MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be5cc9d8fa9dfef9c57da9916a119424c8f5e8273fd5503e01c9fee733aae6da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VexxStealer


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: be5cc9d8fa9dfef9c57da9916a119424c8f5e8273fd5503e01c9fee733aae6da
SHA3-384 hash: d53c641c032d35efb57bb0ef9b115c188327877fcac0cabd6c001ebc9605642e4138df7b861f291126a2da48cce07f26
SHA1 hash: f76ed0da46447a3531cebb7e8fa4aab89a3fee99
MD5 hash: 01b32b487f01de9334715364fda91f5b
humanhash: moon-football-lamp-lactose
File name:PalamodSetup2.1.1.exe
Download: download sample
Signature VexxStealer
Create hunting rule
File size:89'084'312 bytes
First seen:2026-05-15 08:25:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (575 x GuLoader, 128 x RemcosRAT, 82 x EpsilonStealer)
ssdeep 1572864:nE+BWMFDe45k4cM06hDRVOzGyD1KWHsPKhwC8coHhdXmaXALwpD/M7rG:nlBFle45n7hDRVeBKQ5wvS4pmu
Threatray 952 similar samples on MalwareBazaar
TLSH T14D18337A5F96D84EC00635BB87E479B214E3B9921E22F03F735A81A894FCE32D534587
TrID 50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.5% (.EXE) Win64 Executable (generic) (6522/11/2)
8.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 28969696969696e8 (18 x GenesisStealer, 2 x MythStealer, 2 x VexxStealer)
Reporter burger
Tags:exe VexxStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
114
Origin country :
US US
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/281d1f59-2bb1-4db3-bdc1-1105d32089f3/
Malware family:
n/a
ID:
1
File name:
PalamodSetup2.1.1.exe
Verdict:
Malicious activity
Analysis date:
2026-05-15 08:25:15 UTC
Tags:
vexxstealer stealer generic evasion nodejs discord arch-doc
Link:
https://app.any.run/tasks/ee212c1b-da72-4029-9aa9-7bcd2f61e75c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a06d83b953bbcef1c9073a4
Tags:
obfuscate shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a window
Searching for the window
Searching for the Windows task manager window
Running batch commands
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Creating a file
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Changing a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug crypto evasive fingerprint installer installer installer-heuristic microsoft_visual_cc nsis packed reconnaissance
Link:
https://www.filescan.io/uploads/6a06d89886e92bda7031429e/reports/60c403dd-b521-402a-97a8-5e1252604b9d/overview
Verdict:
Malicious
Labled as:
Trojan.NSISDrp
Link:
https://www.hybrid-analysis.com/sample/be5cc9d8fa9dfef9c57da9916a119424c8f5e8273fd5503e01c9fee733aae6da
Result
Gathering data
Verdict:
Unknown
File Type:
exe x32
Link:
https://opentip.kaspersky.com/be5cc9d8fa9dfef9c57da9916a119424c8f5e8273fd5503e01c9fee733aae6da/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1913898
Signature
Drops large PE files
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Obfuscated command line found
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive system registry key value via command line tool
Sigma detected: Capture Wi-Fi password
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Suspicious powershell command line found
Tries to harvest and steal WLAN passwords
Unusual module load detection (module proxying)
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Uses WMIC command to query system information (often done to detect virtual machines)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1913898 Sample: PalamodSetup2.1.1.exe Startdate: 15/05/2026 Architecture: WINDOWS Score: 100 58 www.python.org 2->58 60 shed.dual-low.part-0012.t-0009.t-msedge.net 2->60 62 10 other IPs or domains 2->62 72 Sigma detected: Capture Wi-Fi password 2->72 74 Multi AV Scanner detection for submitted file 2->74 76 Sigma detected: Rare Remote Thread Creation By Uncommon Source Image 2->76 8 Palamod.exe 7 2->8         started        12 PalamodSetup2.1.1.exe 12 430 2->12         started        15 Palamod.exe 2->15         started        17 powershell.exe 2->17         started        signatures3 process4 dnsIp5 64 ip-api.com 208.95.112.1, 49701, 80 TUT-ASUS United States 8->64 66 api.vexxproject.org 45.138.16.182, 443, 49734 SPECTRAIPSpectraIPBVNL Netherlands 8->66 68 4 other IPs or domains 8->68 92 Suspicious powershell command line found 8->92 94 Obfuscated command line found 8->94 96 Tries to harvest and steal WLAN passwords 8->96 19 cmd.exe 8->19         started        22 cmd.exe 8->22         started        24 cmd.exe 8->24         started        28 93 other processes 8->28 50 C:\Users\user\AppData\Local\...\Palamod.exe, PE32+ 12->50 dropped 52 C:\Users\user\AppData\Local\...\nsis7z.dll, PE32 12->52 dropped 54 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 12->54 dropped 56 19 other files (none is malicious) 12->56 dropped 98 Drops large PE files 12->98 26 cmd.exe 1 12->26         started        100 Unusual module load detection (module proxying) 15->100 102 Uses WMIC command to query system information (often done to detect virtual machines) 15->102 file6 signatures7 process8 dnsIp9 78 Uses netsh to modify the Windows network and firewall settings 19->78 80 Uses ipconfig to lookup or modify the Windows network settings 19->80 82 Tries to harvest and steal WLAN passwords 19->82 84 Queries sensitive system registry key value via command line tool 19->84 44 2 other processes 19->44 31 powershell.exe 22->31         started        34 conhost.exe 22->34         started        46 2 other processes 24->46 36 conhost.exe 26->36         started        38 tasklist.exe 1 26->38         started        40 find.exe 1 26->40         started        70 chrome.cloudflare-dns.com 172.64.41.3, 443, 49696, 49697 CLOUDFLARENETUS United States 28->70 86 Maps a DLL or memory area into another process 28->86 88 Uses WMIC command to query system information (often done to detect virtual machines) 28->88 90 Loading BitLocker PowerShell Module 28->90 42 powershell.exe 28->42         started        48 109 other processes 28->48 signatures10 process11 signatures12 104 Loading BitLocker PowerShell Module 31->104 106 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 36->106 108 Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes) 36->108 110 Queries memory information (via WMI often done to detect virtual machines) 36->110
Score:
55%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/be5cc9d8fa9dfef9c57da9916a119424c8f5e8273fd5503e01c9fee733aae6da
Gathering data
Verdict:
Clean
Link:
https://tip.neiki.dev/file/be5cc9d8fa9dfef9c57da9916a119424c8f5e8273fd5503e01c9fee733aae6da
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xzomtwh2tx7ptrl5vgiwuemuetepl2bhh7kvapqbzh7oom5k43na._file
Verdict:
malicious
Label(s):
novablight
Create hunting rule
Similar samples:
080d71eaff2082b9c10ff0a2414ed2371eb0eb700b71f975de595d7bbc409590
VexxStealer
1715bffc46bace588a5015bcc089fcad4d9905d6c7ed8a51c4d2ff970f3fe692
VexxStealer
1b61cc90e7143f97f267c265858d0c0409b69a2ffec6cfed9c2a794981d756b1
VexxStealer
204b8a498705e97af6b7f050646bc3e9bb8609dc1cf8f57b5f7433e12b2e2319
VexxStealer
56eb6afd322ef89de23aac3f5b7247a8d0f0b2db508285967e1de242e6050af6
VexxStealer
86999ec14bdd085e1ec3acea4620d971369b928337f29169c941ffce276bf1c9
VexxStealer
b24994f3fc5e7fc858bb6acd2f1e5f1bbbf0dffe05282403bc63efce1756581c
VexxStealer
d7a86dadc15ebf5cc064a9d9b413093854c25fdb6b06d3710300fcf4ffc79519
VexxStealer
dbe6483c3fa475ac6ec6cf2b981ec08a5617093568ef1b04575c129013af6908
VexxStealer
ef591a22899653a15acd0c3f303d8659d7022df02681148891dcd153a8a5a317
VexxStealer
error
VexxStealer
+ 942 additional samples on MalwareBazaar
Gathering data
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments