MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 00202340108c101d59bbfb3daa4bbd6b4436c167e3c9734c07bfbdcb1402f746. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ClearWater


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 00202340108c101d59bbfb3daa4bbd6b4436c167e3c9734c07bfbdcb1402f746
SHA3-384 hash: 91d37ac2a7ead2d240b7590631dfd352a6c31a5a7bfc1fd456e95feb4f421006cf9a084d155ef01a5aa45df15678ff62
SHA1 hash: 82357963420e55a3e99cfe20bd5bea6ddfa32a54
MD5 hash: cf4840ae85d7acba4974d6dd55893d6c
humanhash: spring-beer-september-jersey
File name:zeksmi_x64.exe
Download: download sample
Signature ClearWater
Create hunting rule
File size:1'007'049 bytes
First seen:2026-03-31 05:32:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 22e7125b95acf497b07e79559bdc556c (2 x CoinMiner, 1 x RedLineStealer, 1 x DCRat)
ssdeep 24576:bqKAJ2nZBV6vryrLYJtQubXWFl+0vdc3ax0LT:bqr8fV6vQ8JeuDW+0m3ax0LT
Threatray 21 similar samples on MalwareBazaar
TLSH T1BD2512AB36A055F4E1675078CA52D78AF3B27452073097CF12A487BA1F277E1AC3E325
TrID 48.4% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
19.1% (.EXE) Win64 Executable (generic) (6522/11/2)
14.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.9% (.EXE) OS/2 Executable (generic) (2029/13)
5.8% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon f6b4a8ba6492985a (2 x RedLineStealer, 1 x Pony, 1 x GuLoader)
Reporter TheRavenFile
Tags:clearwater exe Ransomware


Avatar
RakeshKrish12
Source: https://github.com/TheRavenFile/Daily-Hunt/blob/main/ClearWater%20Ransomware

Intelligence

File Origin
# of uploads :
1
# of downloads :
131
Origin country :
IN IN
Vendor Threat Intelligence
Gathering data
Malware family:
n/a
ID:
1
File name:
_00202340108c101d59bbfb3daa4bbd6b4436c167e3c9734c07bfbdcb1402f746.exe
Verdict:
Malicious activity
Analysis date:
2026-03-31 05:32:41 UTC
Tags:
clearwater ransomware
Link:
https://app.any.run/tasks/71620ada-ce0e-43ee-84c5-2728cddbfae4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Win64.Malware-gen.13916474.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69cb5c616363ca5d27f005cc
Tags:
vmdetect
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Running batch commands
Changing a file
Modifying an executable file
Launching a process
Searching for synchronization primitives
Сreating synchronization primitives
Launching a service
Modifies multiple files
Creating a file in the Program Files directory
Creating a file in the Program Files subdirectories
Moving a file to the Program Files directory
Moving a file to the Program Files subdirectory
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file in the %temp% directory
Moving a file to the %temp% directory
Creating a file in the %AppData% subdirectories
Creating a file in the %AppData% directory
Moving a file to the %AppData% subdirectory
Launching the process to interact with network services
Preventing system recovery
Deleting volume shadow copies
Stealing user critical data
Creating a file in the mass storage device
Infecting executable files
Encrypting user's files
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context clearwater filecoder fingerprint installer installer installer-heuristic keylogger lockfile microsoft_visual_cc overlay packed ransomware unsafe
Link:
https://www.filescan.io/uploads/69cb5c5f972c219c8d72f85c/reports/b64e1541-01a1-47e4-941c-39646d6fa5bd/overview
Verdict:
Malicious
Labled as:
Ransom_Win64_ClearWater_MKV_MTB
Link:
https://www.hybrid-analysis.com/sample/00202340108c101d59bbfb3daa4bbd6b4436c167e3c9734c07bfbdcb1402f746
Result
Gathering data
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-03-26T04:32:00Z UTC
Last seen:
2026-03-27T14:51:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan-Ransom.Win64.Agent.gen PDM:Trojan.Win32.Generic Trojan.Win32.DelShad.sb Trojan.Win32.Agent.sb
Link:
https://opentip.kaspersky.com/00202340108c101d59bbfb3daa4bbd6b4436c167e3c9734c07bfbdcb1402f746/results?tab=lookup
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/712df6ec-a01f-4095-9d20-a1c841173f84
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/00202340108c101d59bbfb3daa4bbd6b4436c167e3c9734c07bfbdcb1402f746
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout SFX 7z Win 64 Exe x64
Link:
https://app.malva.re/file/cf4840ae85d7acba4974d6dd55893d6c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/00202340108c101d59bbfb3daa4bbd6b4436c167e3c9734c07bfbdcb1402f746/
Verdict:
Malicious
Threat:
Trojan.Win32.DelShad
Link:
https://tip.neiki.dev/file/00202340108c101d59bbfb3daa4bbd6b4436c167e3c9734c07bfbdcb1402f746
Threat name:
Win64.Ransomware.ClearWater
Create hunting rule
Status:
Malicious
First seen:
2026-03-26 10:14:44 UTC
File Type:
PE+ (Exe)
Extracted files:
12
AV detection:
21 of 36 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aaqcgqaqrqib2wn37m62us55nncdnqlh4pexgtahx664wfac65da._file
Verdict:
malicious
Label(s):
genericransomware
Create hunting rule
clearwaterransomware
Create hunting rule
Similar samples:
00202340108c101d59bbfb3daa4bbd6b4436c167e3c9734c07bfbdcb1402f746
ClearWater
051c5b59b210a87fdc8fda3b2c30766dbd353ae1068692f6409cb513bd7f36a3
ClearWater
24f65e496692a64157011ed08648a853312526299131e4f819376889ff94876d
ClearWater
56642f9ed03cd60fd9a69695f098957767d9570ffe1d5d970b38ba6b6b1a2936
ClearWater
8d12376080616becc8facd72ea2deeadd30fb04696d1be9f86fda662d7582a06
ClearWater
d5d94fab267af055662624c9918d0598204da0221f8e14b956334904bee45dc8
ClearWater
error
ClearWater
+ 11 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion discovery evasion execution impact persistence ransomware spyware stealer
Link:
https://tria.ge/reports/260331-f8dy1shz7w/
Behaviour
Checks SCSI registry key(s)
Discovers systems in the same network
Interacts with shadow copies
Modifies Control Panel
Modifies data under HKEY_USERS
Opens file in notepad (likely ransom note)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Browser Information Discovery
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Drops file in Program Files directory
Sets desktop wallpaper using registry
Adds Run key to start application
Drops desktop.ini file(s)
Network Share Discovery
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Deletes backup catalog
Deletes shadow copies
Modifies boot configuration data using bcdedit
Renames multiple (5281) files with added filename extension
Unpacked files
SH256 hash:
00202340108c101d59bbfb3daa4bbd6b4436c167e3c9734c07bfbdcb1402f746
MD5 hash:
cf4840ae85d7acba4974d6dd55893d6c
SHA1 hash:
82357963420e55a3e99cfe20bd5bea6ddfa32a54
Link:
https://www.unpac.me/results/d07eaaac-6b63-45cf-94de-f32b094d2806/
SH256 hash:
a1199a1e448ea1ee3ceac6f77535e612cec1279c496a314802e2e3dfc428d27d
MD5 hash:
29145cc1b1400b4b60743a21b075bac7
SHA1 hash:
fdff5b4b2cb0147af150364ad95100e2a3a74df8
Detections:
INDICATOR_SUSPICIOUS_GENRansomware
Create hunting rule
Link:
https://www.unpac.me/results/d07eaaac-6b63-45cf-94de-f32b094d2806/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/00202340108c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/00202340108c101d59bbfb3daa4bbd6b4436c167e3c9734c07bfbdcb1402f746

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ClearWater

Executable exe 00202340108c101d59bbfb3daa4bbd6b4436c167e3c9734c07bfbdcb1402f746

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/59840/
  
URLhaus
https://urlhaus.abuse.ch/url/3808925/
  
Delivery method
Distributed via web download

Comments