MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c69ff8d9dc55e9ea03bd12ba21d07e0a5f251e44d79a0d1282aec507b8a78e4c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 17


Intelligence 17 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c69ff8d9dc55e9ea03bd12ba21d07e0a5f251e44d79a0d1282aec507b8a78e4c
SHA3-384 hash: 8732c1b0be7ec6f982038e5a3ca77d3e2eaa6a1a2e6e790a97bebd6574c48e0fff0d9644aa389a82e04b0a1b27deb9b2
SHA1 hash: a7653b515471ccf0a03ba1cf76049ba477cc0c1c
MD5 hash: 1c092a8eb30f3c606c6271d250bbcd60
humanhash: west-moon-king-diet
File name:1C092A8EB30F3C606C6271D250BBCD60.exe
Download: download sample
Signature Stealc
Create hunting rule
File size:46'592 bytes
First seen:2026-02-09 15:10:35 UTC
Last seen:2026-02-09 16:33:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'002 x AgentTesla, 19'907 x Formbook, 12'332 x SnakeKeylogger)
ssdeep 768:uoyGst+PMAcgEKrjJSP2Ew3Nfy+hw+QKOq9j0nLrLBSMB7:CXxKrjJSP2EwdK+h3VJ9jdMB7
Threatray 133 similar samples on MalwareBazaar
TLSH T1B4234A05C6149EB2C67F53319C87981597A46B216B352A0EB0CD6E9E3FB5361CFC02FA
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 84b4e0e870fce470 (3 x RedLineStealer, 1 x DCRat, 1 x Smoke Loader)
Reporter abuse_ch
Tags:exe Stealc


Avatar
abuse_ch
Stealc C2:
http://159.198.75.187/d076201aa1664664.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://159.198.75.187/d076201aa1664664.php https://threatfox.abuse.ch/ioc/1743849/

Intelligence

File Origin
# of uploads :
3
# of downloads :
165
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Malware family:
netsupport
Create hunting rule
ID:
1
File name:
https://drive.google.com/open?id=1Ym0UNC6V3XtI_CudDj2y7yl-9fEG3sCL
Verdict:
Malicious activity
Analysis date:
2026-02-06 01:17:16 UTC
Tags:
webdav loader auto generic netsupport rat blindeagle apt python rmm-tool remote nuitka purehvnc netreactor pyinstaller tool powershell upx
Link:
https://app.any.run/tasks/21c90593-571c-40c8-87b0-0931be849dca

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/52804/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6989f91342fd65534ccdeb66
Tags:
obfuscate xtreme shell
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 cscript lolbin powershell zusy
Link:
https://www.filescan.io/uploads/6989f911930564ff3c947497/reports/383558ff-eea5-4f92-bfaf-b539cbc769ae/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/c69ff8d9dc55e9ea03bd12ba21d07e0a5f251e44d79a0d1282aec507b8a78e4c
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-02-06T20:20:00Z UTC
Last seen:
2026-02-11T02:36:00Z UTC
Hits:
~10
Detections:
Trojan-PSW.Lumma.HTTP.C&C Trojan.Agentb.TCP.C&C HEUR:Trojan.MSIL.Alien.gen Trojan.JS.SAgent.sb Trojan-Downloader.SLoad.TCP.ServerRequest Trojan-Downloader.Agent.HTTP.ServerRequest Trojan-Downloader.PowerShell.NanoShield.sb Trojan-Banker.Script.Emotet.sb HEUR:Trojan.Script.Generic
Link:
https://opentip.kaspersky.com/c69ff8d9dc55e9ea03bd12ba21d07e0a5f251e44d79a0d1282aec507b8a78e4c/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/85578c53-6c1e-4a43-bfc8-389817aae7ae
Result
Threat name:
Stealc v2
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1866168
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected Powershell decode and execute
Yara detected Stealc v2
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1866168 Sample: EpShjT17P4.exe Startdate: 09/02/2026 Architecture: WINDOWS Score: 100 32 Suricata IDS alerts for network traffic 2->32 34 Found malware configuration 2->34 36 Malicious sample detected (through community Yara rule) 2->36 38 11 other signatures 2->38 8 EpShjT17P4.exe 2 2->8         started        process3 file4 26 C:\Users\user\AppData\...pShjT17P4.exe.log, CSV 8->26 dropped 11 cscript.exe 2 8->11         started        process5 signatures6 42 Suspicious powershell command line found 11->42 14 powershell.exe 14 15 11->14         started        18 conhost.exe 11->18         started        process7 dnsIp8 30 196.251.107.12, 49717, 80 ANGANI-ASKE Seychelles 14->30 44 Writes to foreign memory regions 14->44 46 Suspicious execution chain found 14->46 48 Injects a PE file into a foreign processes 14->48 20 RegAsm.exe 12 14->20         started        24 conhost.exe 14->24         started        signatures9 process10 dnsIp11 28 159.198.75.187, 49718, 80 CAT-IDC-4BYTENET-AS-APCATTELECOMPublicCompanyLtdCATT United States 20->28 40 Unusual module load detection (module proxying) 20->40 signatures12
Score:
92%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c69ff8d9dc55e9ea03bd12ba21d07e0a5f251e44d79a0d1282aec507b8a78e4c
Verdict:
Malware
YARA:
11 match(es)
Tags:
.Net DeObfuscated Executable Managed .NET Obfuscated PE (Portable Executable) PE File Layout SOS: 0.00 T1059.005 VBScript Win 32 Exe WScript.Network wscript.shell x86
Link:
https://app.malva.re/file/1c092a8eb30f3c606c6271d250bbcd60
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c69ff8d9dc55e9ea03bd12ba21d07e0a5f251e44d79a0d1282aec507b8a78e4c/
Verdict:
Malicious
Threat:
Family.REVERSELOADER
Link:
https://tip.neiki.dev/file/c69ff8d9dc55e9ea03bd12ba21d07e0a5f251e44d79a0d1282aec507b8a78e4c
Threat name:
Win32.Infostealer.Tinba
Create hunting rule
Status:
Malicious
First seen:
2026-02-07 01:05:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
17 of 36 (47.22%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=y2p7rwo4kxu6ua55ck5cdud6bjpskhse26na2eucv3cqpofhrzga._file
Verdict:
malicious
Label(s):
stealc
Create hunting rule
Similar samples:
28df48dc92fe19a9d0948e31cc86c97157034b1e314a75f2294c0ea4f34548a6
Stealc
312ff53f4264561e0c409d76e073835d9058c824736eb8b36545703a9181a1da
Stealc
40270000aee777f2e04221195bfbf5cec694bd0e54df1897cbc4b16f640cbff0
Stealc
83f96ebb903ce23ef34f3ad69ae98686d69153b3ca58baa197d728d63a14fc27
Stealc
aeefae9a5162091ca000675cf8397bb7f4abc2e2589e6e2ae1f9f414c6a70bca
Stealc
b088d3e9e702436becd70c5bb63a62ecee92fda8a5e7177fe448dff0640bb3e1
Stealc
de0e5d92c8315b68338c60c01187cd7417f087bd64de4edfc4bf0bde605a5787
Stealc
e49c36c3b9de82ab0dfc8e3410d0389de54b21b535f972c81fe289998b52cde3
Stealc
error
Stealc
+ 123 additional samples on MalwareBazaar
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:stealc botnet:financial2025 discovery execution stealer
Link:
https://tria.ge/reports/260209-skpf3aaw3a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Badlisted process makes network request
Stealc
Stealc family
Malware Config
C2 Extraction:
http://159.198.75.187
Unpacked files
SH256 hash:
c69ff8d9dc55e9ea03bd12ba21d07e0a5f251e44d79a0d1282aec507b8a78e4c
MD5 hash:
1c092a8eb30f3c606c6271d250bbcd60
SHA1 hash:
a7653b515471ccf0a03ba1cf76049ba477cc0c1c
Link:
https://www.unpac.me/results/2b548768-801d-48c0-a9bc-b09b3e152472/
Malware family:
Stealc.v2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c69ff8d9dc55/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c69ff8d9dc55e9ea03bd12ba21d07e0a5f251e44d79a0d1282aec507b8a78e4c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_PS1_JAB_Pattern_Jun22_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/52804/

Comments