MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d5e71862d95da35cd0e538e77a66a41afceea92a2965d10eb8d724a72d634355. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 9

Intelligence 9 IOCs YARA 9 File information Comments

SHA256 hash:	d5e71862d95da35cd0e538e77a66a41afceea92a2965d10eb8d724a72d634355
SHA3-384 hash:	ba477f0a27adc643d245d2bde1b0c66fb5dc53fcbcc8a0577c9734b4aed04be51f61f702175d65b4a420d26f80a9702d
SHA1 hash:	cfce2320b35119bd4a701dda93820bfdf3ce16a1
MD5 hash:	5f50ba7bfb8bb086d142e784926c7ecb
humanhash:	diet-fix-alanine-purple
File name:	Set-up.zip
Download:	download sample
Signature	Stealc Create hunting rule
File size:	1'248'341 bytes
First seen:	2025-07-23 22:54:43 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	6144:kT6sSedpi9CMIImcHtEtACz7+6V/9mbPmkcZhBHbZLwdxbnTZGC1TkFzhClJIyrB:ledpePw7+umTmDB965nMCZIhDy1D
TLSH	T17945791A64A34F95C89D417E80EB0B46775EBB4A6256A31F8372E26F7FF33F09825401
Magika	zip
Reporter	aachum
Tags:	77-90-153-129 file-pumped rezipped Stealc zip

iamaachum

https://www.youtube.com/post/Ugkxo2geOa1z9aNiDiMpJE_e22s-NeZF6HUV => https://www.mediafire.com/folder/r3j9115p6o9ly/File

Stealc C2: http://77.90.153.129/9ab2b73ab8b94d87.php

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	Set-up.exe
Pumped file	This file is pumped. MalwareBazaar has de-pumped it.
File size:	790'626'304 bytes
SHA256 hash:	d0476888c7c4a336562ac7132cb5be98ee30e22f9d7b829b971c6e6b4677e54d
MD5 hash:	83404bfb1e64b24f9549dec1c3b85582
De-pumped file size:	1'220'608 bytes (Vs. original size of 790'626'304 bytes)
De-pumped SHA256 hash:	2604f33eea298ff68165214acb53a3892f90b72ecb2c220f63d63dc353452593
De-pumped MD5 hash:	72ac042564366147fe1db1ae695c6fd5
MIME type:	application/x-dosexec
Signature	Stealc

Vendor Threat Intelligence

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=688168712f623871a5f2aac2

Tags:

stration rapid shell spawn

Result

Verdict:

Malicious

File Type:

ZIP File - Malicious

Link:

https://app.docguard.net/d5e71862d95da35cd0e538e77a66a41afceea92a2965d10eb8d724a72d634355/results/dashboard

Behaviour

SuspiciousEmbeddedObjects detected

Verdict:

Suspicious

Labled as:

HEUR/Pumpar.Generic

Link:

https://www.hybrid-analysis.com/sample/d5e71862d95da35cd0e538e77a66a41afceea92a2965d10eb8d724a72d634355

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/d5e71862d95da35cd0e538e77a66a41afceea92a2965d10eb8d724a72d634355

Verdict:

Malware

YARA:

3 match(es)

Tags:

CVE-2019-13232 CVE-2019-9674 CVE-2022-29225 CVE-2022-36114 CVE-2023-46104 CVE-2024-0450 Executable Malicious PDB Path PE (Portable Executable) Zip Archive Zip Bomb

Link:

https://app.malva.re/file/5f50ba7bfb8bb086d142e784926c7ecb

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d5e71862d95da35cd0e538e77a66a41afceea92a2965d10eb8d724a72d634355/

Verdict:

Malicious

Threat:

Win64.Downloader.Heuristic

Link:

https://tip.neiki.dev/file/d5e71862d95da35cd0e538e77a66a41afceea92a2965d10eb8d724a72d634355

Threat name:

Win32.Trojan.Egairtigado

Status:

Malicious

First seen:

2025-07-23 22:55:42 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

9 of 24 (37.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2xtrqywzlwrvzuhfhdtxuzvedl6o5kjkffs5cdvy24skolldinkq._file

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PK_PUMP_AND_DUMP Create hunting rule
Author:	Will Metcalf @node5
Description:	Walks Zip Central Directory filename entries looking for abused extension then checks for a file that's at least 25M and then check to see how much uncompressed size is vs compressed size

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	weird_zip_high_compression_ratio Create hunting rule
Author:	Maxime THIEBAUT (@0xThiebaut)
Description:	Detects single-entry ZIP files with a suspiciously high compression ratio (>100:1) and decompressed size above the 500MB AV limit
Reference:	https://twitter.com/Cryptolaemus1/status/1633099154623803394