ThreatFox IOC Database

You are viewing the ThreatFox database entry for sha256_hash 251037ceebfbacd419b663ebcf0e01ec80a2c46dbfc85f66492c8585b481fb8c.

Database Entry

IOC ID:	1796617
IOC:	251037ceebfbacd419b663ebcf0e01ec80a2c46dbfc85f66492c8585b481fb8c
IOC Type :	sha256_hash
Threat Type :	payload
Malware:	Stealc
Confidence Level :	Confidence level is high (100%)
Is compromised? :	False
First seen:	2026-04-23 14:00:52 UTC
Last seen:	never
UUID:	68fc6115-3f19-11f1-8759-42010aa4000a
Reporter	o_zehentleitner
Reward	5 credits from ThreatFox
Tags:	github-typosquatting nailproxy Stealc unicorn-binance-websocket-api
Reference:	https://blog.technopathy.club/nailproxy-space-github-malware-campaign

o_zehentleitner

Custom loader deployed by the nailproxy.space campaign. Masqueraded as sysconf.exe 'Microsoft Windows Management Service' (unsigned, fake version 10.0.22606.1487). MSVC 2019 build 30148, 11.1 MB, FNV-API-hashing + embedded VM. Drops StealC DLL (c27590c7…) and executes via rundll32 ,#3.