MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 08639bc8b6c960aee98afe17ad18983e374611f38d1e3503c9312dccdce78b22. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 08639bc8b6c960aee98afe17ad18983e374611f38d1e3503c9312dccdce78b22
SHA3-384 hash: 056947d12e687406e77938e468b92ed8b358738a055f3d2bee0379a7587f808b01caf6845c3af77ee286e3b7cc334444
SHA1 hash: 572ac9cca7a871a3f048136fb97112175bba3c1c
MD5 hash: 97cbc7b8ca31e5aa87fed4ebf2be2b2a
humanhash: michigan-network-early-minnesota
File name:Sexi Atros.exe
Download: download sample
File size:415'232 bytes
First seen:2025-07-23 17:46:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 201182a0c0467d929e1920323185a545
ssdeep 6144:fDETFjytNOnpUugmIIE28BU+MaBdH2zwhbOg0NV3BuIjrTV0jmr5a9bWCjng0ITG:f6lqBI+63BuIjrTV0jmr5ujn
TLSH T1F0948D86F1A440E9D06BA07891ABB70BE575345907104ACF73E499683FF23E07AFB751
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter burger
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
26
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SexiAtros.exe
Verdict:
Malicious activity
Analysis date:
2025-07-23 17:46:22 UTC
Tags:
loader
Link:
https://app.any.run/tasks/9fd3b697-1d95-4728-ad2a-c1464ba5b7b3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/16540/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68811fee84b37dd61ef11a75
Tags:
ransomware phishing xtreme shell
Result
Verdict:
Clean
Maliciousness:

Behaviour
Running batch commands
Restart of the analyzed sample
Launching a process
Сreating synchronization primitives
Searching for synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd fingerprint keylogger lolbin microsoft_visual_cc obfuscated
Link:
https://www.filescan.io/uploads/68811ff07bc45bdee1b69660/reports/eaf38351-10c8-4960-94d0-5a64b150fbea/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/08639bc8b6c960aee98afe17ad18983e374611f38d1e3503c9312dccdce78b22
Malware family:
Khalesi
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/32ac0a8d-91e4-4885-b876-2f5fc093234d
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1742941
Signature
Antivirus detection for dropped file
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Suspicious powershell command line found
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1742941 Sample: Sexi Atros.exe Startdate: 23/07/2025 Architecture: WINDOWS Score: 84 45 frozi.cc 2->45 53 Multi AV Scanner detection for submitted file 2->53 55 Sigma detected: Invoke-Obfuscation CLIP+ Launcher 2->55 57 Joe Sandbox ML detected suspicious sample 2->57 59 Sigma detected: Invoke-Obfuscation VAR+ Launcher 2->59 11 Sexi Atros.exe 1 2->11         started        signatures3 process4 process5 13 cmd.exe 1 11->13         started        16 Sexi Atros.exe 1 11->16         started        18 conhost.exe 11->18         started        signatures6 67 Suspicious powershell command line found 13->67 20 cmd.exe 1 13->20         started        23 cmd.exe 1 16->23         started        process7 signatures8 61 Suspicious powershell command line found 20->61 25 powershell.exe 14 19 20->25         started        29 conhost.exe 20->29         started        31 cmd.exe 23->31         started        process9 file10 43 C:\Users\user\AppData\Roaming\BK755562.exe, PE32+ 25->43 dropped 63 Powershell drops PE file 25->63 33 BK755562.exe 25->33         started        65 Suspicious powershell command line found 31->65 36 powershell.exe 31->36         started        39 conhost.exe 31->39         started        signatures11 process12 dnsIp13 49 Antivirus detection for dropped file 33->49 51 Multi AV Scanner detection for dropped file 33->51 41 WerFault.exe 19 16 33->41         started        47 frozi.cc 104.21.16.212, 443, 49687, 49688 CLOUDFLARENETUS United States 36->47 signatures14 process15
Verdict:
inconclusive
YARA:
3 match(es)
Tags:
Executable PDB Path PE (Portable Executable) Win 64 Exe x64
Link:
https://app.malva.re/file/97cbc7b8ca31e5aa87fed4ebf2be2b2a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/08639bc8b6c960aee98afe17ad18983e374611f38d1e3503c9312dccdce78b22/
Verdict:
Malicious
Threat:
Trojan-PSW.Win32.Coins
Link:
https://tip.neiki.dev/file/08639bc8b6c960aee98afe17ad18983e374611f38d1e3503c9312dccdce78b22
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-07-23 17:46:23 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bbrzxsfwzfqk52mk7yl22geyhy3umeptrupdka6jgew4zxhhrmra._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Link:
https://tria.ge/reports/250723-wcg9kazqw2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Executes dropped EXE
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/04a88612-84e3-4795-8aa1-37ab20bdd062
Unpacked files
SH256 hash:
08639bc8b6c960aee98afe17ad18983e374611f38d1e3503c9312dccdce78b22
MD5 hash:
97cbc7b8ca31e5aa87fed4ebf2be2b2a
SHA1 hash:
572ac9cca7a871a3f048136fb97112175bba3c1c
Link:
https://www.unpac.me/results/331602b2-154b-45c9-b62b-3281d0bdfe97/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/08639bc8b6c960aee98afe17ad18983e374611f38d1e3503c9312dccdce78b22

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Executable exe 08639bc8b6c960aee98afe17ad18983e374611f38d1e3503c9312dccdce78b22

(this sample)

Executable exe eaf427092f4af72f583dad5fb56f43406dac9f9ba1a0f8324da83c504f19c652

Cape
Cape
https://www.capesandbox.com/analysis/16540/
  
Dropping
SHA256 eaf427092f4af72f583dad5fb56f43406dac9f9ba1a0f8324da83c504f19c652
  
Dropping
MD5 8e157d250768392d7e8594574620b105

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::FreeSid
ADVAPI32.dll::RevertToSelf
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::CheckTokenMembership
ADVAPI32.dll::DuplicateTokenEx
ADVAPI32.dll::GetTokenInformation
ADVAPI32.dll::PrivilegeCheck
ADVAPI32.dll::SetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsADVAPI32.dll::CreateProcessAsUserW
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
ADVAPI32.dll::SetThreadToken
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::SetConsoleTextAttribute
KERNEL32.dll::SetConsoleTitleA
KERNEL32.dll::GetConsoleWindow
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
KERNEL32.dll::FindFirstFileW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::EmptyClipboard
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW

Comments