MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1a9ab1bd8b2d3738c6abfcb2b84820efa405f09915884da57aa421fc42dafdf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ScarfaceStealer
Vendor detections: 11

SHA256 hash: f1a9ab1bd8b2d3738c6abfcb2b84820efa405f09915884da57aa421fc42dafdf
SHA3-384 hash: d4fcd21fa35e6ac0408fd3414bfe788e57e5024b5c5efa00978411cb0254386ccd78cf4bba94429287672fc037d3747b
SHA1 hash: c2cd27f149f8d17891a9901c52da9735be188906
MD5 hash: 3daab85e693f6545ed547b14ef0993a6
humanhash: carpet-pluto-lithium-echo
File name: KIDDIONS MENU.exe
Signature: ScarfaceStealer
File size: 90'254'336 bytes
First seen: 2026-03-19 16:49:41 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9bf3f5698d1c8e5d8bbe8d194ac5d544 (41 x ScarfaceStealer)
ssdeep: 786432:bAZqtFi3zQzwBs6vNtcZY5Dfw3pgPVlcmXW:bAZui3zQz2jOZKft
TLSH: T15F187D03B3A705D5E8F7DA3196E65223A932BC066F3085DF324C17262F73AE05A76B51
TrID:
  51.9% (.EXE) Win64 Executable (generic) (6522/11/2)
  16.1% (.EXE) OS/2 Executable (generic) (2029/13)
  15.9% (.EXE) Generic Win/DOS Executable (2002/3)
  15.9% (.EXE) DOS Executable (generic) (2000/1)
Magika: pebin
dhash icon: f8b8f0d8d0e498f2 (1 x ScarfaceStealer)
Reporter: burger
Tags: exe ScarfaceStealer

Intelligence

File Origin
# of uploads: 1
# of downloads: 1'349
Origin country: NL
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: KIDDIONSMENU.exe
Verdict: Suspicious activity
Analysis date: 2026-03-19 16:48:16 UTC
Tags: susp-powershell

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 93.3%
Tags: xtreme shell sage
Result
Verdict: Malware
Maliciousness:

Behaviour
Restart of the analyzed sample
Creating a process with a hidden window
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Connection attempt to an infection source
Creating a file in the %temp% subdirectories
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug crypto fingerprint microsoft_visual_cc packed
Verdict: Malicious
File Type: exe x64
Detections: Trojan-Downloader.Win32.Paph.phx PDM:Trojan.Win32.Generic
Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 60 / 100
Signature
Encrypted powershell cmdline option found
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Suspicious powershell command line found
Behaviour
Behavior Graph:
Behavior Graph ID: 1886498
Sample: KIDDIONS MENU.exe
Startdate: 19/03/2026
Architecture: WINDOWS
Score: 60
Sample-level signatures:
  Multi AV Scanner detection for submitted file
  Suspicious powershell command line found
  Encrypted powershell cmdline option found
  Joe Sandbox ML detected suspicious sample
Process tree (recovered from the graph edges):
  KIDDIONS MENU.exe (started)
    KIDDIONS MENU.exe (started)
      signatures: Suspicious powershell command line found; Encrypted powershell cmdline option found
      tasklist.exe (started)
        conhost.exe (started)
          MpCmdRun.exe (started)
            conhost.exe (started)
      powershell.exe (started)
    conhost.exe (started)
  svchost.exe (started)
    DNS/IP: 127.0.0.1 unknown unknown
Result
Malware family: n/a
Score: 8/10
Tags: discovery execution
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates processes with tasklist
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
