MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b9ef7c7010bfa79f4503d0ed22942772defe68630291ebb786bf8284e451cf85. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 14


Intelligence 14 IOCs YARA 19 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b9ef7c7010bfa79f4503d0ed22942772defe68630291ebb786bf8284e451cf85
SHA3-384 hash: 6db56c58b0146ad9c070591046740fcb61fe5144caaab27b0abf8b77227eaef6a9222f14384a8778842e5d9b6b8fada9
SHA1 hash: 7019c8b4d550ae504532ae9d5e9eb27a832f5d9d
MD5 hash: 16f2158c708cc886b2a28aed2bf31179
humanhash: sodium-neptune-two-saturn
File name:file
Download: download sample
Signature Stealc
Create hunting rule
File size:12'561'024 bytes
First seen:2026-01-13 20:05:24 UTC
Last seen:2026-01-14 22:34:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d42595b695fc008ef2c56aabd8efd68e (155 x Vidar, 92 x Rhadamanthys, 74 x Stealc)
ssdeep 49152:AoY0Fqbz/OpdF3munP+IbAg9gJKwf2drq8MANplWLZfKrKlvAe16OKP2eN0bKpQP:AlRmF3myaYrqSNplmVKm1vt
Threatray 50 similar samples on MalwareBazaar
TLSH T1E6C65CD2ED508767D69BA33ADCA2524E2230F045033524D7BA9437A55D2BBC8173BB2F
TrID 37.3% (.EXE) Win64 Executable (generic) (10522/11/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.9% (.EXE) Win32 Executable (generic) (4504/4/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter Bitsight
Tags:a dropped-by-gcleaner exe signed Stealc TWO.file

Code Signing Certificate

Organisation:ware.com
Issuer:WE1
Algorithm:sha256WithRSAEncryption
Valid from:2026-01-11T22:11:44Z
Valid to:2026-04-11T23:11:41Z
Serial number: ca8d556c3b39f64313dda18de5a517c8
Intelligence: 10 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 134a3f5ffb069cd40363fe874705a639233286c10ca79ab3b003a83c91660677
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
Bitsight
url: http://194.38.20.224/service

Intelligence

File Origin
# of uploads :
20
# of downloads :
164
Origin country :
US US
Vendor Threat Intelligence
Malware configuration found for:
Going Stealc
Details
Going
a sub-decoded component
Stealc
decrypted strings, an RC4 key, c2 url, and url paths
Link:
https://research.acce.ciphertechsolutions.com/results/fd1e20d2-36f3-4b04-a508-6602cc66276d/
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2026-01-13 20:07:35 UTC
Tags:
stealer stealc
Link:
https://app.any.run/tasks/3a823e8f-34ea-42bb-93f1-c14c68d9a52a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Stealc
Create hunting rule
Link:
https://www.capesandbox.com/analysis/48816/
Detection(s):
SecuriteInfo.com.Spam-104324.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6966a59657243ef151ccfe48
Tags:
n/a
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
adaptive-context anti-vm crypt crypto golang signed
Link:
https://www.filescan.io/uploads/6966a58fb5214ecba5eede8b/reports/cfee671c-4895-4527-8957-110f33d19d09/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/b9ef7c7010bfa79f4503d0ed22942772defe68630291ebb786bf8284e451cf85
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-01-13T15:20:00Z UTC
Last seen:
2026-01-14T17:51:00Z UTC
Hits:
~100
Detections:
HEUR:Trojan-PSW.Win64.Agent.gen Trojan-PSW.Win64.StealC.sb Trojan-PSW.Win32.Lumma.aael Trojan-PSW.Lumma.HTTP.C&C Trojan.Win64.Agent.sb Trojan.Win32.Inject.sb Trojan.MSIL.Agent.sb Trojan-PSW.Win32.StealC.v2
Link:
https://opentip.kaspersky.com/b9ef7c7010bfa79f4503d0ed22942772defe68630291ebb786bf8284e451cf85/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/256a5fe9-60f4-4019-8896-ba94ac9fb120
Score:
38%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/b9ef7c7010bfa79f4503d0ed22942772defe68630291ebb786bf8284e451cf85
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b9ef7c7010bfa79f4503d0ed22942772defe68630291ebb786bf8284e451cf85/
Verdict:
Malicious
Threat:
Family.STEALC
Link:
https://tip.neiki.dev/file/b9ef7c7010bfa79f4503d0ed22942772defe68630291ebb786bf8284e451cf85
Threat name:
Win64.Spyware.Stealc
Create hunting rule
Status:
Suspicious
First seen:
2026-01-13 20:06:31 UTC
File Type:
PE+ (Exe)
AV detection:
16 of 38 (42.11%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xhxxy4aqx6tz6rid2dwsffbholpp42ddaki6xn4gx6bijzcrz6cq._file
Verdict:
malicious
Label(s):
stealc
Create hunting rule
Similar samples:
01777810e2b9edaa543fb7be8a238a442cb070cc4838b5a1263ffba65d7e1845
Stealc
40270000aee777f2e04221195bfbf5cec694bd0e54df1897cbc4b16f640cbff0
Stealc
5cc5e2d2a89be652f7389dd7fe1d824b0f85c078e45f56ff70f8df5515500248
Stealc
b7bbc5e217162c0d2a5799c78b105037e0707de7eda04a0103a1161d8d604102
Stealc
cc6f6e9ed69008189ddbd378fd9abb42e97b9df516a5dde7cd2827c0f168dd3e
Stealc
de1e5a910f9c946c10a912236cd51f12e1d7cc3c280552853059560bc787c309
Stealc
e6b7c61c1ec82a05ea4859320d88f2050ec5097a5f70b419ebdfe257fe4845ac
Stealc
error
Stealc
+ 40 additional samples on MalwareBazaar
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:stealc botnet:wwjkefmvf discovery spyware stealer
Link:
https://tria.ge/reports/260113-yt46rshx5d/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Stealc
Stealc family
Malware Config
C2 Extraction:
http://45.93.20.34
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/79894ffd-cf01-4539-a525-4c546f50eed4
Unpacked files
SH256 hash:
b9ef7c7010bfa79f4503d0ed22942772defe68630291ebb786bf8284e451cf85
MD5 hash:
16f2158c708cc886b2a28aed2bf31179
SHA1 hash:
7019c8b4d550ae504532ae9d5e9eb27a832f5d9d
Link:
https://www.unpac.me/results/63f92df1-5195-4718-a7d3-1f5988c9fa2b/
Malware family:
Stealc.v2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b9ef7c7010bf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/b9ef7c7010bfa79f4503d0ed22942772defe68630291ebb786bf8284e451cf85

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:dependsonpythonailib
Create hunting rule
Author:Tim Brown
Description:Hunts for dependencies on Python AI libraries
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:golang_duffcopy_amd64
Create hunting rule
Rule name:Golang_Find_CSC846
Create hunting rule
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:Golang_Find_CSC846_Simple
Create hunting rule
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Suspicious_Golang_Binary
Create hunting rule
Author:Tim Machac
Description:Triage: Golang-compiled binary with suspicious OS/persistence/network strings (not family-specific)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe b9ef7c7010bfa79f4503d0ed22942772defe68630291ebb786bf8284e451cf85

(this sample)

  
Dropped by
Gcleaner
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/48816/

Comments