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/7c546461-0df5-4373-a140-d04af3c5d303
Score:
64%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/9e1d71f44a78776c7ad49f9491f24e2afc3940b905a9b6598c3c4d187bb952c6
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/1fa4e9131a13ac94778caf99d7c232ab
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9e1d71f44a78776c7ad49f9491f24e2afc3940b905a9b6598c3c4d187bb952c6/
Verdict:
Malicious
Threat:
Family.STEALC
Link:
https://tip.neiki.dev/file/9e1d71f44a78776c7ad49f9491f24e2afc3940b905a9b6598c3c4d187bb952c6
Threat name:
Win64.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-10-31 19:15:59 UTC
File Type:
PE+ (Exe)
Extracted files:
18
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tyoxd5ckpb3wy6wut6kjd4sofl6dsqfzawu3mwmmhrgrq65zklda._file
Verdict:
malicious
Label(s):
shellcode_loader_007
Create hunting rule
Similar samples:
2b091c0eab9477231eb8a65bf5094050829961f5e31580c466e3d228692ce715
Stealc
40062fc584624b5295f5ee7e1b942c561186a07f5adbaa64d3b53e09fae0be88
Stealc
5a4a506bd9bef25b31aebdc7ee588a7af4c2ea507bb6cd3de1453c60fc6d053a
Stealc
6cd64f365082097c06d80ea848bdf6b885e7618e7f30478fbb83689d0ac9a063
Stealc
8299d0550bae005d4bac1b306a02ce2bb03910b5431b26362ffbdd5597fed2d0
Stealc
95595f85b6c244e4e5b496c5342ca0fabe469a8f3887117fb8149c7b664c4da9
Stealc
c37d93385f10213d3059eac34996e589f415458989499fd281fdef5b7d929986
Stealc
cb1c92b17ae5606bf62b6d0eaabf99c49c8e3bfac1540cf4cc25a9d2ed1629b7
Stealc
error
Stealc
f65e9847a1712a2d5f3e92073cff994b8a8e3875dc83d86841c629a3b9807089
Stealc
+ 95 additional samples on MalwareBazaar
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:stealc botnet:tr1pernn defense_evasion stealer themida trojan
Link:
https://tria.ge/reports/251031-xxxenaan2y/
Behaviour
Checks whether UAC is enabled
Checks BIOS information in registry
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Stealc
Stealc family
Malware Config
C2 Extraction:
http://178.16.54.175
Unpacked files
SH256 hash:
9e1d71f44a78776c7ad49f9491f24e2afc3940b905a9b6598c3c4d187bb952c6
MD5 hash:
1fa4e9131a13ac94778caf99d7c232ab
SHA1 hash:
e9464430fa4bf29b141f39a033224d8748c0a9da
Link:
https://www.unpac.me/results/697e81f2-836b-45d0-a4b3-8fefde51a5e0/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9e1d71f44a78/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/9e1d71f44a78776c7ad49f9491f24e2afc3940b905a9b6598c3c4d187bb952c6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe 9e1d71f44a78776c7ad49f9491f24e2afc3940b905a9b6598c3c4d187bb952c6

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3692181/
Cape
Cape
https://www.capesandbox.com/analysis/34922/

Comments