MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5870b765c6fc83f992d149e0f9acabc4fa8e66f23d6820f3ac46e9b9b4738c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Stealc
Vendor detections: 16

SHA256 hash: a5870b765c6fc83f992d149e0f9acabc4fa8e66f23d6820f3ac46e9b9b4738c3
SHA3-384 hash: 14bee1f6e99759a42d77bc3fd48474e864f5407c22e3ac0d78f6791214a049269bcea019478cde8b00b04f43b79466ac
SHA1 hash: 081b2d022e16b8da009cf5462a738b44ea1f5e80
MD5 hash: 18976f34847b41b204d1ea6019dad165
humanhash: nine-texas-black-connecticut
File name: a5870b765c6fc83f992d149e0f9acabc4fa8e66f23d68.exe
Signature: Stealc
File size: 2'293'760 bytes
First seen: 2026-01-23 07:30:12 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f0ea7b7844bbc5bfa9bb32efdcea957c (63 x Sliver, 17 x CobaltStrike, 12 x AsyncRAT)
ssdeep: 49152:y7sR5lKve3uurb/TMvO90d7HjmAFd4A64nsfJ+/udfCpGd/X8mMyHxoloYg15Q6o:C23uvGd/X8
TLSH: T158B56A47B89115B9D0AED2328A6692527B70BC990F3163DB3A60B3F82F737D45E35318
TrID: 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
      23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      9.3% (.EXE) OS/2 Executable (generic) (2029/13)
      9.2% (.EXE) Generic Win/DOS Executable (2002/3)
      9.2% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: abuse_ch
Tags: exe Stealc


Comment by abuse_ch:
Stealc C2:
http://196.251.107.23/04ca1421433e0038.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://196.251.107.23/04ca1421433e0038.php
ThreatFox reference: https://threatfox.abuse.ch/ioc/1736007/

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 126
Origin country: NL
Vendor Threat Intelligence

No detections

Malware family: n/a
ID: 1
File name: _a5870b765c6fc83f992d149e0f9acabc4fa8e66f23d6820f3ac46e9b9b4738c3.exe
Verdict: Malicious activity
Analysis date: 2026-01-23 07:32:48 UTC
Tags: stealer stealc

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 91.7%
Tags: dropper small hype

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-vm golang rozena

Verdict: Malicious
File Type: exe x64
First seen: 2026-01-21T20:44:00Z UTC
Last seen: 2026-01-25T02:04:00Z UTC
Hits: ~100
Detections: Trojan-PSW.Lumma.HTTP.C&C Trojan-PSW.Win32.Lumma.aaln Trojan.Win32.Inject.sb Trojan-PSW.Win64.StealC.sb
Result
Threat name: Tinynuke / Nukebot, AsyncRAT, Clipboard
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signatures:
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Detected Tinynuke / Nukebot malware
Drops PE files with benign system names
Early bird code injection technique detected
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies Internet Explorer zone settings
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Unusual module load detection (module proxying)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected Clipboard Hijacker
Yara detected RedLine Stealer
Yara detected Stealc v2
Yara detected TinyNuke
Behaviour
Behavior Graph: ID 1856194; sample a5870b765c6fc83f992d149e0f9...; start date 23/01/2026; architecture WINDOWS; score 100. The graph image itself is not reproduced here; the nodes and edges that survived extraction are summarised below.

Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 15 other signatures.

Processes started from the root node: a5870b765c6fc83f992d149e0f9acabc4fa8e66f23d68.exe, hBlp9TPkZbdM.exe, svchost.exe, and 7 other processes (one of which contacts 127.0.0.1).

a5870b765c6fc83f992d149e0f9acabc4fa8e66f23d68.exe: Hijacks the control flow in another process; Writes to foreign memory regions; Allocates memory in foreign processes; 3 other signatures. Starts HelpPane.exe.
hBlp9TPkZbdM.exe: Injects code into the Windows Explorer (explorer.exe); Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes.
svchost.exe: Changes security center settings (notifications, updates, antivirus, firewall). Starts MpCmdRun.exe, which starts conhost.exe.

HelpPane.exe network contacts: 62.60.226.159 on port 80 (ASLINE-AS-AP ASLINE LIMITED HK, Iran (Islamic Republic Of)); 196.251.107.23 (ANGANI-AS KE, Seychelles); 196.251.107.61 (ANGANI-AS KE, Seychelles).
HelpPane.exe dropped files: C:\Users\user\AppData\...\s1HKjzcsfxQh.exe (PE32+); C:\Users\user\AppData\...\hBlp9TPkZbdM.exe (PE32+); C:\Users\user\AppData\...\X3RVycHSMEMn.exe (PE32); 9 other malicious files.
HelpPane.exe signatures: Early bird code injection technique detected; Found many strings related to Crypto-Wallets (likely being stolen); Contains functionality to inject code into remote processes; 6 other signatures. Starts X3RVycHSMEMn.exe, MQ8xPqC5MoVS.exe, Pib8bhKC2rPM.exe, and 9 other processes.

X3RVycHSMEMn.exe: drops C:\Users\user\...\7672E5D12EFD1106654546.exe (PE32); Multi AV Scanner detection for dropped file; Found evasive API chain (may stop execution after checking mutex); Creates multiple autostart registry keys; Contains functionality to inject threads in other processes. Starts 7672E5D12EFD1106654546.exe.
7672E5D12EFD1106654546.exe: Multi AV Scanner detection for dropped file; Detected Tinynuke / Nukebot malware; Found evasive API chain (may stop execution after checking mutex); 6 other signatures. Starts dllhost.exe.
dllhost.exe: drops C:\Users\user\AppData\...\FCBA.tmp.zx.exe (PE32+); Detected Tinynuke / Nukebot malware; Found evasive API chain (may stop execution after checking mutex); Found stalling execution ending in API Sleep call; 8 other signatures. Injects into explorer.exe.
explorer.exe (injected): Detected Tinynuke / Nukebot malware; Unusual module load detection (module proxying).

MQ8xPqC5MoVS.exe: drops C:\Users\user\AppData\...\MQ8xPqC5MoVS.tmp (PE32) and starts it. MQ8xPqC5MoVS.tmp drops C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+) and C:\Users\user\AppData\Local\...\_isdecmp.dll (PE32), then starts MQ8xPqC5MoVS.exe again, which drops and starts a second MQ8xPqC5MoVS.tmp; that instance drops _setup64.tmp, _isdecmp.dll and 10 other malicious files and starts eServiceHost.exe.
Pib8bhKC2rPM.exe: drops C:\Users\user\AppData\...\Pib8bhKC2rPM.tmp (PE32) and starts it. Pib8bhKC2rPM.tmp drops C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+), then starts Pib8bhKC2rPM.exe again, which drops and starts a second Pib8bhKC2rPM.tmp; that instance drops _setup64.tmp, C:\ProgramData\...\vcruntime140_1.dll (copy) (PE32+), C:\ProgramData\...\vcruntime140.dll (copy) (PE32+) and 10 other malicious files.
"9 other processes" node (child of HelpPane.exe): drops C:\Users\user\Pictures\svchost.exe (PE32+) and C:\Users\user\AppData\...\Nj6Cp8ZRLYXD.tmp (PE32); Injects code into the Windows Explorer (explorer.exe); Uses schtasks.exe or at.exe to add and modify task schedules; Writes to foreign memory regions; 4 other signatures. Starts Nj6Cp8ZRLYXD.tmp and two schtasks.exe instances (each with its own conhost.exe).
Nj6Cp8ZRLYXD.tmp drops C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+) and starts Nj6Cp8ZRLYXD.exe, which drops and starts a second Nj6Cp8ZRLYXD.tmp; that instance drops _setup64.tmp and 10 other malicious files and starts eServiceHost.exe.
eServiceHost.exe: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function).
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Threat name: Win64.Spyware.Stealc
Status: Suspicious
First seen: 2026-01-22 00:41:29 UTC
File Type: PE+ (Exe)
Extracted files: 2
AV detection: 21 of 36 (58.33%)
Threat level: 2/5

Verdict: malicious
Label(s):
Similar samples:

Result
Malware family:
Score: 10/10
Tags: family:stealc botnet:crypted stealer
Behaviour:
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Stealc
Stealc family
Malware Config
C2 Extraction: http://196.251.107.23

Unpacked files
SHA256 hash: a5870b765c6fc83f992d149e0f9acabc4fa8e66f23d6820f3ac46e9b9b4738c3
MD5 hash: 18976f34847b41b204d1ea6019dad165
SHA1 hash: 081b2d022e16b8da009cf5462a738b44ea1f5e80
Malware family: Stealc.v2
Verdict: Malicious

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__ConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name: DetectGoMethodSignatures
Author: Wyatt Tauber
Description: Detects Go method signatures in unpacked Go binaries

Rule name: Detect_Go_GOMAXPROCS
Author: Obscurity Labs LLC
Description: Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata

Rule name: GoBinTest

Rule name: golang

Rule name: Golangmalware
Author: Dhanunjaya
Description: Malware in Golang

Rule name: golang_binary_string
Description: Golang strings present

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: golang_duffcopy_amd64

Rule name: Golang_Find_CSC846
Author: Ashar Siddiqui
Description: Find Go Signatures

Rule name: Golang_Find_CSC846_Simple
Author: Ashar Siddiqui
Description: Find Go Signatures

Rule name: HiveRansomware
Author: Dhanunjaya
Description: Yara Rule To Detect Hive V4 Ransomware

Rule name: identity_golang
Author: Eric Yocam
Description: find Golang malware

Rule name: ProgramLanguage_Golang
Author: albertzsigovits
Description: Application written in Golang programming language

Rule name: RANSOMWARE
Author: ToroGuitar

Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Suspicious_Golang_Binary
Author: Tim Machac
Description: Triage: Golang-compiled binary with suspicious OS/persistence/network strings (not family-specific)

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments