MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 00cf10c5697d25f46ac8458ceee13d84e2b366a6091005d1ae9797d3aac170f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ChromElevator


Vendor detections: 14



SHA256 hash: 00cf10c5697d25f46ac8458ceee13d84e2b366a6091005d1ae9797d3aac170f4
SHA3-384 hash: 5ea718f5677e54575ff8db1489c52413baf63b23392e7d5f85d4492a620770491c807ac7b67e9e38fa4d502c05f6d842
SHA1 hash: f57f00a64768da1cd89b232712b3f0a0405de561
MD5 hash: 2255564b5ee8dcba52fe10759530f74c
humanhash: three-texas-helium-montana
File name:2255564b5ee8dcba52fe10759530f74c.exe
Signature ChromElevator
File size:12'439'552 bytes
First seen:2026-06-14 11:25:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d42595b695fc008ef2c56aabd8efd68e (443 x Vidar, 95 x Stealc, 92 x Rhadamanthys)
ssdeep 98304:w1vGiNs2SpVmD0LZeHhnTs7XZ5Pq6yLiezKCojPJw80Rp7XcO1VEv:wlZs2SHmD2YSPqnxtUJB0HXZgv
Threatray 33 similar samples on MalwareBazaar
TLSH T15BC66C47E8A546E9C0AAD175CA229253BA717C885F3063D32B90F7352F37BD0AE79740
TrID 33.1% (.EXE) Win64 Executable (generic) (6522/11/2)
25.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.4% (.ICL) Windows Icons Library (generic) (2059/9)
10.3% (.EXE) OS/2 Executable (generic) (2029/13)
10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:ChromElevator exe
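Before spending analysis time on a copy of this sample, confirm that what you downloaded is the file this record describes. The check below is an added example written for this page, not MalwareBazaar's own tooling: it streams the file once through the four digest algorithms listed above (SHA256, SHA3-384, SHA1, MD5), compares each result and the byte count against the record, and reports every mismatch rather than stopping at the first. The digests and size in EXPECTED are copied from this entry; the function names are mine.

```python
import hashlib
import io
import sys

# Digests and size copied from the MalwareBazaar record above.
EXPECTED = {
    "sha256": "00cf10c5697d25f46ac8458ceee13d84e2b366a6091005d1ae9797d3aac170f4",
    "sha3_384": "5ea718f5677e54575ff8db1489c52413baf63b23392e7d5f85d4492a620770491c807ac7b67e9e38fa4d502c05f6d842",
    "sha1": "f57f00a64768da1cd89b232712b3f0a0405de561",
    "md5": "2255564b5ee8dcba52fe10759530f74c",
}
EXPECTED_SIZE = 12439552  # 12'439'552 bytes in the record


def compute_digests(fileobj, names=tuple(EXPECTED), chunk_size=1 << 20):
    """Read the file once, feeding every hasher; return (size, {name: hexdigest})."""
    hashers = {name: hashlib.new(name) for name in names}
    size = 0
    while True:
        chunk = fileobj.read(chunk_size)
        if not chunk:
            break
        size += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    return size, {name: h.hexdigest() for name, h in hashers.items()}


def verify(fileobj, expected=EXPECTED, expected_size=EXPECTED_SIZE):
    """Return a dict of mismatches keyed by digest name (plus 'size'); empty means a match."""
    size, actual = compute_digests(fileobj, names=tuple(expected))
    mismatches = {
        name: {"expected": expected[name].lower(), "actual": actual[name]}
        for name in expected
        if actual[name] != expected[name].lower()
    }
    if size != expected_size:
        mismatches["size"] = {"expected": expected_size, "actual": size}
    return mismatches


def verify_bytes(data, expected=EXPECTED, expected_size=EXPECTED_SIZE):
    """Same check for in-memory data (handy for self-tests and unpacked payloads)."""
    return verify(io.BytesIO(data), expected, expected_size)


def verify_path(path):
    with open(path, "rb") as f:
        return verify(f)


if __name__ == "__main__":
    problems = verify_path(sys.argv[1])
    for name, p in problems.items():
        print(f"MISMATCH {name}: expected {p['expected']} got {p['actual']}")
    if problems:
        sys.exit(1)
    print("sample matches the MalwareBazaar record")
```

Run it as `python3 verify_sample.py 2255564b5ee8dcba52fe10759530f74c.exe` on the downloaded file (the script name is an assumption). Checking all four digests at once costs nothing extra over one pass of the file, and a size mismatch with matching digests would itself be worth investigating since it cannot happen with an unmodified file.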

Intelligence


File Origin
# of uploads: 1
# of downloads: 117
Origin country: SE
Vendor Threat Intelligence
No detections
Malware family: n/a
ID: 1
File name: _00cf10c5697d25f46ac8458ceee13d84e2b366a6091005d1ae9797d3aac170f4.exe
Verdict: Malicious activity
Analysis date: 2026-06-14 11:25:48 UTC
Tags: evasion ip-check stealer telegram arch-doc

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: virus shell lien sage
Result
Verdict: Malware
Maliciousness:

Behaviour
Connection attempt
Reading critical registry keys
Creating a file in the %temp% subdirectories
Launching the process to change network settings
Creating a process with a hidden window
Creating a process from a recently created file
DNS request
Running batch commands
Launching a process
Creating synchronization primitives
Forced system process termination
Deleting a recently created file
Creating a window
Launching the process to interact with network services
Searching for synchronization primitives
Stealing user critical data
Unauthorized injection to a recently created process
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-vm crypto golang overlay packed packed
Verdict: Malicious
File Type: exe x64
First seen: 2026-06-08T19:30:00Z UTC
Last seen: 2026-06-09T00:29:00Z UTC
Hits: ~100
Detections: Trojan.Win32.Inject.sb, Trojan-PSW.Win32.Greedy.sb, Trojan-PSW.MSIL.Typhon.sb, Trojan.Win64.Agent.sb, HEUR:HackTool.Win64.RustiveDump.gen, HackTool.Win64.BroHack.sb, Trojan.Win64.Reflo.sb, PDM:Trojan.Win32.Generic, Trojan-PSW.Win32.Stealer.sb, Trojan.Win32.Agent.sb, Trojan-PSW.Win32.Coins.sb, HEUR:Trojan-PSW.Win32.Generic, HackTool.Win64.BroHack.hn, Trojan-PSW.Win64.Agent.sb, Trojan-PSW.MSIL.Stealer.sb, HackTool.Win64.RustiveDump.sb
Result
Threat name: Telegram Stealer, chromElevator
Detection: malicious
Classification: spre.troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Installs new ROOT certificates
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs a network lookup / discovery via ARP
Sigma detected: Capture Wi-Fi password
Sigma detected: Suspicious Ping/Del Command Combination
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Uses netsh to modify the Windows network and firewall settings
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses WMIC command to query system information (often done to detect virtual machines)
Writes to foreign memory regions
Yara detected chromElevator
Yara detected Telegram RAT
Yara detected Telegram Stealer
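Several of the signatures above (the Sigma hits for ping/del and Wi-Fi password capture, script execution from a Temp folder, netsh firewall changes, ping used as a sleep, WMIC hardware queries) are behaviours a SOC can also catch on the endpoint from process-creation telemetry. The following is an added example, not part of the sandbox report and not the Sigma project's code: a small triage pass that approximates those rules as regular expressions and runs them over Sysmon-style events (ParentImage, Image, CommandLine). The patterns are my own approximations of the named rules, not the published Sigma bodies, and the events in SAMPLE_EVENTS are constructed for illustration rather than taken from this sample's run.

```python
import re

# Rule names echo the sandbox signatures above; the patterns are my own
# approximations (assumption), not the published Sigma rule bodies.
RULES = {
    "Suspicious Ping/Del Command Combination": re.compile(
        r"\bping(?:\.exe)?\b.*\s-n\s+\d+.*(?:&&?|\|)\s*del\b", re.I),
    "Uses ping.exe to sleep": re.compile(
        r"\bping(?:\.exe)?\b(?=.*\s-n\s+(?:[2-9]|\d{2,})\b)"
        r"(?=.*\b(?:127\.0\.0\.1|localhost)\b)", re.I),
    "Capture Wi-Fi password": re.compile(
        r"\bnetsh(?:\.exe)?\b.*\bwlan\b.*\bshow\s+profiles?\b.*\bkey\s*=\s*clear\b", re.I),
    "Suspicious Script Execution From Temp Folder": re.compile(
        r"\b(?:powershell|pwsh|wscript|cscript|mshta)(?:\.exe)?\b"
        r".*\\Temp\\.*\.(?:ps1|vbs|js|bat|cmd|hta)\b", re.I),
    "Uses netsh to modify the Windows network and firewall settings": re.compile(
        r"\bnetsh(?:\.exe)?\b.*\b(?:advfirewall|firewall)\b.*\b(?:add|set|delete)\b", re.I),
    "Uses WMIC command to query system information": re.compile(
        r"\bwmic(?:\.exe)?\b.*\b(?:computersystem|bios|baseboard|diskdrive|csproduct)\b", re.I),
}


def classify(cmdline):
    """Return the names of every rule whose pattern matches this command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def scan(events):
    """Run classify() over process-creation events and keep only those that hit."""
    hits = []
    for ev in events:
        matched = classify(ev["CommandLine"])
        if matched:
            hits.append({"parent": ev["ParentImage"], "image": ev["Image"], "rules": matched})
    return hits


# Constructed events for illustration only. These are NOT the command lines
# recorded for this sample; the paths and names are made up.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\user\Desktop\sample.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\user\AppData\Local\Temp\x\lss.exe"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\upd\run.ps1"},
    {"ParentImage": r"C:\Users\user\Desktop\sample.exe", "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh.exe wlan show profile name="Office" key=clear'},
    {"ParentImage": r"C:\Users\user\Desktop\sample.exe", "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": r'netsh advfirewall firewall add rule name="updater" dir=in action=allow program="C:\Users\user\AppData\Local\Temp\x\lss.exe"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "WMIC.exe computersystem get Manufacturer,Model"},
    # Benign noise that the rules should not flag.
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\PING.EXE",
     "CommandLine": "ping -n 1 dc01.corp.local"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net.exe localgroup administrators"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit['parent']} -> {hit['image']}: {', '.join(hit['rules'])}")
```

A single loopback ping with `-n 1` is left alone on purpose: the sleep heuristic needs a count of two or more, and the ping/del rule needs the `del` that makes it self-deletion. In production these would be joined to the parent process (here the dropped sample and its cmd.exe child) rather than judged on the command line alone, which is exactly the context the behaviour graph above provides.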
Behaviour
Behavior Graph:
Behavior Graph ID: 1927720; Sample: QDr8U69Al7.exe; Start date: 14/06/2026; Architecture: WINDOWS; Score: 100
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures
DNS lookups: ip-api.com, api.ipify.org
Process tree recovered from the graph (the "..." path segments are elided in the original):
  QDr8U69Al7.exe (started)
    network: 149.154.166.110:443 (TELEGRAMVG, United Kingdom); ip-api.com 208.95.112.1:80 (TUT-AS-TotalUptimeTechnologiesLLCUS, United States); api.ipify.org 104.26.13.205:443 (CLOUDFLARENET-CloudflareIncUS, Canada)
    dropped: C:\Users\user\AppData\...\chrome_injector.exe (PE32+); C:\Users\user\AppData\Local\Temp\...\lss.exe (PE32+)
    signatures: Installs new ROOT certificates; Found many strings related to Crypto-Wallets (likely being stolen); Uses netsh to modify the Windows network and firewall settings; 3 other signatures
    children:
      chrome_injector.exe: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures -> conhost.exe, 2 other processes
      cmd.exe: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks; Uses WMIC command to query system information (often done to detect virtual machines) -> WMIC.exe, conhost.exe
      lss.exe: Found direct / indirect Syscall (likely to bypass EDR) -> conhost.exe
      7 other processes: dropped C:\Users\user\AppData\...\Screenshot.png (PNG); Performs a network lookup / discovery via ARP -> net.exe -> net1.exe, net.exe -> net1.exe, conhost.exe, 9 other processes
  svchost.exe (started): 127.0.0.1
Gathering data
Threat name: Win64.Trojan.TStealer
Status: Malicious
First seen: 2026-06-09 00:48:22 UTC
File Type: PE+ (Exe)
Extracted files: 2
AV detection: 21 of 36 (58.33%)
Threat level: 5/5
Result
Malware family: n/a
Score: 9/10
Tags: defense_evasion discovery execution persistence privilege_escalation spyware stealer trojan
Behaviour
GoLang User-Agent
Modifies system certificate store
Runs net.exe
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Event Triggered Execution: Netsh Helper DLL
Permission Groups Discovery: Local Groups
System Network Configuration Discovery: Internet Connection Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Looks up external IP address via web service
Network Service Discovery
Executes dropped EXE
Reads user/profile data of web browsers
Grants admin privileges
Unpacked files
SHA256 hash: 00cf10c5697d25f46ac8458ceee13d84e2b366a6091005d1ae9797d3aac170f4
MD5 hash: 2255564b5ee8dcba52fe10759530f74c
SHA1 hash: f57f00a64768da1cd89b232712b3f0a0405de561
SHA256 hash: e857298fd2f8d1c7d48780769433f33e7b3ceaae5ea5a74c13ce8c10bcc7b690
MD5 hash: 1d04536714bb22a3e909525a7dd627f0
SHA1 hash: affc166fa1874ff3ec0e42646e008cec972b76ab
Malware family: ChromElevator
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:aix
Author:Tim Brown @timb_machine
Description:AIX binary
Rule name:ClearWater_Ransomware
Author:Arrbat
Description:Detects ClearWater ransomware using a mix of family-specific names, 7-Zip SFX metadata, and anti-recovery indicators
Rule name:CMD_Ping_Localhost
Rule name:command_and_control
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:DetectGoMethodSignatures
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:Detect_Go_GOMAXPROCS
Author:Obscurity Labs LLC
Description:Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata
Rule name:detect_powershell
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:enterpriseapps2
Author:Tim Brown @timb_machine
Description:Enterprise apps
Rule name:enterpriseunix2
Author:Tim Brown @timb_machine
Description:Enterprise UNIX
Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base64 encoded powershell script.
Rule name:Glasses
Author:Seth Hardy
Description:Glasses family
Rule name:GlassesCode
Author:Seth Hardy
Description:Glasses code features
Rule name:GoBinTest
Rule name:golang
Rule name:Golangmalware
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:golang_duffcopy_amd64
Rule name:Golang_Find_CSC846
Author:Ashar Siddiqui
Description:Find Go Signatures
Rule name:Golang_Find_CSC846_Simple
Author:Ashar Siddiqui
Description:Find Go Signatures
Rule name:grakate_stealer_nov_2021
Rule name:HiveRansomware
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Author:Eric Yocam
Description:find Golang malware
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
Author:ditekSHen
Description:Detect binaries embedding considerable number of MFA browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:ldpreload
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:Macos_Infostealer_Wallets_8e469ea0
Author:Elastic Security
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:ProgramLanguage_Golang
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:RANSOMWARE
Author:ToroGuitar
Rule name:RemusStealer_GoPayload
Author:burger
Description:Detects RemusStealer Go-compiled payload
Rule name:RIPEMD160_Constants
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Suspicious_Golang_Binary
Author:Tim Machac
Description:Triage: Golang-compiled binary with suspicious OS/persistence/network strings (not family-specific)
Rule name:telebot_framework
Author:vietdx.mb
Rule name:TelegramAPIMalware_PowerShell_EXE
Author:@polygonben
Description:Hunting for pwsh malware using Telegram for C2
Rule name:telegram_bot_api
Author:rectifyq
Description:Detects file containing Telegram Bot API
Rule name:ThreadControl__Context
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:unixredflags3
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags
Rule name:Windows_Trojan_Generic_9997489c
Author:Elastic Security
