MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba86dcd8a3078ab0dc50bf933950702e511cc1ec9c811682c83aeb576f454a83. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 15

Intelligence 15 IOCs YARA 18 File information Comments

SHA256 hash:	ba86dcd8a3078ab0dc50bf933950702e511cc1ec9c811682c83aeb576f454a83
SHA3-384 hash:	c249a9d65b441b83c2a8c9d3fb5b1b2f0705da68eec2321af656b5d8f485817bafee4f7e2c0f924e84100e80dede054d
SHA1 hash:	453f69b62c8fcfe186c745e2d20372cedafc9707
MD5 hash:	6375d9aa2021cd6b42e6876aeed7d6f9
humanhash:	oranges-nebraska-utah-pasta
File name:	ba86dcd8a3078ab0dc50bf933950702e511cc1ec9c811682c83aeb576f454a83
Download:	download sample
Signature	Stealc Create hunting rule
File size:	50'849'792 bytes
First seen:	2026-05-14 11:47:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4029dc5ee830151a426fff64189bae0e (6 x Stealc, 2 x RedLineStealer, 1 x SVCStealer)
ssdeep	786432:weka+Ha0+3H2yUMotV3WGzG1U2J8Rc0Sgr8AmXYXkH4AAkSwYVEfSDzb8fJXFzRB:Mp6j3H2ykzK1wrvmYUYXVpSVzRBzs
Threatray	11 similar samples on MalwareBazaar
TLSH	T1B5B723D527BC20ADC4179E30CA895FF9E7D8BC43E9B858EB6B8204016F36CA5CC6552D
TrID	37.0% (.EXE) Win64 Executable (generic) (6522/11/2) 28.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 11.5% (.EXE) OS/2 Executable (generic) (2029/13) 11.3% (.EXE) Generic Win/DOS Executable (2002/3) 11.3% (.EXE) DOS Executable (generic) (2000/1)
Magika	pebin
dhash icon	b0cd8a8e92b2d4f8 (1 x Stealc)
Reporter	Threatray
Tags:	exe Remus Stealc

Intelligence

File Origin

# of uploads :

# of downloads :

113

Origin country :

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/ecb03a61-4a6c-452e-8332-674cdaf37f07/

Malware family:

amadey

ID:

File name:

xba86dcd8a3078ab0dc50bf933950702e511cc1ec9c811682c83aeb576f454a83.exe

Verdict:

Malicious activity

Analysis date:

2026-05-09 23:56:54 UTC

Tags:

stealc stealer auto-reg auto amadey botnet generic smoke loader auto-sch

Link:

https://app.any.run/tasks/b385f427-c1fd-44e5-9867-bc354c57acbc

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a05b6d746d6967b3d9043fd

Tags:

ransomware emotet virus remo

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %AppData% directory

Creating a process from a recently created file

Сreating synchronization primitives

Creating a file in the %temp% directory

Enabling the 'hidden' option for files in the %temp% directory

Creating a window

Creating a file

Enabling the 'hidden' option for recently created files

Sending a custom TCP request

Creating a service

Loading a system driver

Using the Windows Management Instrumentation requests

Creating a file in the %AppData% subdirectories

Searching for synchronization primitives

DNS request

Connection attempt

Sending an HTTP POST request

Connecting to a non-recommended domain

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Connection attempt to an infection source

Enabling autorun for a service

Blocking the Windows Defender launch

Blocking the Windows Security Center launch

Forced shutdown of a system process

Unauthorized injection to a system process

Sending an HTTP POST request to an infection source

Changing the hosts file

Enabling autorun by creating a file

Verdict:

Malicious

Labled as:

Win/malicious_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/ba86dcd8a3078ab0dc50bf933950702e511cc1ec9c811682c83aeb576f454a83

Verdict:

Malicious

File Type:

exe x64

First seen:

2026-05-03T06:22:00Z UTC

Last seen:

2026-05-06T09:50:00Z UTC

Hits:

~100

Link:

https://opentip.kaspersky.com/ba86dcd8a3078ab0dc50bf933950702e511cc1ec9c811682c83aeb576f454a83/results?tab=lookup

Score:

97%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ba86dcd8a3078ab0dc50bf933950702e511cc1ec9c811682c83aeb576f454a83

Gathering data

Verdict:

Malicious

Threat:

Family.STEALC

Link:

https://tip.neiki.dev/file/ba86dcd8a3078ab0dc50bf933950702e511cc1ec9c811682c83aeb576f454a83

Threat name:

Win64.Trojan.SvcStealer

Status:

Malicious

First seen:

2026-05-03 11:06:52 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

16 of 24 (66.67%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=xkdnzwfda6flbxcqx6jtsudqfzirzqpmtsarnawihlvvo32fjkbq._file

Verdict:

malicious

Label(s):

remus

stealc

fotloader

unc_clipper_003

Stealc

11e8084e7792e38c432e041b5b0e4341cbd21c97e050ab2739e77e7fe30d0d1b

Stealc

203858a2a480b9efc8e97209a38731941d985960eaa9fcf6045bb972f34b0761

Stealc

7836fcfb6c81e23437fb1b4e812099a945fe318e3dc41cb3ba81f9768c0d0db8

Stealc

b5a211c440628f225bd8268c466305f3012096ec84f5821ef8045ece50e3c1bc

Stealc

c865559a8dc200b297f365f1e233234319645f7a0278ceb223202c7eb9b1c12e

Stealc

+ 1 additional samples on MalwareBazaar

Gathering data

Malware family:

Stealc.v2

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ba86dcd8a307/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ba86dcd8a3078ab0dc50bf933950702e511cc1ec9c811682c83aeb576f454a83

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DemonNtdllHashes Create hunting rule
Author:	embee_research @ HuntressLabs

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender Create hunting rule
Author:	ditekSHen
Description:	Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM Create hunting rule
Author:	ditekSHen
Description:	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Rule name:	INDICATOR_SUSPICIOUS_ReflectiveLoader Create hunting rule
Author:	ditekSHen
Description:	Detects Reflective DLL injection artifacts

Rule name:	ReflectiveLoader Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:	Internal Research

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	telebot_framework Create hunting rule
Author:	vietdx.mb

Rule name:	TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE Create hunting rule
Author:	CYFARE
Description:	Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:	https://cyfare.net/

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

Rule name:	Windows_Trojan_CobaltStrike_f0b627fc Create hunting rule
Description:	Rule for beacon reflective loader

Rule name:	win_havoc_demon_ntdll_hashes Create hunting rule
Author:	embee_research @ HuntressLabs
Description:	Detection of havoc demons via hardcoded ntdll api hashes

Rule name:	win_havoc_ntdll_hashes_oct_2022 Create hunting rule
Author:	embee_research @ HuntressLabs
Description:	Detection of havoc demons via hardcoded ntdll api hashes

Rule name:	win_havoc_w0 Create hunting rule
Author:	embee_research @ HuntressLabs

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Link

https://x.com/ThreatrayLabs/status/2054882244641042902

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample