MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b3a49ed46957bea9b6fa46b6f67445bc6e8885ae200c811a4b038d939b369aac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DestinyStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 20 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b3a49ed46957bea9b6fa46b6f67445bc6e8885ae200c811a4b038d939b369aac
SHA3-384 hash: 8f899a45a6f1bc20226188164cbb65aa01241e55a74357783b0cc60f24833430624562e7accc7499b6ec3ec2007032d3
SHA1 hash: 672d96a261ebbe542ee9772647713bde95242380
MD5 hash: e012a3a91194c52eaa1a52806ee08674
humanhash: lactose-sink-lion-sodium
File name:ZjzKL2r.exe
Download: download sample
Signature DestinyStealer
Create hunting rule
File size:12'950'528 bytes
First seen:2025-09-07 16:47:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 393216:U4fTYzcEwVNZHSzJlxfgBy5ZBjl4ObMGTVMC1x4ITOugKDIe8SLJyX:U+mcLVDHSlbfgBy5h4OwGFT/ceF1yX
TLSH T167D6FBB46D37E0BD6A7DB080CE9B710E8D9A9722826450F70AED17486738DD6B407E73
TrID 52.9% (.EXE) Win32 Executable (generic) (4504/4/1)
23.5% (.EXE) Generic Win/DOS Executable (2002/3)
23.5% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:DestinyStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
73
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b3a49ed46957bea9b6fa46b6f67445bc6e8885ae200c811a4b038d939b369aac.exe
Verdict:
Malicious activity
Analysis date:
2025-09-06 15:02:12 UTC
Tags:
stealer themida api-base64 zerotrace arch-doc arch-html
Link:
https://app.any.run/tasks/0945a7a6-fcfb-4c5d-b91b-068228857f33

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/26129/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68bc4cf63e988eb6ab842bfe
Tags:
shell spawn sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Enabling the 'hidden' option for analyzed file
Using the Windows Management Instrumentation requests
Launching a process
Adding an access-denied ACE
Creating a file in the %temp% directory
Creating a file in the %AppData% directory
Reading critical registry keys
Changing a file
Launching a service
Creating a file
Creating a window
Creating a process from a recently created file
Creating a process with a hidden window
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed packed themidawinlicense
Link:
https://www.filescan.io/uploads/68bdb76620d0ee406d992c4e/reports/8e2e6ba6-4c67-4208-9309-da3b38e5c12c/overview
Verdict:
Malicious
Labled as:
Suspicious:Packed.NSAnti.b.flgf
Link:
https://www.hybrid-analysis.com/sample/b3a49ed46957bea9b6fa46b6f67445bc6e8885ae200c811a4b038d939b369aac
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-06T12:12:00Z UTC
Last seen:
2025-09-06T12:12:00Z UTC
Hits:
~10
Detections:
Trojan.PowerShell.Agent.sb Backdoor.Win32.Phpw.fbc Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Coins.sb Trojan-Dropper.Win32.Dapato.sb Trojan.MSIL.Crypt.sb Trojan.Win32.Miner.a Trojan.Miner.HTTP.ServerRequest HEUR:Backdoor.Win32.Generic not-a-virus:PSWTool.MSIL.BroPass.sb
Link:
https://opentip.kaspersky.com/b3a49ed46957bea9b6fa46b6f67445bc6e8885ae200c811a4b038d939b369aac/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/2b717337-5912-4ad0-b6e7-e4725c531f1e
Result
Threat name:
Destiny Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1772691
Signature
AI detected malicious Powershell script
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Attempt to bypass Chrome Application-Bound Encryption
Bypasses PowerShell execution policy
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Potential Data Stealing Via Chromium Headless Debugging
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected BrowsingHistoryView browser history reader tool
Yara detected Destiny Stealer
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1772691 Sample: ZjzKL2r.exe Startdate: 07/09/2025 Architecture: WINDOWS Score: 100 78 Malicious sample detected (through community Yara rule) 2->78 80 Antivirus / Scanner detection for submitted sample 2->80 82 Multi AV Scanner detection for submitted file 2->82 84 9 other signatures 2->84 8 ZjzKL2r.exe 26 2->8         started        13 msedge.exe 2->13         started        process3 dnsIp4 58 205.209.99.112, 49767, 8888 IS-AS-1US United States 8->58 52 C:\Users\user\AppData\...\cookieextract.ps1, ASCII 8->52 dropped 54 C:\Users\user\AppData\...\ZjzKL2r.exe.log, ASCII 8->54 dropped 86 Detected unpacking (changes PE section rights) 8->86 88 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->88 90 Tries to detect sandboxes and other dynamic analysis tools (window names) 8->90 92 9 other signatures 8->92 15 powershell.exe 8->15         started        19 grpconv.exe 2 8->19         started        22 grpconv.exe 1 8->22         started        30 13 other processes 8->30 60 239.255.255.250 unknown Reserved 13->60 24 msedge.exe 13->24         started        26 msedge.exe 13->26         started        28 msedge.exe 13->28         started        file5 signatures6 process7 dnsIp8 64 127.0.0.1 unknown unknown 15->64 72 Attempt to bypass Chrome Application-Bound Encryption 15->72 74 Found many strings related to Crypto-Wallets (likely being stolen) 15->74 32 chrome.exe 15->32         started        35 msedge.exe 15->35         started        37 msedge.exe 15->37         started        39 2 other processes 15->39 50 C:\Users\user\AppData\...\places.sqlite-shm, data 19->50 dropped 76 Tries to harvest and steal browser information (history, passwords, etc) 19->76 66 s-part-0012.t-0009.t-msedge.net 13.107.246.40, 443, 49726, 49740 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 24->66 68 ln-0007.ln-msedge.net 150.171.22.17, 443, 49710 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 24->68 70 32 other IPs or domains 24->70 file9 signatures10 process11 dnsIp12 56 192.168.2.5, 138, 443, 49675 unknown unknown 32->56 41 chrome.exe 32->41         started        44 chrome.exe 32->44         started        46 msedge.exe 35->46         started        48 msedge.exe 37->48         started        process13 dnsIp14 62 www.google.com 142.250.80.4, 443, 49696, 49701 GOOGLEUS United States 41->62
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b3a49ed46957bea9b6fa46b6f67445bc6e8885ae200c811a4b038d939b369aac
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
.Net Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/e012a3a91194c52eaa1a52806ee08674
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b3a49ed46957bea9b6fa46b6f67445bc6e8885ae200c811a4b038d939b369aac/
Verdict:
Malicious
Threat:
Trojan.Win32.Miner
Link:
https://tip.neiki.dev/file/b3a49ed46957bea9b6fa46b6f67445bc6e8885ae200c811a4b038d939b369aac
Threat name:
Win32.Trojan.GenSteal
Create hunting rule
Status:
Malicious
First seen:
2025-09-06 15:02:14 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
22 of 37 (59.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wosj5vdjk67ktnx2i23pm5cfxrxirbnoeagicgslaogzhgzwtkwa._file
Verdict:
malicious
Label(s):
admintool_extpassword
Create hunting rule
admintool_bulletpassview
Create hunting rule
zerotracestealer
Create hunting rule
admintool_iepassview
Create hunting rule
admintool_credentialsfileview
Create hunting rule
nirsoft
Create hunting rule
admintool_mailpassview
Create hunting rule
Similar samples:
error
DestinyStealer
Result
Malware family:
n/a
Score:
  9/10
Tags:
credential_access defense_evasion discovery execution stealer
Link:
https://tria.ge/reports/250907-vbf5fasnt6/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks BIOS information in registry
Identifies Wine through registry keys
Uses browser remote debugging
Detected Nirsoft tools
Identifies VirtualBox via ACPI registry values (likely anti-VM)
NirSoft WebBrowserPassView
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/30744935-3692-4a58-ad47-91cff72c7cca
Unpacked files
SH256 hash:
b3a49ed46957bea9b6fa46b6f67445bc6e8885ae200c811a4b038d939b369aac
MD5 hash:
e012a3a91194c52eaa1a52806ee08674
SHA1 hash:
672d96a261ebbe542ee9772647713bde95242380
Link:
https://www.unpac.me/results/9e85cda8-024a-4e17-90f3-fe9abb837c49/
SH256 hash:
3685bc9f3014a7de5d8ad87ecf464d33ee2fb583c657c665e8d753fdd53bcbe1
MD5 hash:
84f94c90716bb797872affbab6670d4f
SHA1 hash:
5555c2c1577c323b91473911f89655d9d436d461
Detections:
INDICATOR_TOOL_EdgeCookiesView
Create hunting rule
INDICATOR_TOOL_ChromeCookiesView
Create hunting rule
Link:
https://www.unpac.me/results/9e85cda8-024a-4e17-90f3-fe9abb837c49/
Parent samples :
c1b33d9ce977f2a7c8577c0b88a45b5bd309f7cc73d5f68151d5d4e5aa10a523
7697bddee02bf680693692309514c70a8bb30c70131ba9decaeb9d14cae6e1c5
8c8b9aee1ff113dc4de14fd7e45d8d250c483ba9bfc558cc24bdf777bbaa176f
0f67f24f04c5b2b70ea17aff9311547cd51a7951c5701989ef821e41b47b0ea3
6597d0a917f2def35809cfcffd7c9098bc7e97eb62d35fb74486344208faf61a
660fbba89f4b2c211f4d6f2a83b270f7f72fed23a6fa59889e3bb40c3b157568
715bb47c2a60942db2cebe81a02e8a8e86b2e6cfc42bde9ed2f19e20b9dd4498
9ea62e79472c5ed05b81d2d98db61b28af2d8f1076b9055b853cd8a4c08f0415
3208513da212e3a87c66a370ff805cd8378bd981c2966e9aba5453d4763f2fa9
b3a49ed46957bea9b6fa46b6f67445bc6e8885ae200c811a4b038d939b369aac
b42e97c12a39ea8ce7d889b1487f497de27a49549467fa8dbf9d8ac9cca9e8cc
53ab4a93b93223968cf2e71ea8070ba2d7e1a9010d21d41e25100e2b6ab516d9
f76953c27b5c17dd1f1e7d1ee6d856d0060e6e37e16bcd7d32779c0790dd70ac
Malware family:
ChromePass
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b3a49ed46957/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b3a49ed46957bea9b6fa46b6f67445bc6e8885ae200c811a4b038d939b369aac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of MFA browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:Macos_Infostealer_Wallets_8e469ea0
Create hunting rule
Author:Elastic Security
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:nirsoft_v1
Create hunting rule
Author:RandomMalware
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DestinyStealer

Executable exe b3a49ed46957bea9b6fa46b6f67445bc6e8885ae200c811a4b038d939b369aac

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3617782/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/26129/

Comments