MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ffc66cfdbe4780957925370962a69757cb000b30e7dfa5788f160670364a326. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GenesisStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9ffc66cfdbe4780957925370962a69757cb000b30e7dfa5788f160670364a326
SHA3-384 hash: 1df5be06bcd634a9b3ee3243a9654ea2f8696c058c6cd3275435a30c2aac2c606f2b793f86afea64f2ddc740d5098a6a
SHA1 hash: 8af987afcc244a028f3367940f951fda7cf9f482
MD5 hash: 04ab297572b7888304e7a408259bc8da
humanhash: mars-fish-october-nineteen
File name:RPReplaySextapeleak2025_mymleakfullvid.mp4 Setup 2.1.1.exe
Download: download sample
Signature GenesisStealer
Create hunting rule
File size:81'105'500 bytes
First seen:2025-10-24 16:58:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (525 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 1572864:AX+BWMFDe45kK6hDRVOiw6ANnH7MZJ9HJLJ6fzoXzcA2fy7BlwhPyxQai6qr7pv:AOBFle45YhDRVe6A8HJLwfzoXzc7y7BI
TLSH T1870833053F74CE05E0E6C17E67B363D220A9B39726A5223BC97FCCAA51DCF21391A156
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter burger
Tags:exe GenesisStealer infostealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
144
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RPReplaySextapeleak2025_mymleakfullvid.mp4Setup2.1.1.exe
Verdict:
Malicious activity
Analysis date:
2025-10-24 16:57:55 UTC
Tags:
arch-doc evasion discord stealer generic ims-api nodejs
Link:
https://app.any.run/tasks/9b0f73a6-6c7d-45aa-83ab-07e2ab76929d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68fbb0166c859164aa63fc1f
Tags:
extens shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a window
Searching for the window
Searching for the Windows task manager window
Running batch commands
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Creating a file
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Searching for synchronization primitives
Unauthorized injection to a recently created process
Loading a suspicious library
Moving a file to the %AppData% subdirectory
DNS request
Connection attempt
Possible injection to a system process
Launching a tool to kill processes
Forced shutdown of a browser
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context installer microsoft_visual_cc obfuscated overlay packed packer_detected
Link:
https://www.filescan.io/uploads/68fbb080c85c5c5697351eb0/reports/837b297d-7159-45be-b068-ce866723d469/overview
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/9ffc66cfdbe4780957925370962a69757cb000b30e7dfa5788f160670364a326
Verdict:
Clean
File Type:
exe x32
First seen:
2025-10-24T14:07:00Z UTC
Last seen:
2025-10-24T14:35:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/9ffc66cfdbe4780957925370962a69757cb000b30e7dfa5788f160670364a326/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1801427
Signature
Drops large PE files
Excessive usage of taskkill to terminate processes
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Obfuscated command line found
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive system registry key value via command line tool
Sigma detected: Capture Wi-Fi password
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1801427 Sample: RPReplaySextapeleak2025_mym... Startdate: 24/10/2025 Architecture: WINDOWS Score: 100 58 ip-api.com 2->58 60 github.com 2->60 62 discord.com 2->62 72 Sigma detected: Capture Wi-Fi password 2->72 74 Sigma detected: Invoke-Obfuscation CLIP+ Launcher 2->74 76 Drops large PE files 2->76 78 Sigma detected: Invoke-Obfuscation VAR+ Launcher 2->78 8 RPReplaySextapeleak2025_mymleakfullvid.mp4.exe 12 2->8         started        13 RPReplaySextapeleak2025_mymleakfullvid.mp4 Setup 2.1.1.exe 12 296 2->13         started        signatures3 process4 dnsIp5 64 ip-api.com 208.95.112.1, 49691, 80 TUT-ASUS United States 8->64 66 github.com 140.82.116.4, 443, 49695 GITHUBUS United States 8->66 68 discord.com 162.159.138.232, 443, 49693, 49694 CLOUDFLARENETUS United States 8->68 46 C:\Users\user\AppData\...\cookies.sqlite-shm, data 8->46 dropped 48 C:\Users\user\AppData\Local\...\passwords.db, SQLite 8->48 dropped 82 Suspicious powershell command line found 8->82 84 Obfuscated command line found 8->84 86 Tries to harvest and steal browser information (history, passwords, etc) 8->86 88 2 other signatures 8->88 15 cmd.exe 8->15         started        18 powershell.exe 8->18         started        20 cmd.exe 8->20         started        24 84 other processes 8->24 50 RPReplaySextapelea...leakfullvid.mp4.exe, PE32+ 13->50 dropped 52 C:\Users\user\AppData\Local\...\nsis7z.dll, PE32 13->52 dropped 54 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 13->54 dropped 56 17 other files (none is malicious) 13->56 dropped 22 cmd.exe 1 13->22         started        file6 signatures7 process8 dnsIp9 90 Uses cmd line tools excessively to alter registry or file data 15->90 92 Uses netsh to modify the Windows network and firewall settings 15->92 94 Tries to harvest and steal WLAN passwords 15->94 27 conhost.exe 15->27         started        29 chcp.com 15->29         started        96 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 18->96 98 Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes) 18->98 100 Queries memory information (via WMI often done to detect virtual machines) 18->100 31 conhost.exe 18->31         started        102 Queries sensitive system registry key value via command line tool 20->102 42 2 other processes 20->42 33 conhost.exe 22->33         started        35 tasklist.exe 1 22->35         started        37 find.exe 1 22->37         started        70 chrome.cloudflare-dns.com 172.64.41.3, 443, 49692, 60247 CLOUDFLARENETUS United States 24->70 104 Excessive usage of taskkill to terminate processes 24->104 106 Maps a DLL or memory area into another process 24->106 108 Loading BitLocker PowerShell Module 24->108 39 powershell.exe 24->39         started        44 112 other processes 24->44 signatures10 process11 signatures12 80 Loading BitLocker PowerShell Module 39->80
Score:
23%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/9ffc66cfdbe4780957925370962a69757cb000b30e7dfa5788f160670364a326
Gathering data
Verdict:
Malicious
Threat:
NetworkReferences.Malware.Generic
Link:
https://tip.neiki.dev/file/9ffc66cfdbe4780957925370962a69757cb000b30e7dfa5788f160670364a326
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t76gnt634r4asv4sknyjmktjov6laaftbz67uv4i6fqgoa3eumta._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion discovery execution linux persistence privilege_escalation spyware stealer
Link:
https://tria.ge/reports/251024-vhs3ksas9f/
Behaviour
Checks processor information in registry
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Hide Artifacts: Ignore Process Interrupts
Enumerates processes with tasklist
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c33136da-37fb-43c5-8d68-fc96e51e51ba
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments