MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84287db9b35beb4e7e4eeb2bdd220c5145575e8e247d165c7bfac17070b9b3e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 14


Intelligence 14 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 84287db9b35beb4e7e4eeb2bdd220c5145575e8e247d165c7bfac17070b9b3e2
SHA3-384 hash: 9b5387963ce0017a23c4592a220f2f3c2a3c2eb0bcb105b73063625f80bb962790750d7c0ea262d683728cbf5e7c57f3
SHA1 hash: 70b70a8a61ece829ae3eb9348fdf11ad3309ce8b
MD5 hash: ce6a18a42bbd1e3d01b9f46997dcf978
humanhash: charlie-gee-speaker-oscar
File name:csrss.exe
Download: download sample
File size:86'016 bytes
First seen:2026-04-30 18:06:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'880 x AgentTesla, 19'800 x Formbook, 12'305 x SnakeKeylogger)
ssdeep 1536:pXS1giApyy9H8YCb1KPI+2QJ5x7c3U9SI9i/Snw/:pXegig9HwboPI+245xgU9SIMqnw/
TLSH T159834C18BBF84E15E9BE877D14F242010BB0F4265927E74E0EC51ADD2ABB7A0CD507A7
TrID 53.3% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
22.7% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
4.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win64 Executable (generic) (6522/11/2)
3.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
Reporter Anonymous
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
108
Origin country :
GB GB
Vendor Threat Intelligence
Malware configuration found for:
DetaRAT
Details
Link:
https://research.acce.ciphertechsolutions.com/results/9d31d81d-e605-410e-957b-34be80cad3b0/
Malware family:
n/a
ID:
1
File name:
csrss.exe
Verdict:
Malicious activity
Analysis date:
2026-04-30 18:00:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a283c969-495f-4b0d-846f-79d07b31ec80

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Infinity
Create hunting rule
Link:
https://www.capesandbox.com/analysis/64125/
Detection(s):
Win.Packed.Passwordstealera-6872839-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Сreating synchronization primitives
Creating a window
DNS request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm base64 blackworm cmd evasive fingerprint infinity lolbin rat rat reconnaissance runonce vbnet worm
Link:
https://www.filescan.io/uploads/69f39a5886e92bda70197c94/reports/0fe46fa5-af9a-4a59-ae5c-fb35b64afbfb/overview
Verdict:
Malicious
Labled as:
MSIL.PasswordStealerA.Generic
Link:
https://www.hybrid-analysis.com/sample/84287db9b35beb4e7e4eeb2bdd220c5145575e8e247d165c7bfac17070b9b3e2
Result
Gathering data
Verdict:
Malicious
File Type:
exe x32
Link:
https://opentip.kaspersky.com/84287db9b35beb4e7e4eeb2bdd220c5145575e8e247d165c7bfac17070b9b3e2/results?tab=lookup
Malware family:
Infinity
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/738d3d1d-31ce-4366-94c9-bbe14c27f522
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/84287db9b35beb4e7e4eeb2bdd220c5145575e8e247d165c7bfac17070b9b3e2
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/84287db9b35beb4e7e4eeb2bdd220c5145575e8e247d165c7bfac17070b9b3e2/
Verdict:
Malicious
Threat:
Backdoor.MSIL.Diamond
Link:
https://tip.neiki.dev/file/84287db9b35beb4e7e4eeb2bdd220c5145575e8e247d165c7bfac17070b9b3e2
Threat name:
ByteCode-MSIL.Dropper.Njrat
Create hunting rule
Status:
Malicious
First seen:
2026-04-30 18:07:18 UTC
File Type:
PE (.Net Exe)
AV detection:
28 of 35 (80.00%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qquh3ontlpvu47so5mv52iqmkfcvoxuoer6rmxd37laxa4fzwpra._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/260430-wqd43ags9w/
Behaviour
Suspicious use of SetWindowsHookEx
Drops startup file
Unpacked files
SH256 hash:
84287db9b35beb4e7e4eeb2bdd220c5145575e8e247d165c7bfac17070b9b3e2
MD5 hash:
ce6a18a42bbd1e3d01b9f46997dcf978
SHA1 hash:
70b70a8a61ece829ae3eb9348fdf11ad3309ce8b
Link:
https://www.unpac.me/results/2a4bc74b-9850-4939-8f58-6768ab6497a3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/84287db9b35beb4e7e4eeb2bdd220c5145575e8e247d165c7bfac17070b9b3e2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RAT_Infinity
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>
Description:Detects Infinity RAT
Reference:http://malwareconfig.com/stats/Infinity
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

anyrun
any.run
https://any.run/report/84287db9b35beb4e7e4eeb2bdd220c5145575e8e247d165c7bfac17070b9b3e2/a283c969-495f-4b0d-846f-79d07b31ec80
  
Delivery method
Distributed via e-mail link
Cape
Cape
https://www.capesandbox.com/analysis/64125/

Comments