MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bad80b145550725bee88caa50d095c8fd8cf50ecc8d7d2bf532ac862a5d1d402. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 16

Intelligence 16 IOCs 1 YARA 7 File information Comments

SHA256 hash:	bad80b145550725bee88caa50d095c8fd8cf50ecc8d7d2bf532ac862a5d1d402
SHA3-384 hash:	fd1ce8bafa958f60a3aec444b0eaf163b87dcc7608e6e056c52249b67d04fc6627ba1526d4324160348c071c4dde68b3
SHA1 hash:	9793876737fccdc492f52dbbc0dea30e65236cbe
MD5 hash:	c4d24e19ade97cbaa572a32e4c90abf4
humanhash:	fruit-thirteen-tango-kilo
File name:	xbad80b145550725bee88caa50d095c8fd8cf50ecc8d7.exe
Download:	download sample
Signature	Stealc Create hunting rule
File size:	6'312'448 bytes
First seen:	2026-02-05 01:15:19 UTC
Last seen:	2026-02-05 02:23:45 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	2f70eb106e1135b4eeb96dee2b06a134 (1 x Stealc)
ssdeep	49152:7yxTOqc4zOGJ9l3IraB5wyoN+3zHCpj/bKtPtOr/TVz:oJJXQa4y/mpj/0Oz
Threatray	297 similar samples on MalwareBazaar
TLSH	T18256D081807E0760C270F03E5623356F17BB3FE64689D2EBE8E8DD439C5B858E959AD1
TrID	44.4% (.EXE) Win64 Executable (generic) (10522/11/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	abuse_ch
Tags:	exe Stealc

abuse_ch

Stealc C2:
http://198.251.89.171/e86b90f3097e4b27.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://198.251.89.171/e86b90f3097e4b27.php	https://threatfox.abuse.ch/ioc/1741345/

Intelligence

File Origin

# of uploads :

# of downloads :

124

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

xbad80b145550725bee88caa50d095c8fd8cf50ecc8d7d2bf532ac862a5d1d402.exe

Verdict:

Malicious activity

Analysis date:

2026-02-05 00:58:15 UTC

Tags:

stealer stealc

Link:

https://app.any.run/tasks/d6ac7de1-a5b0-454f-801e-876e3a569c79

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Stealc

Link:

https://www.capesandbox.com/analysis/51752/

Detection(s):

SecuriteInfo.com.Win64.MalwareX-gen.13861456.UNOFFICIAL

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6983eb268ce611733c0b155e

Tags:

vmdetect cobalt

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm fingerprint lumma microsoft_visual_cc unsafe

Link:

https://www.filescan.io/uploads/6983ef2f981ff1d38a4922de/reports/0c65a407-05d6-4889-99ea-b69d16748358/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/bad80b145550725bee88caa50d095c8fd8cf50ecc8d7d2bf532ac862a5d1d402

Verdict:

Malicious

File Type:

exe x64

First seen:

2026-02-04T12:26:00Z UTC

Last seen:

2026-02-04T18:18:00Z UTC

Hits:

~100

Detections:

Trojan-PSW.Win32.Lumma.aavp Backdoor.Win32.Agent.sb Trojan-PSW.Lumma.HTTP.C&C Trojan-PSW.Win64.StealC.sb Trojan-PSW.Win32.StealC.v2

Link:

https://opentip.kaspersky.com/bad80b145550725bee88caa50d095c8fd8cf50ecc8d7d2bf532ac862a5d1d402/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/b4d79164-cd58-47e6-b404-46111c641850

Result

Threat name:

Stealc v2

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1863660

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found malware configuration

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Suricata IDS alerts for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Stealc v2

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/bad80b145550725bee88caa50d095c8fd8cf50ecc8d7d2bf532ac862a5d1d402

Verdict:

inconclusive

YARA:

3 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/c4d24e19ade97cbaa572a32e4c90abf4

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bad80b145550725bee88caa50d095c8fd8cf50ecc8d7d2bf532ac862a5d1d402/

Verdict:

Malicious

Threat:

Family.STEALC

Link:

https://tip.neiki.dev/file/bad80b145550725bee88caa50d095c8fd8cf50ecc8d7d2bf532ac862a5d1d402

Threat name:

Win64.Trojan.StealC

Status:

Malicious

First seen:

2026-02-04 20:21:00 UTC

File Type:

PE+ (Exe)

AV detection:

14 of 24 (58.33%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=xlmawfcvkbzfx3uizksq2ck4r7mm6uhmzdl5fp2tflegfjor2qba._file

Verdict:

malicious

Label(s):

stealc

Stealc

423b1dbb76e3a758ea0af0729c743f37379be98e05e5cc5e79b9fa97b6c84e38

Stealc

45bb2eb22ca0fd45c6ccba8b069e155eb97cd938cd526e5d83e8c68a867c5891

Stealc

4d60481b15d3c0fe5f925a702fdf67b5efc016dc360407189f3d30429f205c31

Stealc

60d43ddff6cd33da3f52147994b29c4f9a993e8c1f32dba4c51b6667bcc4ef34

Stealc

79be87ad14b473f6ca727969014fa8cc27a8020200cf653096b6f77a0b331502

Stealc

9b5a5c4b0f2fbb96698f76bb460eaa61cd7d49ebb1323fb149b54988c80ed725

Stealc

a10e2a453eaf617ffed2ec5a5f33248a56bf81426a04a199fa468083ab5f5e34

Stealc

error

Stealc

+ 287 additional samples on MalwareBazaar

Result

Malware family:

stealc

Score:

10/10

Tags:

family:stealc botnet:f111 stealer

Link:

https://tria.ge/reports/260205-bmfs9scz8d/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Checks system information in the registry

Executes dropped EXE

Stealc

Stealc family

Malware Config

C2 Extraction:

http://198.251.89.171

Unpacked files

SH256 hash:

bad80b145550725bee88caa50d095c8fd8cf50ecc8d7d2bf532ac862a5d1d402

MD5 hash:

c4d24e19ade97cbaa572a32e4c90abf4

SHA1 hash:

9793876737fccdc492f52dbbc0dea30e65236cbe

Link:

https://www.unpac.me/results/7710512c-e979-46dd-9fbc-df28e306fdd4/

Malware family:

Stealc.v2

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/bad80b145550/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bad80b145550725bee88caa50d095c8fd8cf50ecc8d7d2bf532ac862a5d1d402

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__RemoteAPI Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/51752/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample