MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff99e0fbf4bffe07738630833155fccb0775deb29cf8e0d02a5019362072a9f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



VeilStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 42 File information Comments

SHA256 hash: ff99e0fbf4bffe07738630833155fccb0775deb29cf8e0d02a5019362072a9f5
SHA3-384 hash: 62dff780a9f4157c95b9e24285f9ee1dab49c348dee1e8bc95107aada0f3f67df3b0ba81d1d2661b5cab9d39fe09af4a
SHA1 hash: 178fb80718cd70a96f424df0fc12c5f5d6ccd419
MD5 hash: 71d21e10252a9a685cfa3e9642fa0d14
humanhash: south-beryllium-florida-hawaii
File name:ff99e0fbf4bffe07738630833155fccb0775deb29cf8e0d02a5019362072a9f5
Download: download sample
Signature VeilStealer
File size:13'839'360 bytes
First seen:2026-07-16 13:27:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ed8b780a3ce7ca4aba78a21f6bc3d4e0 (9 x VeilStealer, 4 x OverlordRAT, 2 x RodexRMM)
ssdeep 98304:Z/R1iHF48305rVyyaS55kVkDf+febQFQGlGvjXMvbIEmE:FSl483055sMPifEQFQc1D
TLSH T181D64A87ECA545D9C0EDD135CA269517BB713C996B3023D31B90BA242F37BE0AEB9704
TrID 33.1% (.EXE) Win64 Executable (generic) (6522/11/2)
25.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.4% (.ICL) Windows Icons Library (generic) (2059/9)
10.3% (.EXE) OS/2 Executable (generic) (2029/13)
10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter Threatray
Tags:exe stealer VeilStealer

Intelligence


File Origin
# of uploads :
1
# of downloads :
167
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
99.9%
Tags:
infosteal virus
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
golang stealer
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-06-30T11:07:00Z UTC
Last seen:
2026-07-17T19:40:00Z UTC
Hits:
~100
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Threat name:
Win64.Trojan.Egairtigado
Status:
Malicious
First seen:
2026-06-30 15:47:48 UTC
File Type:
PE+ (Exe)
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
defense_evasion execution spyware stealer trojan
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
ff99e0fbf4bffe07738630833155fccb0775deb29cf8e0d02a5019362072a9f5
MD5 hash:
71d21e10252a9a685cfa3e9642fa0d14
SHA1 hash:
178fb80718cd70a96f424df0fc12c5f5d6ccd419
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:aix
Author:Tim Brown @timb_machine
Description:AIX binary
Rule name:command_and_control
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__QueryInfo
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:DetectGoMethodSignatures
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:Detect_Go_GOMAXPROCS
Author:Obscurity Labs LLC
Description:Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata
Rule name:detect_powershell
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:dsc
Author:Aaron DeVera
Description:Discord domains
Rule name:enterpriseapps2
Author:Tim Brown @timb_machine
Description:Enterprise apps
Rule name:enterpriseunix2
Author:Tim Brown @timb_machine
Description:Enterprise UNIX
Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:GoBinTest
Rule name:golang
Rule name:golang_binary_string
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Golang_Find_CSC846
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:Golang_Find_CSC846_Simple
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:grakate_stealer_nov_2021
Rule name:identity_golang
Author:Eric Yocam
Description:find Golang malware
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:Jupyter_infostealer
Author:CD_R0M_
Description:Rule for Jupyter Infostealer/Solarmarker malware from september 2021-December 2022
Rule name:ldpreload
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:Macos_Infostealer_Wallets_8e469ea0
Author:Elastic Security
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:ProgramLanguage_Golang
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:RANSOMWARE
Author:ToroGuitar
Rule name:RemusStealer_GoPayload
Author:burger
Description:Detects RemusStealer Go-compiled payload
Rule name:RIPEMD160_Constants
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Suspicious_Golang_Binary
Author:Tim Machac
Description:Triage: Golang-compiled binary with suspicious OS/persistence/network strings (not family-specific)
Rule name:Sus_All_Windows_PE_Malware
Author:DiegoAnalytics
Description:Detects Windows PE malware of all types, avoids non-executables like .html
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Author:vietdx.mb
Rule name:ThreadControl__Context
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:unixredflags3
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments