MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01f386dacff50f5d4ed9b7fbf5bdece92d2f85f8ba3e0cc21b9c866a3d7b3ad1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DogeStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 01f386dacff50f5d4ed9b7fbf5bdece92d2f85f8ba3e0cc21b9c866a3d7b3ad1
SHA3-384 hash: c1750eaff535b1e49698bac3bfc85411b0518dafd5bdcb79950bbdc74de497b1a5e0cefa445de6b6580f06a9ed00e8e0
SHA1 hash: 9e06d21588bfe02328e6bef886813d145193c407
MD5 hash: 0193748c38a7853e7eedcde580c341f6
humanhash: single-music-double-single
File name:Launcher.exe
Download: download sample
Signature DogeStealer
Create hunting rule
File size:76'939'153 bytes
First seen:2025-08-11 11:26:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 27f8a075898c0342804ab1dcef6774de (1 x DogeStealer)
ssdeep 393216:2QzE8nqWFK/2Cb4OF1UBTKY0kiwQE6nLr8JJhwQSI8wxSvDazn1N5VRBQiMdv8/x:2kqqwQtRPPVVKFDWhvxOtxrWU8btymP1
TLSH T18CF77B4267EA04C5F9F7AA3489E65213D673BC067F3086DB324C172A1F736E09976722
TrID 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
dhash icon e0e0d0c8fcdcdc9e (1 x DogeStealer)
Reporter burger
Tags:DogeStealer exe stealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
105
Origin country :
NL NL
Vendor Threat Intelligence
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6899d373c633abe3908dd13d
Tags:
shell virus sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a process from a recently created file
Creating a file
Deleting a recently created file
Connection attempt to an infection source
Sending a TCP request to an infection source
DNS request
Connection attempt
Sending a custom TCP request
Launching a service
Creating a window
Launching the default Windows debugger (dwwin.exe)
Query of malicious DNS domain
Unauthorized injection to a recently created process
Adding an exclusion to Microsoft Defender
Verdict:
Suspicious
Labled as:
Malware/Generic
Link:
https://www.hybrid-analysis.com/sample/01f386dacff50f5d4ed9b7fbf5bdece92d2f85f8ba3e0cc21b9c866a3d7b3ad1
Result
Threat name:
n/a
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1754533
Signature
Adds a directory exclusion to Windows Defender
AI detected malicious Powershell script
Bypasses PowerShell execution policy
Check if machine is in data center or colocation facility
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites Mozilla Firefox settings
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Check external IP via Powershell
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses attrib.exe to hide files
Uses cmd line tools excessively to alter registry or file data
Yara detected NexeCompiled Binary
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1754533 Sample: Launcher.exe Startdate: 11/08/2025 Architecture: WINDOWS Score: 100 91 ip-api.com 2->91 93 github.com 2->93 95 2 other IPs or domains 2->95 127 Malicious sample detected (through community Yara rule) 2->127 129 Multi AV Scanner detection for dropped file 2->129 131 Multi AV Scanner detection for submitted file 2->131 133 9 other signatures 2->133 11 Launcher.exe 47 2->11         started        16 svchost.exe 2->16         started        signatures3 process4 dnsIp5 97 d1ge.com 84.32.84.33, 2053, 443, 49689 NTT-LT-ASLT Lithuania 11->97 99 github.com 140.82.112.4, 443, 49686, 49687 GITHUBUS United States 11->99 83 C:\Users\user\AppData\Local\...\svchosts.exe, PE32+ 11->83 dropped 85 C:\Users\user\AppData\...\key4.db.query, SQLite 11->85 dropped 87 C:\Users\user\AppData\...\wwPUn6LrfA.ps1, ASCII 11->87 dropped 89 7 other malicious files 11->89 dropped 149 Uses cmd line tools excessively to alter registry or file data 11->149 151 Overwrites Mozilla Firefox settings 11->151 153 Adds a directory exclusion to Windows Defender 11->153 18 Launcher.exe 11->18         started        21 cmd.exe 1 11->21         started        23 cmd.exe 1 11->23         started        25 49 other processes 11->25 101 127.0.0.1 unknown unknown 16->101 file6 signatures7 process8 signatures9 109 Overwrites Mozilla Firefox settings 18->109 111 Tries to harvest and steal browser information (history, passwords, etc) 18->111 113 Adds a directory exclusion to Windows Defender 18->113 27 cmd.exe 18->27         started        30 cmd.exe 18->30         started        32 cmd.exe 18->32         started        43 14 other processes 18->43 115 Suspicious powershell command line found 21->115 117 Uses cmd line tools excessively to alter registry or file data 21->117 119 Bypasses PowerShell execution policy 21->119 121 Uses attrib.exe to hide files 21->121 34 reg.exe 1 21->34         started        36 powershell.exe 22 23->36         started        123 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 25->123 125 Loading BitLocker PowerShell Module 25->125 39 powershell.exe 23 25->39         started        41 powershell.exe 25->41         started        45 55 other processes 25->45 process10 dnsIp11 135 Adds a directory exclusion to Windows Defender 27->135 48 powershell.exe 27->48         started        137 Uses cmd line tools excessively to alter registry or file data 30->137 60 2 other processes 30->60 139 Suspicious powershell command line found 32->139 62 2 other processes 32->62 79 C:\Users\user\AppData\...\n34tyh2r.cmdline, Unicode 36->79 dropped 141 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 36->141 143 Found suspicious powershell code related to unpacking or dynamic code loading 36->143 145 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 36->145 51 csc.exe 3 36->51         started        147 Loading BitLocker PowerShell Module 39->147 54 Conhost.exe 39->54         started        56 powershell.exe 43->56         started        58 powershell.exe 43->58         started        64 5 other processes 43->64 103 ip-api.com 208.95.112.1, 49694, 49706, 80 TUT-ASUS United States 45->103 105 api.ipify.org 104.26.13.205, 443, 49693, 49705 CLOUDFLARENETUS United States 45->105 66 16 other processes 45->66 file12 signatures13 process14 file15 107 Loading BitLocker PowerShell Module 48->107 77 C:\Users\user\AppData\Local\...\n34tyh2r.dll, PE32 51->77 dropped 68 cvtres.exe 1 51->68         started        70 csc.exe 56->70         started        73 Conhost.exe 58->73         started        signatures16 process17 file18 81 C:\Users\user\AppData\Local\...\evfg23vz.dll, PE32 70->81 dropped 75 cvtres.exe 70->75         started        process19
Score:
52%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/01f386dacff50f5d4ed9b7fbf5bdece92d2f85f8ba3e0cc21b9c866a3d7b3ad1
Gathering data
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/01f386dacff50f5d4ed9b7fbf5bdece92d2f85f8ba3e0cc21b9c866a3d7b3ad1
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-08-11 11:26:40 UTC
File Type:
PE+ (Exe)
Extracted files:
46
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ahzynwwp6uhv2twzw757lppm5ews7bpyxi7azqq3tsdgupl3hliq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion discovery execution
Link:
https://tria.ge/reports/250811-nkr5qs1p15/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Drops file in Program Files directory
Drops file in Windows directory
Enumerates processes with tasklist
Hide Artifacts: Hidden Files and Directories
Looks up external IP address via web service
Maps connected drives based on registry
Checks computer location settings
Executes dropped EXE
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/773ece6e-cb34-4ee1-8efd-5b2e1e468711
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DogeStealer

Executable exe 01f386dacff50f5d4ed9b7fbf5bdece92d2f85f8ba3e0cc21b9c866a3d7b3ad1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3600763/
  
Delivery method
Distributed via web download

Comments