MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f10d404c81ab884341c8c2dc49a8b49370bea9dc601ecd0b9f970a6d635e5da1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Stealc


Vendor detections: 18

SHA256 hash: f10d404c81ab884341c8c2dc49a8b49370bea9dc601ecd0b9f970a6d635e5da1
SHA3-384 hash: 332e0ac099e0e2b8296d3a50b3a678c598da01e131bf680df6549b340d2e7644cb1f42759a991f36fcedebf42e183bb0
SHA1 hash: 1dc5beb369f0af15c1fbf792060ae782d5b7c14c
MD5 hash: cb7d153e0b6288be03b05d92c9636b04
humanhash: bakerloo-fruit-alaska-pennsylvania
File name: Tse2E3k.exe
Signature: Stealc
File size: 1'228'800 bytes
First seen: 2025-08-30 14:52:04 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 82c087080422decfaeb58e6a93d707b4 (2 x LummaStealer, 1 x Rhadamanthys, 1 x PureLogsStealer)
ssdeep: 24576:igHo19TDgiST8sj8PCVLz0iCUIxLtvuwIXmjMRxG:igKkT8o0lWwqmn
Threatray: 352 similar samples on MalwareBazaar
TLSH: T1E545E035904262DAF1A680B35A455680F563B83747392FEF42F4E7751E0AEE80F3E716
TrID: 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
      12.2% (.EXE) OS/2 Executable (generic) (2029/13)
      12.0% (.EXE) Generic Win/DOS Executable (2002/3)
      12.0% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: abuse_ch
Tags: exe Stealc

Intelligence


File Origin
# of uploads: 1
# of downloads: 69
Origin country: SE
Vendor Threat Intelligence

Malware family: redline
ID: 1
File name: a29635bd603e1997148880259df5c2a7f2aaf14cd41e44a3bb0624390bf4cc5d.bin.exe
Verdict: Malicious activity
Analysis date: 2025-08-29 22:37:59 UTC
Tags: lumma stealer themida auto redline amadey botnet loader telegram gcleaner rdp autoit evasion phishing stealc websocket auto-reg

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 94.1%
Tags: virus
Result
Verdict: Clean

Maliciousness:
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: fingerprint krypt microsoft_visual_cc obfuscated packed packed packer_detected

Verdict: Malicious
File Type: exe x64
First seen: 2025-08-29T10:27:00Z UTC
Last seen: 2025-08-29T10:27:00Z UTC
Hits: ~100
Detections: Trojan-PSW.Lumma.HTTP.C&C PDM:Trojan.Win32.Generic Trojan-PSW.Win32.Lumma.vgp

Result
Threat name: Stealc v2, Xmrig
Detection: malicious
Classification: troj.adwa.spyw.evad.mine
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
DNS related to crypt mining pools
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sample uses string decryption to hide its real strings
Sigma detected: Disable power options
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Stop EventLog
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
Yara detected Stealc v2
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph ID: 1768171 (sample: Tse2E3k.exe, start date: 30/08/2025, architecture: WINDOWS, score: 100); the graph image is not reproduced in text form here.
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Threat name: Win64.Trojan.Amadey
Status: Malicious
First seen: 2025-08-29 15:34:34 UTC
File Type: PE+ (Exe)
AV detection: 22 of 24 (91.67%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:stealc botnet:logsdillercloud discovery stealer
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Stealc
Stealc family
Malware Config
C2 Extraction: http://trainisshit.shop

Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: f10d404c81ab884341c8c2dc49a8b49370bea9dc601ecd0b9f970a6d635e5da1
MD5 hash: cb7d153e0b6288be03b05d92c9636b04
SHA1 hash: 1dc5beb369f0af15c1fbf792060ae782d5b7c14c
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Check_Debugger
Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__RemoteAPI
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: pe_detect_tls_callbacks
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Stealc
Executable exe f10d404c81ab884341c8c2dc49a8b49370bea9dc601ecd0b9f970a6d635e5da1 (this sample)

Delivery method: Distributed via web download

Comments