MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2179f954fb900e8a6840ab87cbe0ec24782114ec6b0c4e559c841863085575f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MarsStealer

Vendor detections: 18

Intelligence 18 IOCs YARA 36 File information Comments

SHA256 hash:	d2179f954fb900e8a6840ab87cbe0ec24782114ec6b0c4e559c841863085575f
SHA3-384 hash:	bce21dd18c14c87789fae999cd709e4c2e87142822f9a4c3e05339b3fa2691a70e6f377a5a9e107c6881366bd3f5be56
SHA1 hash:	7a6e6add661f4dabb1d87b859dbbff23cfd90be6
MD5 hash:	abcf72df3558ad41efb76c467ddb9628
humanhash:	speaker-north-sodium-venus
File name:	d2179f954fb900e8.exe
Download:	download sample
Signature	MarsStealer Create hunting rule
File size:	2'147'328 bytes
First seen:	2026-03-15 08:02:17 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a20218377378835f816db93bd4ba0e01 (1 x Stealc, 1 x MarsStealer)
ssdeep	49152:rwW4DK4/t/ZFnPU5R4pKM7/jxPU5R4pKM7/jxPU5R4pKM7/jx:rwW4D
Threatray	247 similar samples on MalwareBazaar
TLSH	T140A54A1227FA4209F2FF1B78B47951651BB7BD0A6A39C79E158CA4AD0BB3B508D10373
TrID	50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 10.5% (.EXE) Win64 Executable (generic) (6522/11/2) 8.1% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	Skynet11
Tags:	exe MarsStealer Stealc

Intelligence

File Origin

# of uploads :

# of downloads :

187

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

AceCryptor Stealc

Details

AceCryptor

an extracted payload

AceCryptor

an extracted shellcode loader component and the ms_c_rand-XOR seed

Stealc

decrypted strings, a c2 url, and url paths

Link:

https://research.acce.ciphertechsolutions.com/results/baedb23b-8017-4375-94fd-0937d380018c/

Malware family:

n/a

ID:

File name:

xd2179f954fb900e8a6840ab87cbe0ec24782114ec6b0c4e559c841863085575f.exe

Verdict:

Malicious activity

Analysis date:

2026-03-15 07:55:12 UTC

Tags:

stealc stealer rust

Link:

https://app.any.run/tasks/99f63e6a-9a73-407c-8afc-86b3dae9171d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Stealc

Link:

https://www.capesandbox.com/analysis/57521/

Detection(s):

Win.Trojan.Generic-10038274-0

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69b665df93b644ca466a3e93

Tags:

cobalt trojan micro worm

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

crypt fingerprint infostealer installer-heuristic krypt microsoft_visual_cc overlay packed stealc stealer tofsee unsafe

Link:

https://www.filescan.io/uploads/69b667c4493cb7d62dfdc738/reports/43c7c1e2-9c8d-4ac8-9239-d82d6318c2c8/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/d2179f954fb900e8a6840ab87cbe0ec24782114ec6b0c4e559c841863085575f

Verdict:

Malicious

File Type:

exe x32

Detections:

Trojan-PSW.Win32.Stealerc.sb Trojan.Win32.Zenpak.sb Trojan.Win32.Yakes.sb Trojan.Win32.Strab.sb Trojan.Win32.Chapak.sb HEUR:Trojan-PSW.Win32.Stealerc.gen

Link:

https://opentip.kaspersky.com/d2179f954fb900e8a6840ab87cbe0ec24782114ec6b0c4e559c841863085575f/results?tab=lookup

Malware family:

Stealc

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8b212145-6572-4a58-97c0-aac6c8d4e638

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/d2179f954fb900e8a6840ab87cbe0ec24782114ec6b0c4e559c841863085575f

Verdict:

inconclusive

YARA:

6 match(es)

Tags:

.Net Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/abcf72df3558ad41efb76c467ddb9628

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d2179f954fb900e8a6840ab87cbe0ec24782114ec6b0c4e559c841863085575f/

Verdict:

Malicious

Threat:

Family.STEALC

Link:

https://tip.neiki.dev/file/d2179f954fb900e8a6840ab87cbe0ec24782114ec6b0c4e559c841863085575f

Threat name:

Win32.Trojan.StealC

Status:

Malicious

First seen:

2026-03-15 01:45:58 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

28 of 38 (73.68%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2ilz7fkpxeaorjuebk4hzpqoyjdyeekoy2ymjzkzzbaymmefk5pq._file

Verdict:

malicious

Label(s):

shellcode_loader_002

stealc

MarsStealer

6094e2400b66c9d53bdd5f0de67d37705207af0283d00d531105ce0fee86f25b

MarsStealer

c40ada473bd3a23569dd60807fa9754f2917c029e28746e7c1a32568d801dbfe

MarsStealer

d2179f954fb900e8a6840ab87cbe0ec24782114ec6b0c4e559c841863085575f

MarsStealer

error

MarsStealer

+ 237 additional samples on MalwareBazaar

Result

Malware family:

stealc

Score:

10/10

Tags:

family:stealc botnet:logsdiller discovery stealer

Link:

https://tria.ge/reports/260315-jxs6cafx8x/

Behaviour

Program crash

System Location Discovery: System Language Discovery

Stealc

Stealc family

Malware Config

C2 Extraction:

http://95.215.204.230

Unpacked files

SH256 hash:

d2179f954fb900e8a6840ab87cbe0ec24782114ec6b0c4e559c841863085575f

MD5 hash:

abcf72df3558ad41efb76c467ddb9628

SHA1 hash:

7a6e6add661f4dabb1d87b859dbbff23cfd90be6

Link:

https://www.unpac.me/results/019379f4-14c1-4900-bd82-26be1ea2964c/

SH256 hash:

7bb9a2c7a4a76b072bcf305c028417638972b5a6992b67e01a772af2b97be96a

MD5 hash:

927303662199eead6b2b9d06107f3ae2

SHA1 hash:

e06dd3eeb28dba46691d896d91a88d9f722f4f27

Detections:

stealc

detect_Mars_Stealer

Link:

https://www.unpac.me/results/019379f4-14c1-4900-bd82-26be1ea2964c/

Parent samples :

ffa2d47682f90005adc72092ecca35bc579803c0fb3eef11e5b22b7d5f7444df
3b2d94bdfce70ff0c55d797daef37210e0201af1500ca88721eaad50f861750a
c10c02af1f610e9436a6eb942070e5fae80e1041bdc027c73a261e2615522251
6448755cb9a0b33e628f4289d8a101858ee71c57a0969709d65719aabc37dc10
9f5195d2f0afe0cb776016c79b696bf4d027f753c31fb7a3507d4bf1c23c095a
4fa2faf24fb7ee3fc4020609c544924e74069331124a92f38e66c23862c307b0
90bf1aea7c89baeed430c90a5d29709fa13391996d6258a3ef7c710431f3e663
d2179f954fb900e8a6840ab87cbe0ec24782114ec6b0c4e559c841863085575f

SH256 hash:

81a4f37c5495800b7cc46aea6535d9180dadb5c151db6f1fd1968d1cd8c1eeb4

MD5 hash:

eda18948a989176f4eebb175ce806255

SHA1 hash:

ff22a3d5f5fb705137f233c36622c79eab995897

Link:

https://www.unpac.me/results/019379f4-14c1-4900-bd82-26be1ea2964c/

Malware family:

Stealc

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d2179f954fb9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d2179f954fb900e8a6840ab87cbe0ec24782114ec6b0c4e559c841863085575f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	detect_Mars_Stealer Create hunting rule
Author:	@malgamy12
Description:	detect_Mars_Stealer

Rule name:	detect_powershell Create hunting rule
Author:	daniyyell
Description:	Detects suspicious PowerShell activity related to malware execution

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	infostealer_win_stealc_standalone Create hunting rule
Description:	Find standalone Stealc sample based on decryption routine or characteristic strings
Reference:	https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/

Rule name:	malware_Stealc_str Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	Stealc infostealer

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETDLLMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	ProgramLanguage_Rust Create hunting rule
Author:	albertzsigovits
Description:	Application written in Rust programming language

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	Stealc Create hunting rule
Author:	kevoreilly
Description:	Stealc Payload

Rule name:	Stealc_unpacked_PulseIntel Create hunting rule
Author:	PulseIntel
Description:	Stealc Payload

Rule name:	Stealer_Stealc Create hunting rule
Author:	Still
Description:	attempts to match instructions/strings found in Stealc

Rule name:	Suspicious_Process Create hunting rule
Author:	Security Research Team
Description:	Suspicious process creation

Rule name:	Sus_All_Windows_PE_Malware Create hunting rule
Author:	DiegoAnalytics
Description:	Detects Windows PE malware of all types, avoids non-executables like .html

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

Rule name:	Vidar_unpacked_PulseIntel Create hunting rule
Author:	PulseIntel
Description:	Vidar Payload

Rule name:	Windows_Generic_Threat_2bba6bae Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Generic_2993e5a5 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Stealc_5d3f297c Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Stealc_b8ab9ab5 Create hunting rule
Author:	Elastic Security

Rule name:	WIN_FileFix_Detection Create hunting rule
Author:	dogsafetyforeverone
Description:	Detects FileFix social engineering technique that launches chained PowerShell and PHP commands from file explorer typed paths
Reference:	FileFix social engineering with PowerShell and PHP commands

Rule name:	win_stealc_w0 Create hunting rule
Author:	crep1x
Description:	Find standalone Stealc sample based on decryption routine or characteristic strings
Reference:	https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/

Rule name:	WIN_WebSocket_Base64_C2_20250726 Create hunting rule
Author:	dogsafetyforeverone
Description:	Detects configuration strings used by malware to specify WebSocket command-and-control endpoints inside Base64-encoded data. It looks for prefixes such as '#ws://' or '#wss://' that were found in QuasarRAT configuration data.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/57521/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample