MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a26095cf5fff9a7ec04c3fd3fb60372f38f3dc300addf4983e0ce4f7490ef7b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 12


Intelligence 12 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a26095cf5fff9a7ec04c3fd3fb60372f38f3dc300addf4983e0ce4f7490ef7b2
SHA3-384 hash: 30e4aa6060110607d171c03b880314326bd8e5727258044d20d74343b816c1c57a7481e7adbd74ac30d8df7c08897bb2
SHA1 hash: 7181b8d68aac0861ef505e6fe00b6a4e33a06f3f
MD5 hash: 12247ebf4653796ec00abd7c8f59b149
humanhash: tennis-twenty-nineteen-cat
File name:QqcGyAXXOb_dump_64-injected-svchost.exe-
Download: download sample
Signature Stealc
Create hunting rule
File size:747'520 bytes
First seen:2025-04-26 04:08:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b23a826b20a3969b3a9de8d267c2ca81 (2 x Stealc)
ssdeep 12288:278oc9laEnU2j5CHdf3JYzi6GCsVt8nv47wrcxxQe:278oUFnU2j5CHdfZYeFCsVUv4cx
Threatray 12 similar samples on MalwareBazaar
TLSH T1D7F47C2FFBA501F8D4BBC278C9564992E77A74561330978F03E015A63F2B6509F6EB20
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter AzakaSekai
Tags:exe Stealc Stealc-v2

Intelligence

File Origin
# of uploads :
1
# of downloads :
565
Origin country :
NZ NZ
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
QqcGyAXXOb_dump_64-injected-svchost.exe-
Verdict:
No threats detected
Analysis date:
2025-04-26 04:10:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fce40a67-2621-496b-bb08-5fd768b73582

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/4174/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen3.40091.28910.19902.UNOFFICIAL
Create hunting rule

ditekSHen.INDICATOR.Packed.TriumphLoader.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=680c5d3f3d067f8483996d50
Tags:
shellcode packed
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context cmd fingerprint lolbin microsoft_visual_cc
Link:
https://www.filescan.io/uploads/680c5c69218c4a98ade2c4c1/reports/02a32ef2-02ed-4490-bfdb-7dec9810985b/overview
Verdict:
Malicious
Labled as:
Shellcode.Loader.Marte.X.Generic
Link:
https://www.hybrid-analysis.com/sample/a26095cf5fff9a7ec04c3fd3fb60372f38f3dc300addf4983e0ce4f7490ef7b2
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/f41ced1b-57ac-4412-ad59-b426766d2b5a
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1674630
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a26095cf5fff9a7ec04c3fd3fb60372f38f3dc300addf4983e0ce4f7490ef7b2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a26095cf5fff9a7ec04c3fd3fb60372f38f3dc300addf4983e0ce4f7490ef7b2/
Threat name:
Win64.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-04-26 04:09:17 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ujqjlt2776nh5qcmh7j7wybxf44phxbqblo7jgb6btsposio66za._file
Verdict:
malicious
Label(s):
stealc
Create hunting rule
Similar samples:
4f67628770ddf40e1ef854e47ac588029dd4f7973abeca62e87085708d58f9fe
Stealc
536a64b3267c5056b261d71324793571d02a8714bcb8f395927f72f77d004f56
Stealc
640a56ac231ec705c9f0c334f57ccbd0279310bdfe47d5b1b56363a5af163780
Stealc
9a04ea7b557bafd72472be198c5bdc470109683332efed7ebd2a899be1906a91
Stealc
a26095cf5fff9a7ec04c3fd3fb60372f38f3dc300addf4983e0ce4f7490ef7b2
Stealc
b86abdfbad86c5faaa00aeb30fad083c237160377227cad9ad22cc2fd4daa6da
Stealc
error
Stealc
fcc3edcd526b0c746998d72af8ce9cc29b0bd801f767078cc472f93d57eee9ef
Stealc
fe70369d4b479537bb85b333bdb2d56566d6dfb9320c566b25ac6faa904fc317
Stealc
+ 2 additional samples on MalwareBazaar
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:stealc botnet:2edc7cfesy0wsqks
Link:
https://tria.ge/reports/250426-eqxsqsvns6/
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/54074e9f-e16c-407c-b7b6-e12473da5db6
Unpacked files
SH256 hash:
a26095cf5fff9a7ec04c3fd3fb60372f38f3dc300addf4983e0ce4f7490ef7b2
MD5 hash:
12247ebf4653796ec00abd7c8f59b149
SHA1 hash:
7181b8d68aac0861ef505e6fe00b6a4e33a06f3f
Link:
https://www.unpac.me/results/b117294b-37be-4b39-b587-a2e45e2e7bbe/
SH256 hash:
533308eb905f448ff278e32b8e63add76bb83dc2e1ddd10c6419bc635566e6df
MD5 hash:
bdddcd47017b8eeedb8a16286510fb37
SHA1 hash:
112ee78aa443fa1bb229ad2424b0a93d844239ab
Link:
https://www.unpac.me/results/b117294b-37be-4b39-b587-a2e45e2e7bbe/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a26095cf5fff9a7ec04c3fd3fb60372f38f3dc300addf4983e0ce4f7490ef7b2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:aachum_Stealcv2
Create hunting rule
Author:aachum
Description:Detects new version of Stealc.
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Heuristics_ChromeABE
Create hunting rule
Author:Still
Description:attempts to match instructions related to Chrome App-bound Encryption elevation service; possibly spotted amongst infostealers
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

RustyStealer

Executable exe 536a64b3267c5056b261d71324793571d02a8714bcb8f395927f72f77d004f56

Stealc

Executable exe a26095cf5fff9a7ec04c3fd3fb60372f38f3dc300addf4983e0ce4f7490ef7b2

(this sample)

  
Dropped by
SHA256 536a64b3267c5056b261d71324793571d02a8714bcb8f395927f72f77d004f56
Cape
Cape
https://www.capesandbox.com/analysis/4174/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW

Comments