MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1aa30190c7000337b4e3466db07dad3cff5d2b61ebeeecf1bda85fb27677e68. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

StealeriumStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	b1aa30190c7000337b4e3466db07dad3cff5d2b61ebeeecf1bda85fb27677e68
SHA3-384 hash:	ff9a4b6999369ddb6a3423b05962580a7bbfb9d278eb6ae0d37abe6f6fb137d83bfc515dc32ca5ee3834afc47b1d425c
SHA1 hash:	509d650261f34c9d1ca31050fd5b5fe412389805
MD5 hash:	79d48a321c2a2eebc20bf93d4243be4f
humanhash:	louisiana-potato-three-utah
File name:	MTDYN20260906.exe
Download:	download sample
Signature	StealeriumStealer Create hunting rule
File size:	25'088 bytes
First seen:	2026-06-09 12:51:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a2706f6f638154d2b431abe5e1551efb (2 x StealeriumStealer)
ssdeep	768:XpmljpNfUDnCy8Dbmk5lwOClqAAAAAAUY:Xpm9pRUDnCyGbmk5OOCjY
TLSH	T1D4B23B05E3A300BCC89DC7B1C16B5512EEBE3C172B50BADF67A126297C30794B529EB5
TrID	51.9% (.EXE) Win64 Executable (generic) (6522/11/2) 16.1% (.EXE) OS/2 Executable (generic) (2029/13) 15.9% (.EXE) Generic Win/DOS Executable (2002/3) 15.9% (.EXE) DOS Executable (generic) (2000/1)
Magika	pebin
dhash icon	74f4d4d4cce4e8e0 (27 x AgentTesla, 20 x Formbook, 17 x DBatLoader)
Reporter	threatcat_ch
Tags:	exe StealeriumStealer

Intelligence

File Origin

# of uploads :

# of downloads :

119

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

_b1aa30190c7000337b4e3466db07dad3cff5d2b61ebeeecf1bda85fb27677e68.exe

Verdict:

No threats detected

Analysis date:

2026-06-09 12:54:48 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/ed0ffe66-853d-4c5f-90d0-83a20a1fe4ef

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/70302/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a280c61a15110463ee43a33

Tags:

obfuscated ransomware emotet virus

Result

Verdict:

Clean

Maliciousness:

Behaviour

Connection attempt

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

hacktool

Link:

https://www.filescan.io/uploads/6a280c5dbf16337e43be2b99/reports/1ce511f0-3a76-487a-9d56-e62a770fbb99/overview

Verdict:

Malicious

Labled as:

Ser.Cerbu.Generic

Link:

https://www.hybrid-analysis.com/sample/b1aa30190c7000337b4e3466db07dad3cff5d2b61ebeeecf1bda85fb27677e68

Verdict:

Malicious

File Type:

exe x64

First seen:

2026-06-09T06:28:00Z UTC

Last seen:

2026-06-10T10:47:00Z UTC

Hits:

~1000

Detections:

VHO:Trojan.MSIL.Inject.gen VHO:Trojan.MSIL.Convagent.gen VHO:Trojan.MSIL.Inject.acrfg HEUR:Trojan.Win32.Generic Trojan.MSIL.Inject.acrfg

Link:

https://opentip.kaspersky.com/b1aa30190c7000337b4e3466db07dad3cff5d2b61ebeeecf1bda85fb27677e68/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/d33fca2e-436a-42b5-9128-98e4f8e3c6fe

Result

Threat name:

n/a

Detection:

malicious

Classification:

troj

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/1925088

Signature

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for submitted file

Uses dynamic DNS services

Behaviour

Behavior Graph:

Download SVG

Score:

40%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/b1aa30190c7000337b4e3466db07dad3cff5d2b61ebeeecf1bda85fb27677e68

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b1aa30190c7000337b4e3466db07dad3cff5d2b61ebeeecf1bda85fb27677e68/

Verdict:

Malicious

Threat:

VHO:Trojan.MSIL.Inject

Link:

https://tip.neiki.dev/file/b1aa30190c7000337b4e3466db07dad3cff5d2b61ebeeecf1bda85fb27677e68

Threat name:

Win64.Trojan.Cerbu

Status:

Malicious

First seen:

2026-06-09 10:06:33 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

11 of 36 (30.56%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wgvdagimoaadg62ogrtnwb622ph7luvwd27o5ty33kc7wj3hpzua._file

Result

Malware family:

n/a

Score:

7/10

Tags:

collection defense_evasion discovery persistence spyware stealer trojan

Link:

https://tria.ge/reports/260609-p3vh9abt2m/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies system certificate store

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

outlook_office_path

outlook_win_path

Browser Information Discovery

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks BIOS information in registry

Executes dropped EXE

Reads WinSCP keys stored on the system

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

b1aa30190c7000337b4e3466db07dad3cff5d2b61ebeeecf1bda85fb27677e68

MD5 hash:

79d48a321c2a2eebc20bf93d4243be4f

SHA1 hash:

509d650261f34c9d1ca31050fd5b5fe412389805

Link:

https://www.unpac.me/results/5121f051-cdc6-4b17-86f3-121467486ca8/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b1aa30190c7000337b4e3466db07dad3cff5d2b61ebeeecf1bda85fb27677e68

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/70302/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample