MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8367a1a4140a3d17f102622ab1c02b164f7209cd4506e6a7aa974a3304fbc284. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 10

SHA256 hash: 8367a1a4140a3d17f102622ab1c02b164f7209cd4506e6a7aa974a3304fbc284
SHA3-384 hash: b641907baa04d0df6b065d595f502070431ddbda4cbcb0055de99f7d3b39e7ccaa5c42b07b82f37932fc98337542a48d
SHA1 hash: 9878e0f99c2d3f32e218036ac8d96616e4a6f78b
MD5 hash: b9400b41013a078bd3cde67f73c8c6b5
humanhash: stream-winter-xray-yellow
File name: GаIaxis.exe
File size: 84'142'202 bytes
First seen: 2025-11-23 15:07:11 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b2a86e8b314318c5db2758c4f1f28af9 (11 x NodeLoader)
ssdeep: 393216:kWtA6byVDVYPjiAgV2wtvd7oMG5rreiTw/F9+FbVtZBxCf6/xUw4TlytoiTHoJcZ:kPrK9w+R53MlhHdkmNTbvxOtxrBp
TLSH: T1B6087B52A3EA04D5E9F79A3489E65213DA73BC063F3086DF324C176A1F736E08976721
TrID: 40.3% (.EXE) Win64 Executable (generic) (10522/11/4)
      19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
      7.7% (.EXE) OS/2 Executable (generic) (2029/13)
      7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika: pebin
Reporter: burger
Tags: exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 78
Origin country: NL
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: GIaxis.exe
Verdict: Suspicious activity
Analysis date: 2025-11-23 15:06:34 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Verdict: Malicious
Score: 81.4%
Tags: virus
Result
Verdict: Clean
Maliciousness:
Behaviour: Sending a custom TCP request
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: adaptive-context anti-debug anti-vm crypto expand fingerprint lolbin microsoft_visual_cc nexe overlay overlay packed
Result
Verdict: Malicious
File Type: exe x64
First seen: 2025-11-23T07:02:00Z UTC
Last seen: 2025-11-23T07:37:00Z UTC
Hits: ~1000
Detections: Trojan-PSW.Win64.Stealer.sb, Trojan-PSW.Win64.Stealer.apdj
Result
Threat name: n/a
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Unusual module load detection (module proxying)
Uses cmd line tools excessively to alter registry or file data
Uses known network protocols on non-standard ports
Uses whoami command line tool to query computer and username
Uses WMIC command to query system information (often done to detect virtual machines)
Yara detected NexeCompiled Binary
Behaviour
Behavior Graph ID: 1819562; Sample: G#U0430Iaxis.exe; Startdate: 23/11/2025; Architecture: WINDOWS; Score: 100

Sample (node 2)
  Network: mceenzie.sbs; digitalservice365cloud.com
  Signatures: Antivirus detection for URL or domain; Yara detected NexeCompiled Binary; Uses known network protocols on non-standard ports; 7 other signatures
  Started: G#U0430Iaxis.exe (9); cmd.exe (13); whoami.exe (15)

G#U0430Iaxis.exe (9)
  Network: 178.16.52.231, 3000, 49768, 49771, DUSNET-ASDE Germany; digitalservice365cloud.com 104.21.34.35, 443, 49765, 49766, CLOUDFLARENETUS United States; 2 other IPs or domains
  Signatures: Bypasses PowerShell execution policy; Adds a directory exclusion to Windows Defender; Unusual module load detection (module proxying); Uses WMIC command to query system information (often done to detect virtual machines)
  Started: cmd.exe (17); cmd.exe (20); cmd.exe (22); 20 other processes (24)

cmd.exe (13)
  Signatures: Uses whoami command line tool to query computer and username

cmd.exe (17)
  Signatures: Suspicious powershell command line found; Uses cmd line tools excessively to alter registry or file data; Uses whoami command line tool to query computer and username
  Started: conhost.exe (26); tasklist.exe (29)

cmd.exe (20)
  Signatures: Uses WMIC command to query system information (often done to detect virtual machines)
  Started: WMIC.exe (31); conhost.exe (33)

cmd.exe (22)
  Started: powershell.exe (35); conhost.exe (37)

20 other processes (24)
  Signatures: Loading BitLocker PowerShell Module
  Started: net.exe (39); net.exe (41); 32 other processes (43)

WMIC.exe (31)
  Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

powershell.exe (35)
  Signatures: Loading BitLocker PowerShell Module

net.exe (39)
  Started: net1.exe (45)

net.exe (41)
  Started: net1.exe (47)

32 other processes (43)
  Started: net1.exe (49); net1.exe (51)
Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour: Checks processor information in registry
Verdict: Suspicious
Tags: n/a
YARA: n/a
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments