MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dad8e703aa0e0077992d417f2825b9fd7b3c54058f76212547ffb0da2e072e02. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 16

Intelligence 16 IOCs YARA 18 File information Comments

SHA256 hash:	dad8e703aa0e0077992d417f2825b9fd7b3c54058f76212547ffb0da2e072e02
SHA3-384 hash:	9497bed363e535495cceb6f4cf9fdee98aabd91b6551b4e08c0f3bb711bb17744c8361ce9f58c846aba1c4a1fdb3ee58
SHA1 hash:	fa3a516af1aa89399bd9702af25ac3a4d3169402
MD5 hash:	820e7ddb14f8b3de26b54c56d8b67749
humanhash:	double-seventeen-venus-sweet
File name:	dad8e703aa0e0077992d417f2825b9fd7b3c54058f76212547ffb0da2e072e02.bin
Download:	download sample
Signature	Stealc Create hunting rule
File size:	9'589'760 bytes
First seen:	2026-06-23 09:26:56 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4029dc5ee830151a426fff64189bae0e (7 x Stealc, 2 x RedLineStealer, 1 x SVCStealer)
ssdeep	196608:0vcpIZihQW4CsXDjDyfGZkJM1heRV/+Pi8:0GhQVCEDrZkeY2Pi
Threatray	35 similar samples on MalwareBazaar
TLSH	T1CDA6130AA75801F8E4B7C13CC962460BDBB2B8661375A74F07A416DAAF633D05F3EB51
TrID	37.0% (.EXE) Win64 Executable (generic) (6522/11/2) 28.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 11.5% (.EXE) OS/2 Executable (generic) (2029/13) 11.3% (.EXE) Generic Win/DOS Executable (2002/3) 11.3% (.EXE) DOS Executable (generic) (2000/1)
Magika	pebin
Reporter	spamhaus
Tags:	exe Stealc

Intelligence

File Origin

# of uploads :

# of downloads :

195

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

Diamotrix LocalBinder Stealc TinyLoader

Details

Link:

https://research.acce.ciphertechsolutions.com/results/25afe990-d35d-47e7-b362-61fe9bb7482b/

Malware family:

amadey

ID:

File name:

xdad8e703aa0e0077992d417f2825b9fd7b3c54058f76212547ffb0da2e072e02.exe

Verdict:

Malicious activity

Analysis date:

2026-04-25 04:14:01 UTC

Tags:

stealc stealer auto-reg auto clipbanker python amadey botnet loader pyinstaller openssl tool

Link:

https://app.any.run/tasks/8f9978ef-b1ec-41b0-a531-30d4e471e5f4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/71669/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69ec3f8551cce3ff702fba39

Tags:

emotet cobalt

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %AppData% directory

Creating a process from a recently created file

Сreating synchronization primitives

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for recently created files

Creating a file in the %temp% directory

Loading a suspicious library

Creating a file

Searching for synchronization primitives

Using the Windows Management Instrumentation requests

DNS request

Connection attempt

Running batch commands

Sending an HTTP GET request to an infection source

Enabling the 'hidden' option for files in the %temp% directory

Launching a process

Creating a process with a hidden window

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Connection attempt to an infection source

Enabling autorun by creating a file

Enabling autorun

Unauthorized injection to a system process

Sending an HTTP POST request to an infection source

Verdict:

Malicious

Labled as:

Mikey.Generic

Link:

https://www.hybrid-analysis.com/sample/dad8e703aa0e0077992d417f2825b9fd7b3c54058f76212547ffb0da2e072e02

Verdict:

Malicious

File Type:

exe x64

First seen:

2026-04-23T22:43:00Z UTC

Last seen:

2026-06-25T06:43:00Z UTC

Hits:

~100

Link:

https://opentip.kaspersky.com/dad8e703aa0e0077992d417f2825b9fd7b3c54058f76212547ffb0da2e072e02/results?tab=lookup

Malware family:

Stealc

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e159992b-ed88-4089-8bda-5db8e4ffad27

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/dad8e703aa0e0077992d417f2825b9fd7b3c54058f76212547ffb0da2e072e02

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/dad8e703aa0e0077992d417f2825b9fd7b3c54058f76212547ffb0da2e072e02/

Verdict:

Malicious

Threat:

Family.STEALC

Link:

https://tip.neiki.dev/file/dad8e703aa0e0077992d417f2825b9fd7b3c54058f76212547ffb0da2e072e02

Threat name:

Win64.Trojan.SvcStealer

Status:

Malicious

First seen:

2026-04-24 03:42:33 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

27 of 36 (75.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3lmooa5kbyahpgjnif7sqjnz7v5tyvafr53ccjkh76ynulqhfyba._file

Verdict:

malicious

Label(s):

stealc

unc_clipper_003

remus

Stealc

11e8084e7792e38c432e041b5b0e4341cbd21c97e050ab2739e77e7fe30d0d1b

Stealc

203858a2a480b9efc8e97209a38731941d985960eaa9fcf6045bb972f34b0761

Stealc

2841aab00ee6f00213e594dc562d03b982e6d8570a6de2a0797f3a147665f4ca

Stealc

423b1dbb76e3a758ea0af0729c743f37379be98e05e5cc5e79b9fa97b6c84e38

Stealc

7836fcfb6c81e23437fb1b4e812099a945fe318e3dc41cb3ba81f9768c0d0db8

Stealc

b5a211c440628f225bd8268c466305f3012096ec84f5821ef8045ece50e3c1bc

Stealc

+ 25 additional samples on MalwareBazaar

Result

Malware family:

xtinyloader

Score:

10/10

Tags:

family:remus_stealer family:stealc family:xtinyloader botnet:42095347b27b46c0e9195ed43d5626df botnet:mkaysnkmka4g1igb04jt botnet:run discovery loader persistence pyinstaller spyware stealer

Link:

https://tria.ge/reports/260623-le4kgabz51/

Behaviour

Checks processor information in registry

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Detects Pyinstaller

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Loads dropped DLL

Reads WinSCP keys stored on the system

Reads user/profile data of web browsers

Registers new Windows logon scripts automatically executed at logon.

Checks computer location settings

Executes dropped EXE

Detects Remus stealer

Detects Stealc stealer Version 2

Family: Remus

Family: Stealc

Family: XTinyLoader

Malware Config

C2 Extraction:

http://losslvs.surf:7802
http://baxe.pics:48261
http://iuta.today:8521
http://196.251.107.130
62.60.226.159/xvzpjyddlu/getdata.php
196.251.107.104/xvzpjyddlu/getdata.php

Unpacked files

SH256 hash:

dad8e703aa0e0077992d417f2825b9fd7b3c54058f76212547ffb0da2e072e02

MD5 hash:

820e7ddb14f8b3de26b54c56d8b67749

SHA1 hash:

fa3a516af1aa89399bd9702af25ac3a4d3169402

Link:

https://www.unpac.me/results/6df0c95c-654b-4a1b-8cb9-2c3ecc342cd1/

SH256 hash:

296426e7ce11bc3d1cfa9f2aeb42f60c974da4af3b3efbeb0ba40e92e5299fdf

MD5 hash:

89511df61678befa2f62f5025c8c8448

SHA1 hash:

df3961f833b4964f70fcf1c002d9fd7309f53ef8

Link:

https://www.unpac.me/results/6df0c95c-654b-4a1b-8cb9-2c3ecc342cd1/

SH256 hash:

da0ac1068d9e88c53613cb2cab84dede321e5cd9f356593c4e0124c5c2339c79

MD5 hash:

80e815d62da2c2a2f2917e876a55bc3e

SHA1 hash:

8781160a42e7d4c47326078f411bf16557770293

Link:

https://www.unpac.me/results/6df0c95c-654b-4a1b-8cb9-2c3ecc342cd1/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/dad8e703aa0e0077992d417f2825b9fd7b3c54058f76212547ffb0da2e072e02

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	Detect_PyInstaller Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects PyInstaller compiled executables across platforms

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	Heuristics_ChromeABE Create hunting rule
Author:	Still
Description:	attempts to match instructions related to Chrome App-bound Encryption elevation service; possibly spotted amongst infostealers

Rule name:	INDICATOR_SUSPICIOUS_ReflectiveLoader Create hunting rule
Author:	ditekSHen
Description:	Detects Reflective DLL injection artifacts

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	PyInstaller Create hunting rule
Author:	@bartblaze
Description:	Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	ReflectiveLoader Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:	Internal Research

Rule name:	StealcV2 Create hunting rule
Author:	Still
Description:	attempts to match the instructions found in StealcV2

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE Create hunting rule
Author:	CYFARE
Description:	Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:	https://cyfare.net/

Rule name:	TH_APT_EquationGroup_2026_CYFARE Create hunting rule
Author:	CYFARE
Description:	Equation Group (G0020) APT malware detection - covers EquationDrug, GrayFish, DoubleFantasy, TripleFantasy, Fanny, GROK, nls_933w HDD firmware module, and Shadow Brokers tooling
Reference:	https://cyfare.net/

Rule name:	upxHook Create hunting rule
Author:	@r3dbU7z
Description:	Detect artifacts from 'upxHook' - modification of UPX packer
Reference:	https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

Rule name:	Windows_Trojan_Stealc_41db1d4d Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/71669/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample