MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e81a10955625aa89a20e04d88b83ff4ac03340bae44f4be0968020881965575. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 15

SHA256 hash: 5e81a10955625aa89a20e04d88b83ff4ac03340bae44f4be0968020881965575
SHA3-384 hash: 0514f9c58b2098870c96e1baa05d4ade14f92bf4122a44d46ae82cf5bfa8fa124c1e2392404accd8cec480be510be501
SHA1 hash: 6aa3a6b721d8e88102b64e7ba0c55aeead410afd
MD5 hash: fa3091f6ee478cd2f659b79aea0156d0
humanhash: potato-vermont-december-helium
File name: Retrac Unban.exe
Download: download sample
File size: 698'880 bytes
First seen: 2025-07-26 19:42:37 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 822bd1c807307818bbe667d5c8349f03
ssdeep: 12288:SoyR9HGSoBtn+qon6TX2O9yf4Xye0yqz8HuOwIZOA9T5u2Gskz+Dcr:SoyR9HGSoBtnjonEGO9yAXx0yqzVaLTx
TLSH: T161E47C52A3A410EDD1B7C139C5528613FBB2B8591364E7DF07A08A761F23BE5AE3B710
TrID: 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
      23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      9.3% (.EXE) OS/2 Executable (generic) (2029/13)
      9.2% (.EXE) Generic Win/DOS Executable (2002/3)
      9.2% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: burger
Tags: exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 20
Origin country: NL
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: Retrac Unban.exe
Verdict: No threats detected
Analysis date: 2025-07-18 12:34:34 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 94.9%
Tags: dropper virus smtp

Result
Verdict: Malware
Maliciousness:
Behaviour
Sending a custom TCP request

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug base64 crypto fingerprint krypt microsoft_visual_cc zusy

Result
Threat name: n/a
Detection: malicious
Classification: n/a
Score: 48 / 100
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph: ID 1744761; sample: Retrac Unban.exe; start date: 26/07/2025; architecture: WINDOWS; score: 48; signature: Multi AV Scanner detection for submitted file; process tree: Retrac Unban.exe -> conhost.exe

Verdict: inconclusive
YARA: 3 match(es)
Tags: Executable PDB Path PE (Portable Executable) Win 64 Exe x64

Verdict: Malicious
Threat: PDM:HackTool.Win32.kdmapper

Threat name: Win64.Trojan.DriverLoader
Status: Malicious
First seen: 2025-04-16 00:19:57 UTC
File Type: PE+ (Exe)
Extracted files: 3
AV detection: 16 of 35 (45.71%)
Threat level: 5/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a

Verdict: Malicious
Tags: Win.Tool.Zusy-10033075-0
YARA: n/a

Unpacked files
SHA256 hash: 5e81a10955625aa89a20e04d88b83ff4ac03340bae44f4be0968020881965575
MD5 hash: fa3091f6ee478cd2f659b79aea0156d0
SHA1 hash: 6aa3a6b721d8e88102b64e7ba0c55aeead410afd
SHA256 hash: 4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b
MD5 hash: 1898ceda3247213c084f43637ef163b3
SHA1 hash: d04e5db5b6c848a29732bfd52029001f23c3da75
Detections: PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4429

Parent samples:
SHA256 hash: 75147300706224e51fb4a8ca6d3d13b9aee93c25455df1aba52dd3d40b50d21d
MD5 hash: 2cbc1f1d23905a8392cec4ce06067abc
SHA1 hash: 34380552396a1db861ac1d00c7aadc21f72b37c2

Please note that we are no longer able to provide a coverage score for VirusTotal.
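The entry above lists SHA256 hashes for the submitted sample, the unpacked file flagged as a vulnerable Intel driver, and the parent sample. The script below, added here as an example and not part of MalwareBazaar's or any vendor's tooling, sweeps a directory tree for files whose SHA256 matches any of those IOCs, hashing in chunks so large files never have to fit in memory and skipping files it cannot read rather than aborting. The IOC set is copied from this entry; the `demo()` helper, its temporary directory and its planted file are constructed for demonstration only.

```python
import hashlib
import os
import tempfile

# SHA256 IOCs copied from this MalwareBazaar entry.
ENTRY_IOCS = {
    "5e81a10955625aa89a20e04d88b83ff4ac03340bae44f4be0968020881965575":
        "Retrac Unban.exe (submitted sample)",
    "4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b":
        "unpacked file, PUA_VULN_Driver_Intelcorporation_Iqvwsys",
    "75147300706224e51fb4a8ca6d3d13b9aee93c25455df1aba52dd3d40b50d21d":
        "parent sample",
}


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA256 so files of any size hash in constant memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, iocs=ENTRY_IOCS):
    """Walk `root` and return [(path, sha256, label)] for every file whose hash is in `iocs`.

    Locked or unreadable files are skipped so one bad file does not stop the sweep.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue
            if digest in iocs:
                hits.append((path, digest, iocs[digest]))
    return hits


def demo():
    """Constructed demonstration: a temp tree with one planted file and one benign file,
    swept against the entry IOCs plus the planted file's own hash. Returns the hit list."""
    planted = b"constructed stand-in for a dropped file; not real malware\n"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "drivers"))
        with open(os.path.join(root, "drivers", "planted.sys"), "wb") as f:
            f.write(planted)
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"benign\n")
        iocs = dict(ENTRY_IOCS)
        iocs[hashlib.sha256(planted).hexdigest()] = "constructed test file"
        return sweep(root, iocs)


if __name__ == "__main__":
    for path, digest, label in demo():
        print(f"{digest}  {path}  [{label}]")
```

On a real host, point `sweep()` at the directories a driver loader would touch (the drivers directory, temp paths, the download location) and feed it the hashes from this entry; a hash match is exact, so a recompiled or patched dropper will not hit and needs the YARA or behavioural signals above instead.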

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: pe_detect_tls_callbacks
Rule name: RANSOMWARE
Author: ToroGuitar
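The DetectEncryptedVariants rule above looks for one keyword in ASCII, UTF-16, base64 and hex form. The part that is easy to get wrong is base64: a keyword encodes to a different string depending on where it starts within a 3-byte group, so a rule needs all three alignments, with the boundary characters that share bits with unknown neighbouring bytes trimmed off. The Python below, added here as an example and not the rule author's code, derives those variants and emits a YARA rule in the same spirit; `covers()` is a self-check that the variants really do match the keyword wherever it sits. Recent YARA versions' `base64` string modifier does the same alignment work for you; this shows what it generates. Rule and string names are chosen for the example.

```python
import base64
import binascii


def base64_alignments(word: bytes):
    """Return the three base64 substrings of `word` that are stable at each offset mod 3.

    Base64 maps 3 bytes to 4 characters. With k unknown bytes in front of the word,
    the first (0, 2, 3)[k] characters mix in bits of those bytes and are dropped; at the
    tail, only characters built entirely from the word's own bytes are kept.
    """
    if len(word) < 2:
        raise ValueError("keyword too short to survive alignment trimming")
    variants = []
    for k in range(3):
        padded = b"\x00" * k + word           # k unknown bytes precede the word
        enc = base64.b64encode(padded).decode()
        n = len(padded)
        start = (0, 2, 3)[k]                  # chars depending on the unknown prefix
        end = 4 * (n // 3) + (n % 3)          # last char built only from the word
        variants.append(enc[start:end])
    return variants


def covers(word: bytes, prefix: bytes, suffix: bytes = b"") -> bool:
    """Self-check: one of the variants must appear in base64(prefix + word + suffix)."""
    enc = base64.b64encode(prefix + word + suffix).decode()
    return any(v in enc for v in base64_alignments(word))


def encoded_variants(word: str):
    """ASCII, UTF-16LE (what YARA's `wide` matches), the three base64 alignments, and hex."""
    raw = word.encode()
    return {
        "ascii": raw,
        "wide": word.encode("utf-16-le"),
        "base64": base64_alignments(raw),
        "hex": binascii.hexlify(raw).decode(),
    }


def yara_rule(name: str, word: str) -> str:
    """Emit a YARA rule matching `word` in plain, wide, base64 (all alignments) and hex form."""
    v = encoded_variants(word)
    lines = [f"rule {name}", "{", "    strings:",
             f'        $plain = "{word}" ascii wide nocase']
    for i, b64 in enumerate(v["base64"]):
        lines.append(f'        $b64_{i} = "{b64}"')       # base64 is case-sensitive: no nocase
    lines.append(f'        $hex = "{v["hex"]}" nocase')
    lines += ["    condition:", "        any of them", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(yara_rule("Detect_encrypted_variants", "encrypted"))
```

The hex string only covers the hex of the lowercase keyword; if mixed-case spellings matter, add their hex forms too, since `nocase` on the hex literal only relaxes the case of the hex digits, not of the underlying bytes.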

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                         Title                                                     Severity
CHECK_AUTHENTICODE         Missing Authenticode                                      high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (GUARD_CF)           high
CHECK_TRUST_INFO           Requires Elevated Execution (level:requireAdministrator)  high

Reviews
ID                 Capabilities                           Evidence
KERNEL_API         Manipulates Windows Kernel & Drivers   ntdll.dll::RtlInitUnicodeString
WIN32_PROCESS_API  Can Create Process and Threads         KERNEL32.dll::CloseHandle
WIN_BASE_API       Uses Win Base API                      KERNEL32.dll::TerminateProcess
                                                          ntdll.dll::NtQuerySystemInformation
                                                          KERNEL32.dll::LoadLibraryA
WIN_BASE_EXEC_API  Can Execute other programs             KERNEL32.dll::SetConsoleTextAttribute
                                                          KERNEL32.dll::SetConsoleTitleA
WIN_BASE_IO_API    Can Create Files                       KERNEL32.dll::CreateFileW
                                                          KERNEL32.dll::CreateFileA
                                                          KERNEL32.dll::MoveFileExW
                                                          KERNEL32.dll::MoveFileExA
                                                          KERNEL32.dll::GetSystemDirectoryA
                                                          KERNEL32.dll::FindFirstFileW
WIN_CRYPT_API      Uses Windows Crypt API                 CRYPT32.dll::CertAddCertificateContextToStore
                                                          CRYPT32.dll::CertCreateCertificateChainEngine
                                                          CRYPT32.dll::CertEnumCertificatesInStore
                                                          CRYPT32.dll::CertFindCertificateInStore
                                                          CRYPT32.dll::CertFindExtension
                                                          CRYPT32.dll::CertFreeCertificateChainEngine
                                                          CRYPT32.dll::CertFreeCertificateChain
WIN_REG_API        Can Manipulate Windows Registry        ADVAPI32.dll::RegCreateKeyW
                                                          ADVAPI32.dll::RegOpenKeyExA
                                                          ADVAPI32.dll::RegOpenKeyW
                                                          ADVAPI32.dll::RegSetKeyValueW
                                                          ADVAPI32.dll::RegDeleteTreeA
                                                          ADVAPI32.dll::RegDeleteTreeW
WIN_SOCK_API       Uses Network to send and receive data  WS2_32.dll::freeaddrinfo
                                                          WS2_32.dll::getaddrinfo
                                                          WS2_32.dll::WSACloseEvent
                                                          WS2_32.dll::WSACreateEvent
                                                          WS2_32.dll::WSAEnumNetworkEvents
                                                          WS2_32.dll::WSAEventSelect
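All three BLint findings above can be read straight from the PE headers and the embedded manifest. The Python below, added here as an example and not BLint's own code, reproduces those checks with the standard library only: it reads DllCharacteristics from the optional header (the GUARD_CF bit, at the same offset for PE32 and PE32+), inspects the certificate-table data directory (index 4) to tell whether any Authenticode signature is attached at all, and searches the raw file for the manifest's requestedExecutionLevel instead of walking the resource tree. The `build_test_pe` helper is an assumption: it constructs header-only PE32+ images so the checks can be exercised offline, and the `signed` result only says a certificate table is present, not that the signature verifies.

```python
import re
import struct

# PE constants from the Microsoft PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000
IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # Authenticode certificate table
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def _optional_header_layout(magic):
    """(NumberOfRvaAndSizes offset, DataDirectory offset) relative to the optional header."""
    if magic == PE32PLUS_MAGIC:
        return 108, 112
    if magic == PE32_MAGIC:
        return 92, 96
    raise ValueError(f"unknown optional header magic {magic:#x}")


def lint_pe(data: bytes) -> dict:
    """Triage checks mirroring the three BLint finding IDs shown on this page."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                              # skip signature and COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    nrva_off, dirs_off = _optional_header_layout(magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    nrva = struct.unpack_from("<I", data, opt + nrva_off)[0]
    sec_off = sec_size = 0
    if nrva > IMAGE_DIRECTORY_ENTRY_SECURITY:
        sec_off, sec_size = struct.unpack_from(
            "<II", data, opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    # Manifests live as plain XML in .rsrc, so a regex over the raw file is a triage
    # shortcut (assumption: the manifest is not compressed or obfuscated).
    m = re.search(rb'requestedExecutionLevel\s+level="([^"]+)"', data)
    level = m.group(1).decode() if m else None

    findings = []
    if sec_off == 0 or sec_size == 0:
        findings.append("CHECK_AUTHENTICODE")            # no certificate table at all
    if not dll_chars & IMAGE_DLLCHARACTERISTICS_GUARD_CF:
        findings.append("CHECK_DLL_CHARACTERISTICS")
    if level == "requireAdministrator":
        findings.append("CHECK_TRUST_INFO")
    return {"dll_characteristics": dll_chars, "signed": sec_size > 0,
            "execution_level": level, "findings": findings}


def build_test_pe(dll_chars: int, signed: bool, level=None) -> bytes:
    """Constructed header-only PE32+ image for testing; it is not a runnable program."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew
    opt = bytearray(112 + 16 * 8)                        # PE32+ optional header + 16 data dirs
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<H", opt, 68, 3)                   # Subsystem: Windows console
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 108, 16)                 # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x0022)
    body = bytearray()
    if level:
        body += (f'<assembly><trustInfo><security><requestedPrivileges>'
                 f'<requestedExecutionLevel level="{level}" uiAccess="false"/>'
                 f'</requestedPrivileges></security></trustInfo></assembly>').encode()
    if signed:
        cert = struct.pack("<IHH", 16, 0x0200, 0x0002) + b"\0" * 8   # WIN_CERTIFICATE + dummy blob
        cert_off = len(dos) + 4 + len(coff) + len(opt) + len(body)
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, len(cert))
        body += cert
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(body)


if __name__ == "__main__":
    import sys
    data = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
            else build_test_pe(0x8160, False, "requireAdministrator"))
    for key, value in lint_pe(data).items():
        print(f"{key}: {value}")
```

Run it against a real binary with the file path as the only argument; with no argument it lints a constructed image that reproduces all three findings from this entry. Treat a present certificate table as a prompt to verify the signature with the platform tooling, not as proof of signing.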

Comments