MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb49b3274beafe94b1e4619bfd81f56a0776e9e59706f8de56fdc1b793e5bd1c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 14


Intelligence 14 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eb49b3274beafe94b1e4619bfd81f56a0776e9e59706f8de56fdc1b793e5bd1c
SHA3-384 hash: 4717a93e80c9fb5ecbc66233cd7473436a2b145e36da4e24becbb5cde378fb5ff112db4ef4cf3eae4c024bf44bfe187e
SHA1 hash: 513d1bfb5027430089cdae760591c640408af57c
MD5 hash: e407fe5f509774531702d722e7a8eef7
humanhash: yellow-four-skylark-artist
File name:kilka.exe
Download: download sample
Signature Stealc
Create hunting rule
File size:760'832 bytes
First seen:2025-07-23 22:56:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 112f19f28f55f461c3d7ad7d3898dd7b (30 x Stealc)
ssdeep 12288:/JLb4TZvg7l4RaaXGOFC4WKPMeY6ReOSoE/:/l8TZ472RaaX7yeM7
Threatray 29 similar samples on MalwareBazaar
TLSH T159F47D1FF7E501F8C4BB8278C9565942E77A74561370A68F03E019A63F2B650AF7EB20
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter aachum
Tags:77-90-153-129 exe Stealc


Avatar
iamaachum
http://141.98.6.34:5554/kilka.exe

Stealc C2: http://77.90.153.129/9ab2b73ab8b94d87.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
46
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://141.98.6.34:5554/kilka.exe
Verdict:
Malicious activity
Analysis date:
2025-07-21 10:35:05 UTC
Tags:
stealc stealer
Link:
https://app.any.run/tasks/663d27aa-e0d6-4f67-b8af-3513d4fa9787

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/16564/
Detection(s):
Win.Malware.Marte-10045369-0
Create hunting rule

ditekSHen.INDICATOR.Packed.TriumphLoader.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6881677b2f623871a5f2a8c6
Tags:
shellcode packed hype
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending an HTTP POST request to an infection source
Connection attempt to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
cmd fingerprint lolbin microsoft_visual_cc obfuscated stealc stealer
Link:
https://www.filescan.io/uploads/688168968a7d628a81c005c6/reports/ee635735-2229-46ae-90f4-efd23abf6a4d/overview
Verdict:
Malicious
Labled as:
Shellcode.Loader.Marte.X.Generic
Link:
https://www.hybrid-analysis.com/sample/eb49b3274beafe94b1e4619bfd81f56a0776e9e59706f8de56fdc1b793e5bd1c
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/86ae3f48-101d-49ac-b0a1-42bc2e1b808b
Result
Threat name:
Stealc v2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1743075
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Early bird code injection technique detected
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Stealc v2
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1743075 Sample: kilka.exe Startdate: 24/07/2025 Architecture: WINDOWS Score: 100 29 Found malware configuration 2->29 31 Antivirus / Scanner detection for submitted sample 2->31 33 Multi AV Scanner detection for submitted file 2->33 35 4 other signatures 2->35 7 kilka.exe 22 2->7         started        11 elevation_service.exe 2->11         started        process3 dnsIp4 27 77.90.153.129, 49717, 49723, 49739 RAPIDNET-DEHaunstetterStr19DE Germany 7->27 37 Early bird code injection technique detected 7->37 39 Found many strings related to Crypto-Wallets (likely being stolen) 7->39 41 Contains functionality to inject code into remote processes 7->41 43 6 other signatures 7->43 13 msedge.exe 7->13         started        15 msedge.exe 7->15         started        17 msedge.exe 7->17         started        19 3 other processes 7->19 signatures5 process6 process7 21 WerFault.exe 16 13->21         started        23 WerFault.exe 1 16 15->23         started        25 WerFault.exe 16 17->25         started       
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) Win 64 Exe x64
Link:
https://app.malva.re/file/e407fe5f509774531702d722e7a8eef7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eb49b3274beafe94b1e4619bfd81f56a0776e9e59706f8de56fdc1b793e5bd1c/
Verdict:
Malicious
Threat:
VHO:Trojan-PSW.Win32.Stealer
Link:
https://tip.neiki.dev/file/eb49b3274beafe94b1e4619bfd81f56a0776e9e59706f8de56fdc1b793e5bd1c
Threat name:
Win64.Trojan.Stealc
Create hunting rule
Status:
Malicious
First seen:
2025-07-11 23:15:00 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
27 of 36 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5ne3gj2l5l7jjmpemgn73apvnidxn2pfs4dprxsw7xa3pe7fxuoa._file
Verdict:
malicious
Label(s):
stealc
Create hunting rule
Similar samples:
451753ecd4346bc3ba642d0f23fc4838196fcf668fe414ec68a958bac48aedf5
Stealc
4c157555fd7e61dbf6609613e387591fd254724415105e0f205ed58fd1b32a79
Stealc
8301936f439f43579cffe98e11e3224051e2fb890ffe9df680bbbd8db0729387
Stealc
bd395f3593a9c3b08e2d61ad6fe8d3bf43238d918ba14178b5b75d045cb0eec1
Stealc
c6c888cfff95804254c631ce0ccd7abde97f0dda9fc0478ae7327db91ef18a67
Stealc
cb90a725fbbc095fc5748744d044f61642a629167a44cf0ee9680e4532c8363e
Stealc
d0476888c7c4a336562ac7132cb5be98ee30e22f9d7b829b971c6e6b4677e54d
Stealc
dca26fecbe9cd681c3e630161797d9db76d32ce42fb825d1f5f9c6029df8c52a
Stealc
eb49b3274beafe94b1e4619bfd81f56a0776e9e59706f8de56fdc1b793e5bd1c
Stealc
error
Stealc
+ 19 additional samples on MalwareBazaar
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:stealc botnet:new001
Link:
https://tria.ge/reports/250723-2wvlwsdm3s/
Malware Config
C2 Extraction:
http://77.90.153.129
Verdict:
Malicious
Tags:
Win.Malware.Marte-10045369-0
YARA:
n/a
Link:
https://app.threat.zone/submission/e32eac26-2f7c-4cfd-b7ac-e0aa453dee28
Unpacked files
SH256 hash:
eb49b3274beafe94b1e4619bfd81f56a0776e9e59706f8de56fdc1b793e5bd1c
MD5 hash:
e407fe5f509774531702d722e7a8eef7
SHA1 hash:
513d1bfb5027430089cdae760591c640408af57c
Link:
https://www.unpac.me/results/02ef96a2-b4c3-4bfd-877e-1e36873a288a/
SH256 hash:
2c4651a093a276841935a5b85856ee323d618a60d02162517c9f828c5e3e686d
MD5 hash:
fc1c04e172f708bcfdcaac1d723703bc
SHA1 hash:
12b2a6fc9e88ceba38c90d3a39e09315f1ab93a7
Link:
https://www.unpac.me/results/02ef96a2-b4c3-4bfd-877e-1e36873a288a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eb49b3274beafe94b1e4619bfd81f56a0776e9e59706f8de56fdc1b793e5bd1c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:aachum_Stealcv2
Create hunting rule
Author:aachum
Description:Detects new version of Stealc.
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Heuristics_ChromeABE
Create hunting rule
Author:Still
Description:attempts to match instructions related to Chrome App-bound Encryption elevation service; possibly spotted amongst infostealers
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:StealcV2
Create hunting rule
Author:Still
Description:attempts to match the instructions found in StealcV2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

zip d5e71862d95da35cd0e538e77a66a41afceea92a2965d10eb8d724a72d634355

Stealc

Executable exe dca26fecbe9cd681c3e630161797d9db76d32ce42fb825d1f5f9c6029df8c52a

Stealc

Executable exe eb49b3274beafe94b1e4619bfd81f56a0776e9e59706f8de56fdc1b793e5bd1c

(this sample)

  
Link
https://tria.ge/250723-2q9tmatj15/behavioral2
  
Dropped by
SHA256 dca26fecbe9cd681c3e630161797d9db76d32ce42fb825d1f5f9c6029df8c52a
  
Dropped by
SHA256 d5e71862d95da35cd0e538e77a66a41afceea92a2965d10eb8d724a72d634355
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/16564/
  
Dropped by
MD5 79f603a07cd1312b4386382464924920
  
Dropped by
MD5 5f50ba7bfb8bb086d142e784926c7ecb
  
URLhaus
https://urlhaus.abuse.ch/url/3588863/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW

Comments