MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8d9821a478f1a377095867aeb2038c464cc59ed31a4c7413ff768f2e14d3886. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b8d9821a478f1a377095867aeb2038c464cc59ed31a4c7413ff768f2e14d3886
SHA3-384 hash: de96341e37b58a0a67ab610fb23c014ac73cb1a17d60d40d489144005061729ba2b02d178e41ca12a7bc5f3c698d7c4c
SHA1 hash: 090c5fce1d0e6aad7e65e84c0c1f7ab587dea032
MD5 hash: a523e35e4b9e94da90b548ad187a16e8
humanhash: burger-cup-avocado-equal
File name:script.ps1
Download: download sample
Signature Stealc
Create hunting rule
File size:2'681 bytes
First seen:2025-05-03 17:44:01 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 48:i+cvMDGw6JzefP/DKaR51P3eq1P3U7Rg8cakzVIqlmWBNgSG3WpuH38eH8CDySzJ:AecJzefDLRbPOsPkn9khI8mINnG3wy8E
Threatray 22 similar samples on MalwareBazaar
TLSH T1AF5146057925D33889FD17698F8594A4DB2F153F42391910F3AC8A143F302B98B7AFEA
Magika powershell
Reporter JaffaCakes118
Tags:ps1 Stealc

Intelligence

File Origin
# of uploads :
1
# of downloads :
158
Origin country :
GB GB
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Script.SNH-gen.1744.29528.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67fd465f1dba888a93d3bcc5
Tags:
ransomware dropper spawn
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 dropper obfuscated packed persistence
Link:
https://www.filescan.io/uploads/681655f70b64e174c415f83e/reports/9c4e31f6-6151-4c1f-bde8-bd62c8a0ee45/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/b8d9821a478f1a377095867aeb2038c464cc59ed31a4c7413ff768f2e14d3886
Result
Threat name:
Stealc v2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1680625
Signature
AI detected malicious Powershell script
Allocates memory in foreign processes
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates autostart registry keys with suspicious values (likely registry only malware)
Early bird code injection technique detected
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queues an APC in another process (thread injection)
Sample uses string decryption to hide its real strings
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Stealc v2
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1680625 Sample: script.ps1 Startdate: 03/05/2025 Architecture: WINDOWS Score: 100 53 amssh.co 2->53 89 Found malware configuration 2->89 91 Malicious sample detected (through community Yara rule) 2->91 93 Antivirus detection for URL or domain 2->93 95 8 other signatures 2->95 9 powershell.exe 16 35 2->9         started        14 powershell.exe 14 30 2->14         started        16 powershell.exe 2->16         started        signatures3 process4 dnsIp5 55 amssh.co 91.92.46.219, 443, 49715, 49723 TELECOMASET-ASBG Bulgaria 9->55 45 C:\Users\user\AppData\Local\...\updater.exe, PE32+ 9->45 dropped 47 C:\Users\user\AppData\...\WindowsUpdate.ps1, ASCII 9->47 dropped 97 Found many strings related to Crypto-Wallets (likely being stolen) 9->97 99 Creates autostart registry keys with suspicious values (likely registry only malware) 9->99 101 Found suspicious powershell code related to unpacking or dynamic code loading 9->101 18 updater.exe 9->18         started        21 conhost.exe 9->21         started        49 C:\Users\user\AppData\Local\...\updater.exe, PE32+ 14->49 dropped 103 Loading BitLocker PowerShell Module 14->103 105 Powershell drops PE file 14->105 23 updater.exe 14->23         started        25 conhost.exe 14->25         started        51 C:\Users\user\AppData\Local\...\updater.exe, PE32+ 16->51 dropped 27 updater.exe 16->27         started        29 conhost.exe 16->29         started        file6 signatures7 process8 signatures9 75 Multi AV Scanner detection for dropped file 18->75 77 Hijacks the control flow in another process 18->77 79 Found API chain indicative of debugger detection 18->79 81 Contains functionality to inject code into remote processes 18->81 31 updater.exe 18 18->31         started        83 Modifies the context of a thread in another process (thread injection) 23->83 85 Found evasive API chain (may stop execution after checking locale) 23->85 87 Injects a PE file into a foreign processes 23->87 35 updater.exe 18 23->35         started        37 updater.exe 27->37         started        process10 dnsIp11 57 91.92.46.70, 49716, 49725, 49729 TELECOMASET-ASBG Bulgaria 31->57 59 Early bird code injection technique detected 31->59 61 Found many strings related to Crypto-Wallets (likely being stolen) 31->61 63 Writes to foreign memory regions 31->63 65 Queues an APC in another process (thread injection) 31->65 39 chrome.exe 31->39         started        67 Allocates memory in foreign processes 35->67 69 Tries to steal Crypto Currency Wallets 35->69 71 Injects a PE file into a foreign processes 35->71 41 chrome.exe 35->41         started        73 Tries to harvest and steal browser information (history, passwords, etc) 37->73 43 chrome.exe 37->43         started        signatures12 process13
Score:
94%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/b8d9821a478f1a377095867aeb2038c464cc59ed31a4c7413ff768f2e14d3886
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b8d9821a478f1a377095867aeb2038c464cc59ed31a4c7413ff768f2e14d3886/
Threat name:
Script-PowerShell.Trojan.Vidar
Create hunting rule
Status:
Malicious
First seen:
2025-04-13 13:41:43 UTC
File Type:
Text (PowerShell)
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xdmyegshr4ndo4evqz5owibyyrsmywpnggsmoqj765upfyknhcda._file
Verdict:
malicious
Label(s):
stealc
Create hunting rule
Similar samples:
2c3066d84a1942c8a7d0873d6863e47b73dca05a07283e52e567533447a7afc9
Stealc
4dfc09bfab1e813c8122d6f8c3d83966346fe676464497ce100e8c385fe5e5f9
Stealc
629d83659df3e1aaa04b6c296a3cf8e2248033e9d1ff422e350453d77cb2a5f0
Stealc
a26095cf5fff9a7ec04c3fd3fb60372f38f3dc300addf4983e0ce4f7490ef7b2
Stealc
b86abdfbad86c5faaa00aeb30fad083c237160377227cad9ad22cc2fd4daa6da
Stealc
d5355c5bddacdf20377d6cc75766ccb25199724c382be1b9b29d4adb0ee97972
Stealc
error
Stealc
fcc3edcd526b0c746998d72af8ce9cc29b0bd801f767078cc472f93d57eee9ef
Stealc
+ 12 additional samples on MalwareBazaar
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:stealc botnet:main defense_evasion execution persistence stealer
Link:
https://tria.ge/reports/250503-wbbemaxwaz/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Hide Artifacts: Hidden Window
Executes dropped EXE
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Stealc
Stealc family
Malware Config
C2 Extraction:
91.92.46.70
Dropper Extraction:
https://amssh.co/file.exe
https://amssh.co/script.ps1
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b8d9821a478f1a377095867aeb2038c464cc59ed31a4c7413ff768f2e14d3886

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:SUSP_PowerShell_Base64_Decode
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects PowerShell code to decode Base64 data. This can yield many FP

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

PowerShell (PS) ps1 b8d9821a478f1a377095867aeb2038c464cc59ed31a4c7413ff768f2e14d3886

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3492949/

Comments