MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ccecedc198d957c06665e05f3f63fefb2bf8d4a2a583ec976b5924345b84c582. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 19


Intelligence 19 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ccecedc198d957c06665e05f3f63fefb2bf8d4a2a583ec976b5924345b84c582
SHA3-384 hash: ab4185bf8c87fb13cd4f8b64fd9d3e820af8c01b040432b4b7012d47546e9df50e6ab008ed3d2ee1f18e7f36ae1898a4
SHA1 hash: 3ee0ad149b36c201d491c7153275a6dce427956f
MD5 hash: f3aeeddfb83449a97700da353e158436
humanhash: ten-uncle-wisconsin-robert
File name:f3aeeddfb83449a97700da353e158436.exe
Download: download sample
Signature Stealc
Create hunting rule
File size:753'152 bytes
First seen:2026-01-16 16:08:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash baedab261d9b0ee2285b2ff329a5eaec (19 x Stealc)
ssdeep 12288:aU8VHX4ZPBuvzkOkW7UE+YTRqwJ40jTv3YZtF15kjHKA:gVH6BuvbkW7xXVVmSr3UA
Threatray 222 similar samples on MalwareBazaar
TLSH T127F48D5AE7A502F8D0BBC178CE424553EBB2B8055770978F03E15AA61F376A05F3EB12
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe Stealc

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
SE SE
Vendor Threat Intelligence
Malware configuration found for:
Stealc
Details
Stealc
decrypted strings, an RC4 key, c2 url, and url paths
Link:
https://research.acce.ciphertechsolutions.com/results/fe0d4913-1fa6-4f47-8d99-e1c142998a50/
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
https://rdmfile.eu/install/FNzpWqmJ6jjn
Verdict:
Malicious activity
Analysis date:
2026-01-15 18:06:00 UTC
Tags:
stealer stealc auto xworm rat loader arch-doc asyncrat remote
Link:
https://app.any.run/tasks/7ea5f462-3f7f-4d7d-bdcf-5ce000931980

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Stealc
Create hunting rule
Link:
https://www.capesandbox.com/analysis/49093/
Detection(s):
Win.Malware.Marte-10045369-0
Create hunting rule

Win.Malware.Generickdz-10058619-0
Create hunting rule

ditekSHen.INDICATOR.Packed.TriumphLoader.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=696a5aed57243ef151cd94f8
Tags:
shellcode packed virus
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug base64 cmd fingerprint lolbin microsoft_visual_cc stealc swrort
Link:
https://www.filescan.io/uploads/696a627e584f1963ad5755a6/reports/321fd81b-0610-4f6d-8b02-067bc5edd26e/overview
Verdict:
Malicious
Labled as:
Shellcode.Loader.Marte.X.Generic
Link:
https://www.hybrid-analysis.com/sample/ccecedc198d957c06665e05f3f63fefb2bf8d4a2a583ec976b5924345b84c582
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-01-15T13:11:00Z UTC
Last seen:
2026-01-17T10:58:00Z UTC
Hits:
~100
Detections:
Trojan-PSW.Win32.StealC.v2 VHO:Trojan-PSW.Win32.StealC.gen VHO:Trojan-PSW.Win32.Convagent.gen Trojan-PSW.Lumma.HTTP.C&C PDM:Trojan.Win32.Generic Trojan-PSW.Win64.StealC.sb
Link:
https://opentip.kaspersky.com/ccecedc198d957c06665e05f3f63fefb2bf8d4a2a583ec976b5924345b84c582/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/620c614d-32a5-4fe7-9a1a-a1cc7cd67a2f
Result
Threat name:
AsyncRAT, Stealc v2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1852120
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Early bird code injection technique detected
Found API chain indicative of debugger detection
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected Stealc v2
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1852120 Sample: ysvfSL11hy.exe Startdate: 16/01/2026 Architecture: WINDOWS Score: 100 92 Suricata IDS alerts for network traffic 2->92 94 Found malware configuration 2->94 96 Malicious sample detected (through community Yara rule) 2->96 98 10 other signatures 2->98 10 ysvfSL11hy.exe 24 2->10         started        15 elevation_service.exe 2->15         started        17 elevation_service.exe 2->17         started        19 3 other processes 2->19 process3 dnsIp4 86 62.60.226.159, 49697, 80 ASLINE-AS-APASLINELIMITEDHK Iran (ISLAMIC Republic Of) 10->86 88 196.251.107.23, 49681, 49694, 49696 ANGANI-ASKE Seychelles 10->88 66 C:\Users\user\AppData\...\xNSFooNXfXt3.exe, PE32 10->66 dropped 68 C:\Users\...\Polarised_97.74.8_INSTALL[1].exe, PE32 10->68 dropped 70 grid-enabled_7888....8.91_INSTALL[1].exe, PE32 10->70 dropped 72 C:\Users\user\AppData\...\9xbq6uQZW6kF.exe, PE32 10->72 dropped 102 Early bird code injection technique detected 10->102 104 Found many strings related to Crypto-Wallets (likely being stolen) 10->104 106 Found API chain indicative of debugger detection 10->106 108 7 other signatures 10->108 21 9xbq6uQZW6kF.exe 2 10->21         started        25 xNSFooNXfXt3.exe 2 10->25         started        27 msedge.exe 10->27         started        29 5 other processes 10->29 file5 signatures6 process7 file8 54 C:\Users\user\AppData\...\9xbq6uQZW6kF.tmp, PE32 21->54 dropped 100 Multi AV Scanner detection for dropped file 21->100 31 9xbq6uQZW6kF.tmp 3 5 21->31         started        56 C:\Users\user\AppData\...\xNSFooNXfXt3.tmp, PE32 25->56 dropped 34 xNSFooNXfXt3.tmp 5 19 25->34         started        signatures9 process10 file11 74 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 31->74 dropped 76 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 31->76 dropped 36 9xbq6uQZW6kF.exe 2 31->36         started        78 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 34->78 dropped 80 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 34->80 dropped 82 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 34->82 dropped 84 12 other malicious files 34->84 dropped 39 cmd.exe 34->39         started        process12 file13 52 C:\Users\user\AppData\...\9xbq6uQZW6kF.tmp, PE32 36->52 dropped 41 9xbq6uQZW6kF.tmp 5 10 36->41         started        44 FnHotkeyUtility.exe 39->44         started        47 conhost.exe 39->47         started        process14 file15 58 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 41->58 dropped 60 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 41->60 dropped 62 C:\ProgramData\...\vcruntime140.dll (copy), PE32 41->62 dropped 64 9 other malicious files 41->64 dropped 49 eServiceHost.exe 41->49         started        110 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 44->110 signatures16 process17 signatures18 90 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 49->90
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ccecedc198d957c06665e05f3f63fefb2bf8d4a2a583ec976b5924345b84c582
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ccecedc198d957c06665e05f3f63fefb2bf8d4a2a583ec976b5924345b84c582/
Verdict:
Malicious
Threat:
Family.STEALC
Link:
https://tip.neiki.dev/file/ccecedc198d957c06665e05f3f63fefb2bf8d4a2a583ec976b5924345b84c582
Threat name:
Win64.Trojan.StealC
Create hunting rule
Status:
Malicious
First seen:
2026-01-15 15:46:20 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
25 of 36 (69.44%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ztwo3qmy3fl4aztf4bpt6y767mv7rvfcuwb6zf3llesdiw4eywba._file
Verdict:
malicious
Label(s):
stealc
Create hunting rule
Similar samples:
326c02eabd6a78785cb5b2a906b75ffa2ae1980f7991ee812310c7d38ab90010
Stealc
423b1dbb76e3a758ea0af0729c743f37379be98e05e5cc5e79b9fa97b6c84e38
Stealc
45bb2eb22ca0fd45c6ccba8b069e155eb97cd938cd526e5d83e8c68a867c5891
Stealc
60d43ddff6cd33da3f52147994b29c4f9a993e8c1f32dba4c51b6667bcc4ef34
Stealc
65170a027c2050be22fc06e635694d410f2a4afe0c38bf3787d283a564f9ef95
Stealc
a3a0322ac654a42a0883f23b01e19a6dd6586b099d124d9421e1c81de1317cc7
Stealc
dde0d05aa7f0843b643d6168f71881a7e7e4f0fa747ce6c09c25791ae60d30a9
Stealc
+ 212 additional samples on MalwareBazaar
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:stealc botnet:crypted botnet:default discovery execution installer persistence rat spyware stealer upx
Link:
https://tria.ge/reports/260116-tlf2rahv5h/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Checks SCSI registry key(s)
Checks processor information in registry
Inno Setup is an open-source installation builder for Windows applications.
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Command and Scripting Interpreter: PowerShell
Drops file in System32 directory
Suspicious use of SetThreadContext
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
ACProtect 1.3x - 1.4x DLL software
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Async RAT payload
AsyncRat
Asyncrat family
Stealc
Stealc family
Malware Config
C2 Extraction:
http://196.251.107.23
196.251.107.104:6606
196.251.107.104:7707
196.251.107.104:8808
Verdict:
Malicious
Tags:
Win.Malware.Marte-10045369-0
YARA:
n/a
Link:
https://app.threat.zone/submission/3402765b-7dae-4531-9d6e-f7a6146adf12
Unpacked files
SH256 hash:
ccecedc198d957c06665e05f3f63fefb2bf8d4a2a583ec976b5924345b84c582
MD5 hash:
f3aeeddfb83449a97700da353e158436
SHA1 hash:
3ee0ad149b36c201d491c7153275a6dce427956f
Detections:
win_stealc_auto
Create hunting rule
Link:
https://www.unpac.me/results/7aaf31a8-429f-473a-8077-dd1e4c8bb94f/
SH256 hash:
a66055a1590c0531819a987b2b6e648e04e9611be34b172eeecfcc2b0f3a8b83
MD5 hash:
7d35d6a446d95fe0b0bccbfa03d73a1e
SHA1 hash:
bdc371c1cb59d1aeee486744985391b86deab09d
Detections:
win_stealc_auto
Create hunting rule
Link:
https://www.unpac.me/results/7aaf31a8-429f-473a-8077-dd1e4c8bb94f/
Parent samples :
1d8cc65d36b53e94dff26e579d690b5a788393c96026a8689657de510ada2b81
dde0d05aa7f0843b643d6168f71881a7e7e4f0fa747ce6c09c25791ae60d30a9
c92d3b7961692f031863195786b6dbd7daff071635fc4622be6d50d6970ac531
83f96ebb903ce23ef34f3ad69ae98686d69153b3ca58baa197d728d63a14fc27
b554667949dc3847c3f04642b6c7b8d24948b72d5d3f0ee4ac656aa34a3dc8ed
26a730271fc63e71097339ae35df04983b59f8323136bd28e5dc58f1f5c2f64a
de0e5d92c8315b68338c60c01187cd7417f087bd64de4edfc4bf0bde605a5787
ccecedc198d957c06665e05f3f63fefb2bf8d4a2a583ec976b5924345b84c582
9b5a5c4b0f2fbb96698f76bb460eaa61cd7d49ebb1323fb149b54988c80ed725
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ccecedc198d957c06665e05f3f63fefb2bf8d4a2a583ec976b5924345b84c582

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Heuristics_ChromeABE
Create hunting rule
Author:Still
Description:attempts to match instructions related to Chrome App-bound Encryption elevation service; possibly spotted amongst infostealers
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:StealcV2
Create hunting rule
Author:Still
Description:attempts to match the instructions found in StealcV2
Rule name:StealcV2
Create hunting rule
Author:kevoreilly
Description:Stealc V2 Payload
Rule name:Windows_Trojan_Stealc_41db1d4d
Create hunting rule
Author:Elastic Security
Rule name:win_stealc_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.stealc.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/49093/

Comments