MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd36914f7b53d588ef21c1e919a53398753e0df4f207b478654b32716f5c8f55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 18


Intelligence 18 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cd36914f7b53d588ef21c1e919a53398753e0df4f207b478654b32716f5c8f55
SHA3-384 hash: f892a723c42bab318c5908dc5c420746feae8544d0ccc20dddad548ca228ea68ba3da9dde55901a1e7030125ba0f52e1
SHA1 hash: 29f3117edb374d53816324e0c25b21464b640532
MD5 hash: 45dfb6c7a2022889eb7aa5d0fb464965
humanhash: friend-washington-minnesota-mars
File name:file
Download: download sample
Signature Stealc
Create hunting rule
File size:238'592 bytes
First seen:2025-11-15 11:35:05 UTC
Last seen:2025-12-08 15:00:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (293 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep 6144:2WPOsiFHMMl38ID9VuCGVIePiBxKtxMMrk:2WPriFHMMt8A9YM8MM4
Threatray 2 similar samples on MalwareBazaar
TLSH T1E434239E1BDCC24DDC2CAB7E2314719DF7D769A92BB13B491AF1B092D2CCB326205524
TrID 54.9% (.EXE) UPX compressed Win32 Executable (27066/9/6)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4504/4/1)
4.1% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe fbf543 Stealc UPX


Avatar
Bitsight
url: http://178.16.55.189/files/5296057416/ogsdjCA.exe
File size (compressed) :238'592 bytes
File size (de-compressed) :577'024 bytes
Format:win32/pe
Unpacked file: 33007149b2e210384c82ebdc51994db576e71149c39d43dd46cb973c551eb21c

Intelligence

File Origin
# of uploads :
4
# of downloads :
114
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2025-11-15 11:37:10 UTC
Tags:
stealc stealer upx
Link:
https://app.any.run/tasks/513f87e0-e223-4fc8-a266-0d3f6713e987

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Stealc
Create hunting rule
Link:
https://www.capesandbox.com/analysis/38271/
Detection(s):
Win.Malware.Marte-10045369-0
Create hunting rule

ditekSHen.INDICATOR.Packed.TriumphLoader.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69186585bdb0ec3a9dc1d25b
Tags:
packed crypt spawn
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP POST request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug fingerprint lumma microsoft_visual_cc packed packed packed upx
Link:
https://www.filescan.io/uploads/6918658159887d113b3497eb/reports/23b6b599-e58c-4fdc-9dc1-e496df054b35/overview
Verdict:
Malicious
Labled as:
Shellcode.Loader.Marte.X.Generic
Link:
https://www.hybrid-analysis.com/sample/cd36914f7b53d588ef21c1e919a53398753e0df4f207b478654b32716f5c8f55
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-15T08:49:00Z UTC
Last seen:
2025-11-16T20:51:00Z UTC
Hits:
~10
Detections:
Trojan-PSW.Win32.StealC.v2
Link:
https://opentip.kaspersky.com/cd36914f7b53d588ef21c1e919a53398753e0df4f207b478654b32716f5c8f55/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/31912eb5-1d51-4d55-b96e-b5f46c90bc17
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cd36914f7b53d588ef21c1e919a53398753e0df4f207b478654b32716f5c8f55
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/45dfb6c7a2022889eb7aa5d0fb464965
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cd36914f7b53d588ef21c1e919a53398753e0df4f207b478654b32716f5c8f55/
Verdict:
Malicious
Threat:
Family.STEALC
Link:
https://tip.neiki.dev/file/cd36914f7b53d588ef21c1e919a53398753e0df4f207b478654b32716f5c8f55
Threat name:
Win32.Trojan.ShellCodeRunner
Create hunting rule
Status:
Malicious
First seen:
2025-11-15 11:35:31 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
28 of 37 (75.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zu3jct33kpkyr3zbyhurtjjttb2t4dpu6id3i6dfjmzhc324r5kq._file
Verdict:
malicious
Label(s):
stealc
Create hunting rule
Similar samples:
74cb0288fb2d930f4f1ca6360a79cedd2cc9b7d216d113b24af991bf263a1ac5
Stealc
cd36914f7b53d588ef21c1e919a53398753e0df4f207b478654b32716f5c8f55
Stealc
error
Stealc
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:stealc botnet:logsdillercloud discovery stealer upx
Link:
https://tria.ge/reports/251115-np9kks1jap/
Behaviour
System Location Discovery: System Language Discovery
UPX packed file
Stealc
Stealc family
Malware Config
C2 Extraction:
http://proproproaaa.fun
Verdict:
Malicious
Tags:
trojan Win.Malware.Marte-10045369-0
YARA:
SUSP_Imphash_Mar23_3
Link:
https://app.threat.zone/submission/3ddb6c19-fd81-4f54-b9dc-270edc391cc4
Unpacked files
SH256 hash:
cd36914f7b53d588ef21c1e919a53398753e0df4f207b478654b32716f5c8f55
MD5 hash:
45dfb6c7a2022889eb7aa5d0fb464965
SHA1 hash:
29f3117edb374d53816324e0c25b21464b640532
Link:
https://www.unpac.me/results/50ae61f7-210d-4632-83ce-827b301d3628/
SH256 hash:
33007149b2e210384c82ebdc51994db576e71149c39d43dd46cb973c551eb21c
MD5 hash:
23b52dc13e6eb59ae2e5179995449fe3
SHA1 hash:
42e7c0de8b314afed5c8bfb3659384f6b8b4a02c
Detections:
stealc
Create hunting rule
Link:
https://www.unpac.me/results/50ae61f7-210d-4632-83ce-827b301d3628/
Parent samples :
33007149b2e210384c82ebdc51994db576e71149c39d43dd46cb973c551eb21c
cd36914f7b53d588ef21c1e919a53398753e0df4f207b478654b32716f5c8f55
SH256 hash:
a66055a1590c0531819a987b2b6e648e04e9611be34b172eeecfcc2b0f3a8b83
MD5 hash:
7d35d6a446d95fe0b0bccbfa03d73a1e
SHA1 hash:
bdc371c1cb59d1aeee486744985391b86deab09d
Link:
https://www.unpac.me/results/50ae61f7-210d-4632-83ce-827b301d3628/
Malware family:
Stealc.v2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cd36914f7b53/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cd36914f7b53d588ef21c1e919a53398753e0df4f207b478654b32716f5c8f55

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:Heuristics_ChromeABE
Create hunting rule
Author:Still
Description:attempts to match instructions related to Chrome App-bound Encryption elevation service; possibly spotted amongst infostealers
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:StealcV2
Create hunting rule
Author:kevoreilly
Description:Stealc V2 Payload
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:upx_largefile
Create hunting rule
Author:k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe cd36914f7b53d588ef21c1e919a53398753e0df4f207b478654b32716f5c8f55

(this sample)

Stealc

Executable exe 33007149b2e210384c82ebdc51994db576e71149c39d43dd46cb973c551eb21c

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/38271/
  
Dropping
SHA256 33007149b2e210384c82ebdc51994db576e71149c39d43dd46cb973c551eb21c
  
Dropping
MD5 23b52dc13e6eb59ae2e5179995449fe3
  
URLhaus
https://urlhaus.abuse.ch/url/3708909/
  
URLhaus
https://urlhaus.abuse.ch/url/3687751/

Comments