MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d74ae7334478a9adb119a68fc56d43b3d314a63d4ebdd3308e4ea5c91c333fb1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 17

Intelligence 17 IOCs 1 YARA 18 File information Comments

SHA256 hash:	d74ae7334478a9adb119a68fc56d43b3d314a63d4ebdd3308e4ea5c91c333fb1
SHA3-384 hash:	cc75de0aa65ba0afecbc8272ed57c2c81afd786216380f016a3867d93086a289c4adf82147abf9cb1ac880b48c216800
SHA1 hash:	66223509d0083fbd05b5156f19f5ef85689187b9
MD5 hash:	18a5ac918c8adaefb3ae6c93d802cb19
humanhash:	kilo-tango-four-august
File name:	18a5ac918c8adaefb3ae6c93d802cb19.exe
Download:	download sample
Signature	Stealc Create hunting rule
File size:	16'787'892 bytes
First seen:	2025-12-26 18:00:32 UTC
Last seen:	2025-12-26 22:20:12 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	ad8c67341e87ae242bae94df127c88fc (1 x Stealc)
ssdeep	196608:n8jd3I7FpsVOFroRCZpHo+fRz0Uef0V9/gdvzf5VsswAUzvHBv64Alde63AACc:U3I7gVOFrHtNyMV9/SzhoAyBC4aDX
TLSH	T12C073337F268913FD5AA0B3209B39150993BBE606A098C9F03FC394DCF765611E3B55A
TrID	61.4% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 15.5% (.EXE) Win64 Executable (generic) (10522/11/4) 7.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.6% (.EXE) Win32 Executable (generic) (4504/4/1) 2.9% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	abuse_ch
Tags:	exe Stealc

abuse_ch

Stealc C2:
http://84.201.25.198/d038a0451b0e491c.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://84.201.25.198/d038a0451b0e491c.php	https://threatfox.abuse.ch/ioc/1686862/

Intelligence

File Origin

# of uploads :

# of downloads :

106

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

18a5ac918c8adaefb3ae6c93d802cb19.exe

Verdict:

Malicious activity

Analysis date:

2025-12-26 18:01:42 UTC

Tags:

delphi inno installer stealc stealer

Link:

https://app.any.run/tasks/13d3bf37-2ebd-403a-b663-c02d065b355f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Stealc

Link:

https://www.capesandbox.com/analysis/46176/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=694ecd86038f10550b560f5e

Tags:

vmdetect cobalt

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm anti-vm crypt fingerprint installer-heuristic invalid-signature microsoft_visual_cc overlay overlay packed signed

Link:

https://www.filescan.io/uploads/694ecd87a7163552ba052e97/reports/53866bfd-2e7a-4e7a-b6bd-5682fba89f02/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/d74ae7334478a9adb119a68fc56d43b3d314a63d4ebdd3308e4ea5c91c333fb1

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-12-22T12:46:00Z UTC

Last seen:

2025-12-27T09:45:00Z UTC

Hits:

~100

Detections:

Trojan-PSW.Lumma.HTTP.C&C Trojan-Dropper.Win32.Dapato.sb Trojan.Win32.Inject.sb PDM:Trojan.Win32.Generic Trojan-PSW.Win64.StealC.sb Trojan-PSW.Win32.Lumma.zfa Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Coins.sb

Link:

https://opentip.kaspersky.com/d74ae7334478a9adb119a68fc56d43b3d314a63d4ebdd3308e4ea5c91c333fb1/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/6f53cbd8-4a37-4f58-93ea-5111da91395c

Result

Threat name:

Stealc v2

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1839837

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Suricata IDS alerts for network traffic

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Unusual module load detection (module proxying)

Writes to foreign memory regions

Yara detected Stealc v2

Behaviour

Behavior Graph:

Download SVG

Score:

71%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/d74ae7334478a9adb119a68fc56d43b3d314a63d4ebdd3308e4ea5c91c333fb1

Verdict:

inconclusive

YARA:

6 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/18a5ac918c8adaefb3ae6c93d802cb19

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d74ae7334478a9adb119a68fc56d43b3d314a63d4ebdd3308e4ea5c91c333fb1/

Verdict:

Malicious

Threat:

Family.STEALC

Link:

https://tip.neiki.dev/file/d74ae7334478a9adb119a68fc56d43b3d314a63d4ebdd3308e4ea5c91c333fb1

Threat name:

Win32.Trojan.StealC

Status:

Malicious

First seen:

2025-12-23 01:17:47 UTC

File Type:

PE (Exe)

Extracted files:

307

AV detection:

11 of 24 (45.83%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=25foom2epcu23mizu2h4k3kdwpjrjjr5j265gmeoj2s4shbth6yq._file

Verdict:

malicious

Label(s):

stealc

Similar samples:

error

Stealc

Result

Malware family:

stealc

Score:

10/10

Tags:

family:stealc botnet:obs discovery installer spyware stealer

Link:

https://tria.ge/reports/251226-wmamgafl4t/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

Stealc

Stealc family

Malware Config

C2 Extraction:

http://84.201.25.198

Verdict:

Unknown

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/46901199-e95f-46e2-b7f0-448136fbabc5

Unpacked files

SH256 hash:

d74ae7334478a9adb119a68fc56d43b3d314a63d4ebdd3308e4ea5c91c333fb1

MD5 hash:

18a5ac918c8adaefb3ae6c93d802cb19

SHA1 hash:

66223509d0083fbd05b5156f19f5ef85689187b9

Link:

https://www.unpac.me/results/52f7b44b-340a-4022-8fc9-e53fc13466c5/

SH256 hash:

a66055a1590c0531819a987b2b6e648e04e9611be34b172eeecfcc2b0f3a8b83

MD5 hash:

7d35d6a446d95fe0b0bccbfa03d73a1e

SHA1 hash:

bdc371c1cb59d1aeee486744985391b86deab09d

Link:

https://www.unpac.me/results/52f7b44b-340a-4022-8fc9-e53fc13466c5/

Parent samples :

1d8cc65d36b53e94dff26e579d690b5a788393c96026a8689657de510ada2b81
dde0d05aa7f0843b643d6168f71881a7e7e4f0fa747ce6c09c25791ae60d30a9
c92d3b7961692f031863195786b6dbd7daff071635fc4622be6d50d6970ac531
83f96ebb903ce23ef34f3ad69ae98686d69153b3ca58baa197d728d63a14fc27
b554667949dc3847c3f04642b6c7b8d24948b72d5d3f0ee4ac656aa34a3dc8ed

SH256 hash:

466b241956b9d7b99e83923bf0db276e1de3e40fbf99f8f71a83b562bdfb5589

MD5 hash:

4ce125cceaaadd9d16cf9dc004b2cdf6

SHA1 hash:

93e63642e5a57726c75f0c3d93d02639872f121b

Link:

https://www.unpac.me/results/52f7b44b-340a-4022-8fc9-e53fc13466c5/

SH256 hash:

b7831523af227b88cc1d164061f9240ca519c539e0fe15bd2e38f27cfc5da832

MD5 hash:

31ff1aa6564061ad52a19e0e0edd6173

SHA1 hash:

177b65b07efdedd615d199f126401b306dd2c1e4

Detections:

stealc

Link:

https://www.unpac.me/results/52f7b44b-340a-4022-8fc9-e53fc13466c5/

Malware family:

Stealc.v2

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d74ae7334478/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d74ae7334478a9adb119a68fc56d43b3d314a63d4ebdd3308e4ea5c91c333fb1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	HeavensGate Create hunting rule
Author:	kevoreilly
Description:	Heaven's Gate: Switch from 32-bit to 64-mode

Rule name:	Heuristics_ChromeABE Create hunting rule
Author:	Still
Description:	attempts to match instructions related to Chrome App-bound Encryption elevation service; possibly spotted amongst infostealers

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	ProgramLanguage_Rust Create hunting rule
Author:	albertzsigovits
Description:	Application written in Rust programming language

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	StealcV2 Create hunting rule
Author:	kevoreilly
Description:	Stealc V2 Payload

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

Rule name:	Warp Create hunting rule
Author:	Seth Hardy
Description:	Warp

Rule name:	WarpStrings Create hunting rule
Author:	Seth Hardy
Description:	Warp Identifying Strings

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/46176/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample