MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48a22412511f65753900b5d94831b132eb30f20620aa5f1abb3f64aa44b23b20. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 5



SHA256 hash: 48a22412511f65753900b5d94831b132eb30f20620aa5f1abb3f64aa44b23b20
SHA3-384 hash: 781fd682d64184ffa133b9aad9f4ce5105eb1e33acd5f3763695020cfd44ca9473c9984d4ed5b2bb90f9522dde365257
SHA1 hash: 62d312d9752a0cdcf8685a867ac3e5f9c384cfff
MD5 hash: 2da19cc165b736e3955a9a4287aeefb1
humanhash: mango-pip-timing-oregon
File name: LootRush1.0.1.zip
File size: 89'204'927 bytes
First seen: 2025-09-22 06:02:15 UTC
Last seen: Never
File type: zip
MIME type: application/zip
Note: This file is a password-protected archive. The password is: infected
ssdeep: 1572864:DW001jrwKkybSTpIAkCjobGmIaNS415nld4DEo3ELImZf/oV0HBDwakjjPFBf6Y1:DWb+KA1IBuobHpSildqfULIm6V0HB8aM
TLSH: T1AE183335B068A66C5F502400B80D7FDE5EB24A0E1FC06DA3FDA684B5DDB11AB1F1D36A
Magika: zip
Reporter: DodgeThisSec
Tags: discord exe jar LootRush stealer zip


shotgunner101
User encountered this sample being sent via potentially compromised Discord accounts targeting VTubers.

Upon review of sandbox reports as well as local VM behavior in my testing, it does appear that the file, post-execution, adds exceptions to Defender, downloads files from GitHub and gofile, and calls out to Discord. It also sets scheduled tasks, kills running browsers then re-executes the browsers, followed by showing signs of information-stealing behavior (reading a multitude of browsers' local databases, etc.). Hidden PowerShell and system commands are also executed, and a large volume of information is queried regarding context for the device that this is being executed on.

Intelligence


File Origin
# of uploads: 1
# of downloads: 268
Origin country: US
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name: LootRush1.0.1.exe
File size: 89'221'285 bytes
SHA256 hash: 1018ea2c424b9e706aa7aca835102856e2f3011b519aed2bfc4b4ddda6b34943
MD5 hash: d6bc2bd51f1ed188e1520963e262d1a2
MIME type: application/x-dosexec
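Before doing anything with the download, a practitioner confirms that the archive on disk is the one this entry describes and that the file inside matches the File Archive Information above. The Python script below is an added example, not MalwareBazaar's own tooling: it hashes the archive with the algorithms the entry lists (SHA256, SHA3-384, SHA1, MD5), opens it with the site's standard password `infected`, hashes each member in memory without writing it to disk, and compares everything against the values from this page. The `verify_sample` function, its report layout and the `build_test_archive` helper (which builds a small unencrypted zip from constructed bytes so the script can be exercised offline) are this example's own constructs.

```python
"""Integrity check for a MalwareBazaar sample archive.

Added example: verifies that a downloaded archive matches the hashes listed
in the database entry, opens it with the site's standard password and hashes
the member file(s) in memory so they can be compared against the File
Archive Information block. Nothing is extracted to disk or executed.
"""
import hashlib
import io
import sys
import zipfile

# Values copied from the MalwareBazaar entry above.
ARCHIVE_PASSWORD = b"infected"
EXPECTED_ARCHIVE = {
    "sha256": "48a22412511f65753900b5d94831b132eb30f20620aa5f1abb3f64aa44b23b20",
    "sha3_384": "781fd682d64184ffa133b9aad9f4ce5105eb1e33acd5f3763695020cfd44ca9473c9984d4ed5b2bb90f9522dde365257",
    "sha1": "62d312d9752a0cdcf8685a867ac3e5f9c384cfff",
    "md5": "2da19cc165b736e3955a9a4287aeefb1",
}
EXPECTED_INNER = {
    "LootRush1.0.1.exe": {
        "sha256": "1018ea2c424b9e706aa7aca835102856e2f3011b519aed2bfc4b4ddda6b34943",
        "md5": "d6bc2bd51f1ed188e1520963e262d1a2",
    },
}


def digests(data: bytes) -> dict:
    """Hex digests for the algorithms the entry lists (keys match EXPECTED_*)."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def verify_sample(archive_bytes: bytes, expected_archive: dict,
                  expected_inner: dict, password: bytes = ARCHIVE_PASSWORD) -> dict:
    """Compare the archive and every member against the expected hashes.

    The report's 'ok' flag is True only if all listed archive hashes match,
    every expected member is present with matching hashes, and the archive
    holds no member the entry does not list (an extra file would mean this
    is not the archive the entry describes).
    """
    report = {"archive": {}, "members": {}, "unexpected": [], "missing": [], "ok": True}
    actual = digests(archive_bytes)
    for algo, want in expected_archive.items():
        match = actual[algo] == want.lower()
        report["archive"][algo] = match
        report["ok"] = report["ok"] and match

    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Read the member into memory only to hash it; member names may
            # contain path traversal, so never hand them to extractall().
            with zf.open(info, pwd=password) as fh:
                member = digests(fh.read())
            want = expected_inner.get(info.filename)
            if want is None:
                report["unexpected"].append(info.filename)
                report["ok"] = False
                continue
            matches = {algo: member[algo] == value.lower() for algo, value in want.items()}
            report["members"][info.filename] = matches
            report["ok"] = report["ok"] and all(matches.values())
    report["missing"] = sorted(set(expected_inner) - set(report["members"]))
    if report["missing"]:
        report["ok"] = False
    return report


def build_test_archive(members: dict) -> bytes:
    """Build an unencrypted zip in memory from {name: bytes}.

    Constructed data for offline testing only; the real download is
    password-protected, and zipfile ignores pwd for unencrypted members.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: verify_sample.py <downloaded archive>")
    with open(sys.argv[1], "rb") as f:
        result = verify_sample(f.read(), EXPECTED_ARCHIVE, EXPECTED_INNER)
    print(result)
    sys.exit(0 if result["ok"] else 1)
```

Run it as `python verify_sample.py LootRush1.0.1.zip` against the real download. Python's `zipfile` only decrypts the legacy ZipCrypto scheme; if an archive uses AES the `open` call raises an error and the hashing step has to be done with a tool such as 7-Zip instead. Keep the sample inside the archive until it is on an isolated analysis host: the check above deliberately never writes the member to disk.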
Vendor Threat Intelligence
Verdict: Malicious
Score: 92.5%
Tags: autorun shell sage blic

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug blackhole fingerprint installer microsoft_visual_cc nsis overlay packed
Result
Malware family: n/a
Score: 8/10
Tags: defense_evasion discovery execution persistence spyware stealer
Behaviour:
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Enumerates processes with tasklist
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.
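Taken one at a time, the behaviours listed above are common on a healthy Windows host (administrators create scheduled tasks and kill processes too); what makes this sample stand out is several of them issued in quick succession from one process tree. The Python script below is an added example of how a detection engineer might express that on process-creation telemetry; it is not code from any vendor on this page. It takes events with the fields Sysmon Event ID 1 or Windows event 4688 provide (pid, parent pid, image, command line), matches command lines against rules for the sandbox-listed behaviours (taskkill, tasklist, scheduled-task creation, PowerShell) plus the Defender exclusion the uploader reports, attributes each hit to the root of its process tree, and reports trees with at least three distinct techniques. The rule names, the regexes, the threshold and the `SAMPLE_EVENTS` list (constructed to mirror the description, not real telemetry from this sample) are all this example's assumptions.

```python
"""Process-creation triage for the behaviour chain listed above.

Added example: scores each process tree by how many of the sandbox-listed
behaviours (taskkill, tasklist, scheduled-task creation, PowerShell) and the
uploader-reported Defender exclusion it exhibits, using only the fields that
Sysmon Event ID 1 / Windows event 4688 provide.
"""
import re
from collections import defaultdict

BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe")

# (rule name, regex over the lower-cased command line). Hypothetical rules
# written for this example; tune them to your own telemetry before deploying.
RULES = [
    ("taskkill_browser",
     re.compile(r"taskkill\b.*/im\s+(" + "|".join(map(re.escape, BROWSERS)) + r")")),
    ("process_enum_tasklist", re.compile(r"(^|\\|\s)tasklist(\.exe)?\b")),
    ("scheduled_task_create", re.compile(r"schtasks(\.exe)?\b.*/create\b")),
    ("powershell_hidden_or_encoded",
     re.compile(r"powershell(\.exe)?\b.*(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s+[a-z0-9+/=]{20,})")),
    # Reported by the uploader rather than the sandbox: Defender exclusions.
    ("defender_exclusion",
     re.compile(r"set-mppreference\b.*-exclusion(path|process|extension)")),
]

# Constructed events shaped like the description above; not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4000, "ppid": 1200, "image": r"C:\Users\v\Downloads\LootRush1.0.1.exe",
     "cmdline": r'"C:\Users\v\Downloads\LootRush1.0.1.exe"'},
    {"pid": 4010, "ppid": 4000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c tasklist /fo csv"},
    {"pid": 4020, "ppid": 4000, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": r"taskkill /F /IM chrome.exe"},
    {"pid": 4030, "ppid": 4000, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /Create /SC ONLOGON /TN Updater /TR "C:\ProgramData\upd.exe" /F'},
    {"pid": 4040, "ppid": 4000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -WindowStyle Hidden -Command "Set-MpPreference -ExclusionPath C:\ProgramData"'},
    # Unrelated admin activity in a separate tree: one task creation only.
    {"pid": 5000, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe"},
    {"pid": 5010, "ppid": 5000, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /Create /SC DAILY /TN Backup /TR backup.bat"},
]


def root_of(pid, parents):
    """Walk parent links to the top-most process present in the event set."""
    seen = set()
    while pid in parents and parents[pid] in parents and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
    return pid


def triage(events, min_techniques=3):
    """Return {root_pid: {image, techniques, evidence}} for every process tree
    whose descendants trigger at least `min_techniques` distinct rules."""
    parents = {e["pid"]: e["ppid"] for e in events}
    image_of = {e["pid"]: e["image"] for e in events}
    trees = defaultdict(lambda: {"techniques": set(), "evidence": []})
    for e in events:
        cmd = e["cmdline"].lower()
        hits = [name for name, rx in RULES if rx.search(cmd)]
        if not hits:
            continue
        root = root_of(e["pid"], parents)
        trees[root]["techniques"].update(hits)
        trees[root]["evidence"].extend((e["pid"], name, e["cmdline"]) for name in hits)
    return {
        root: {"image": image_of.get(root), "techniques": sorted(t["techniques"]),
               "evidence": t["evidence"]}
        for root, t in trees.items() if len(t["techniques"]) >= min_techniques
    }


if __name__ == "__main__":
    for root, info in triage(SAMPLE_EVENTS).items():
        print(f"root pid {root} ({info['image']}): {', '.join(info['techniques'])}")
        for pid, name, cmdline in info["evidence"]:
            print(f"  {pid} {name}: {cmdline}")
```

Two caveats from the vendor list itself: the sandbox also reports "Uses Task Scheduler COM API", so tasks registered through COM never produce a `schtasks.exe` command line and the `scheduled_task_create` rule will miss them (pair it with Security event 4698, "A scheduled task was created"); and the browser-database reads it lists are file access, not process creation, so they need file-event telemetry rather than this script.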

File information


The table below shows additional information about this malware sample such as delivery method and external references.

zip 48a22412511f65753900b5d94831b132eb30f20620aa5f1abb3f64aa44b23b20 (this sample)

Comments