MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e60864eafd3391c5a678067089a399c939839d272b2258f77a9879c57aa6a0a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 16


Intelligence 16 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e60864eafd3391c5a678067089a399c939839d272b2258f77a9879c57aa6a0a5
SHA3-384 hash: 6ae51f9229772b0a4741f47010fc48baace39286949536de71691fa5d14420dba2ccef9d78dc836ea09821de335e294f
SHA1 hash: baef56a59c44e529c63097bc5081619049b7e455
MD5 hash: 6f1f6d2c9a8e5cd35f62527ff38e591e
humanhash: wyoming-spring-oranges-may
File name:file
Download: download sample
Signature Stealc
Create hunting rule
File size:678'912 bytes
First seen:2025-12-08 11:03:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 71 x LummaStealer, 62 x Rhadamanthys)
ssdeep 6144:oahOcKe5v0bURyWKV0VC3QZd05Pp9HfZu5PIImWy/WAb:oiSNbURpKVuC3SdgpRBuuWC
Threatray 84 similar samples on MalwareBazaar
TLSH T186E42940B689DEA9E9160230886AD2F31915BCB9D751214F39D8FF3FFA73648101DE6B
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10522/11/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter Bitsight
Tags:BB3.file dropped-by-gcleaner exe Stealc x


Avatar
Bitsight
url: http://194.38.20.224/service

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
US US
Vendor Threat Intelligence
Malware configuration found for:
Archives
Details
Archives
an extracted Cabinet archive from the resources and SFX parameters
Link:
https://research.acce.ciphertechsolutions.com/results/967c8d12-7613-40d4-9630-2ef02f388b16/
Malware family:
n/a
ID:
1
File name:
_e60864eafd3391c5a678067089a399c939839d272b2258f77a9879c57aa6a0a5.exe
Verdict:
Malicious activity
Analysis date:
2025-12-08 11:04:38 UTC
Tags:
payload ta558 apt stegocampaign loader reverseloader stealc stealer
Link:
https://app.any.run/tasks/3cd4758b-cb92-41af-967d-418139b27800

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/42987/
Detection(s):
TwinWave.EvilVBA.LostAtSeaFuncInDirection.20240306.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6936b0b6db58e1a2c22b7dc6
Tags:
xtreme shell sage
Verdict:
Malicious
Labled as:
Trojan/Malware
Link:
https://www.hybrid-analysis.com/sample/e60864eafd3391c5a678067089a399c939839d272b2258f77a9879c57aa6a0a5
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-12-08T08:10:00Z UTC
Last seen:
2025-12-08T19:24:00Z UTC
Hits:
~10
Detections:
Trojan-Downloader.PowerShell.NanoShield.sb HEUR:Trojan.Script.Generic Trojan-Downloader.SLoad.TCP.ServerRequest Trojan.JS.SAgent.sb
Link:
https://opentip.kaspersky.com/e60864eafd3391c5a678067089a399c939839d272b2258f77a9879c57aa6a0a5/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/727ad151-c536-4e60-a48f-4a4d51d822b3
Score:
91%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e60864eafd3391c5a678067089a399c939839d272b2258f77a9879c57aa6a0a5
Verdict:
Malware
YARA:
5 match(es)
Tags:
CAB:COMPRESSION:LZX DeObfuscated Executable Obfuscated PDB Path PE (Portable Executable) PE File Layout T1059.005 VBScript Win 64 Exe WScript.Network WScript.Shell x64
Link:
https://app.malva.re/file/6f1f6d2c9a8e5cd35f62527ff38e591e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e60864eafd3391c5a678067089a399c939839d272b2258f77a9879c57aa6a0a5/
Verdict:
Malicious
Threat:
Family.STEALC
Link:
https://tip.neiki.dev/file/e60864eafd3391c5a678067089a399c939839d272b2258f77a9879c57aa6a0a5
Threat name:
Win64.Spyware.Stealc
Create hunting rule
Status:
Malicious
First seen:
2025-12-08 11:04:21 UTC
File Type:
PE+ (Exe)
Extracted files:
237
AV detection:
16 of 24 (66.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4yegj2x5goi4ljtyazyiti4zze4yhhjhfmrfr532tb44k6vgucsq._file
Verdict:
malicious
Label(s):
shellcode_loader_007
Create hunting rule
stealc
Create hunting rule
Similar samples:
20291af59067a9886fa2c749d711adc8c2ecf687a48611cbdfefe6b5ca0f583f
Stealc
2f977b90f9a83a87a6ce2f911abcba241de57757a862a1bd06b523e51a6bee08
Stealc
53a4ec3d8e00bb60c891bf45069a2ea5a987382410b76613c7fc7c9407693daf
Stealc
5f14beaba244bd8335e26210102783ffc5d7d49cae2a870342e9e911c26d0da8
Stealc
70dfe5d54ffa3a00287da91d36a9d1a3a19520276816505fa08875c14d8759c7
Stealc
73420694fb8c75bed7825d4074c596e681f36aa287efaddd60d7370e98abd740
Stealc
83863006b4dda98ef3dfdf417d11b099fec994d1886ce7e91c4e708e23bb2ba6
Stealc
b38e57dc8a718b9b9ecb84b8ad7c8fc11c5028e7b9f0eafc1591d5b58c9de9c2
Stealc
b95e69a846b41f56eb8e746b56dc85a98da5ed989411579bcda5af0b959f07e1
Stealc
error
Stealc
+ 74 additional samples on MalwareBazaar
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:stealc botnet:2222 discovery execution persistence spyware stealer
Link:
https://tria.ge/reports/251208-m6ek4awqfk/
Behaviour
Checks processor information in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Reads user/profile data of web browsers
Badlisted process makes network request
Stealc
Stealc family
Malware Config
C2 Extraction:
http://163.5.112.94
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2b44c4d1-adb0-4774-a2e4-af5eb4a87530
Unpacked files
SH256 hash:
e60864eafd3391c5a678067089a399c939839d272b2258f77a9879c57aa6a0a5
MD5 hash:
6f1f6d2c9a8e5cd35f62527ff38e591e
SHA1 hash:
baef56a59c44e529c63097bc5081619049b7e455
Link:
https://www.unpac.me/results/0997fa9f-49cb-4860-93e7-aecead22e76f/
Malware family:
Stealc.v2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e60864eafd33/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e60864eafd3391c5a678067089a399c939839d272b2258f77a9879c57aa6a0a5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:Heuristics_ChromeABE
Create hunting rule
Author:Still
Description:attempts to match instructions related to Chrome App-bound Encryption elevation service; possibly spotted amongst infostealers
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:StealcV2
Create hunting rule
Author:kevoreilly
Description:Stealc V2 Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe e60864eafd3391c5a678067089a399c939839d272b2258f77a9879c57aa6a0a5

(this sample)

  
Dropped by
Gcleaner
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/42987/

Comments