MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0270c76c010e9b66c19d2d06cbff2b95a7b558296afe8e1172cc001f4f3aa3ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Neutrino


Vendor detections: 16


Intelligence 16 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0270c76c010e9b66c19d2d06cbff2b95a7b558296afe8e1172cc001f4f3aa3ee
SHA3-384 hash: 8086969c2fa7e5cfef093c9620f02abc5447f6893e6efed56b988d817822955b84ec0d0cd871dd7c774aeb642da8b558
SHA1 hash: da1b8f3ba074f19ec949147fcc69ed7d2a76ed13
MD5 hash: 21be80c278110af8d5a3fb443dacbca8
humanhash: comet-yellow-item-network
File name:SecuriteInfo.com.Variant.Jaik.41709.18634961
Download: download sample
Signature Neutrino
Create hunting rule
File size:144'896 bytes
First seen:2026-04-19 19:37:35 UTC
Last seen:2026-04-19 20:20:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8d04b0f9db9f34761ca4b26f9ee1ee78 (1 x Neutrino)
ssdeep 3072:LbUMEpifpbGRxwgGr3rofZhkxU37ZmGb:LbUMpiRigGjuhkKd
Threatray 5 similar samples on MalwareBazaar
TLSH T142E3D0427DA4C031F877023804B982639B7E75879539A55B37A92ACEDBF13D56B283C3
TrID 50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.5% (.EXE) Win64 Executable (generic) (6522/11/2)
8.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter SecuriteInfoCom
Tags:exe Neutrino

Intelligence

File Origin
# of uploads :
2
# of downloads :
125
Origin country :
FR FR
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
np.exe
Verdict:
Malicious activity
Analysis date:
2026-04-19 02:54:59 UTC
Tags:
api-base64 wmi-base64 stealer stealc loader delphi inno installer
Link:
https://app.any.run/tasks/a53a45e3-5af3-40b5-ac41-29104268e527

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/62297/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69e52f3845787c53e53b3232
Tags:
trickbot kasidet spoof
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Running batch commands
Launching a process
Launching the process to change the firewall settings
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP POST request to an infection source
Creating a window
Creating a file in the %AppData% directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Connection attempt to an infection source
Enabling a "Do not show hidden files" option
Unauthorized injection to a browser process
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Labled as:
Jaik.Generic
Link:
https://www.hybrid-analysis.com/sample/0270c76c010e9b66c19d2d06cbff2b95a7b558296afe8e1172cc001f4f3aa3ee
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-04-18T23:55:00Z UTC
Last seen:
2026-04-21T07:06:00Z UTC
Hits:
~100
Detections:
Trojan.Win64.Kryplod.sb Trojan-Dropper.Win32.Dapato.sb VHO:Backdoor.Win32.Androm.gen Trojan-Banker.Win32.ClipBanker.sb PDM:Trojan.Win32.Generic Trojan.Win32.Kasidet.sb Trojan.Win32.Inject.sb Trojan-Dropper.Win32.Injector.sb Backdoor.Win32.Androm.sb Trojan-PSW.Win32.Stealer.sb Trojan-Spy.Agent.HTTP.C&C Trojan-PSW.Win32.Coins.sb Trojan-PSW.Win32.StealC.v2 Trojan-PSW.Win32.Mimikatz.sb HEUR:Trojan-Banker.Win32.ClipBanker.gen Backdoor.Kasidet.HTTP.C&C Trojan-PSW.Win64.StealC.sb Trojan.Win32.Agent.sb HEUR:Trojan.Win64.Agent.gen.ia HEUR:Trojan.Win32.Kasidet.gen VHO:Worm.Win32.AutoRun.gen Trojan.Scar.HTTP.C&C VHO:Trojan.Win64.Agent.gen VHO:Backdoor.Win32.Agent.gen NetTool.CopyRegistryDumpOutlook.TCP.C&C
Link:
https://opentip.kaspersky.com/0270c76c010e9b66c19d2d06cbff2b95a7b558296afe8e1172cc001f4f3aa3ee/results?tab=lookup
Malware family:
Neutrino Bot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/be20763c-6a13-4a4a-8ccd-9543ddfc8fce
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0270c76c010e9b66c19d2d06cbff2b95a7b558296afe8e1172cc001f4f3aa3ee
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0270c76c010e9b66c19d2d06cbff2b95a7b558296afe8e1172cc001f4f3aa3ee/
Verdict:
Malicious
Threat:
Family.STEALC
Link:
https://tip.neiki.dev/file/0270c76c010e9b66c19d2d06cbff2b95a7b558296afe8e1172cc001f4f3aa3ee
Threat name:
Win32.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2026-04-19 03:55:38 UTC
File Type:
PE (Exe)
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ajymo3abb2nwnqm5fudmx7zlswt3kwbjnl7i4elszqab6tz2upxa._file
Verdict:
malicious
Label(s):
unc_clipper_003
Create hunting rule
neutrino
Create hunting rule
Similar samples:
2307a55ce4cd2327b3315e913e8eb77148c4e81dcd1b35b758ca0226436f0eae
Neutrino
b9a1bcaaa0067b1e242d7e56024590b579143c170280d136a588f1b60e4fd02a
Neutrino
cae6e1df4039a438142c790ee3f22a05a36f68c1662a34978631e792ddd500b6
Neutrino
error
Neutrino
Result
Malware family:
neutrino
Create hunting rule
Score:
  10/10
Tags:
family:neutrino defense_evasion discovery persistence privilege_escalation trojan
Link:
https://tria.ge/reports/260419-yclm4aes3z/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Event Triggered Execution: Netsh Helper DLL
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Modifies Windows Firewall
Detects Neutrino aka Kasidet payload
Family: Neutrino,Kasidet
Modifies visibility of hidden/system files in Explorer
Unpacked files
SH256 hash:
0270c76c010e9b66c19d2d06cbff2b95a7b558296afe8e1172cc001f4f3aa3ee
MD5 hash:
21be80c278110af8d5a3fb443dacbca8
SHA1 hash:
da1b8f3ba074f19ec949147fcc69ed7d2a76ed13
Link:
https://www.unpac.me/results/e0c03350-5c79-46ee-810f-52103479e15e/
SH256 hash:
32dc182860e6699e71eb9427a7f8159e22ee1abb0002c7af31fd793d9556424e
MD5 hash:
2e8873419aba13630cd5a6e3271ee732
SHA1 hash:
e1d8140c1c1f58e2e922d708c51a55f0bc50a1a1
Detections:
win_neutrino_g2
Create hunting rule
Link:
https://www.unpac.me/results/e0c03350-5c79-46ee-810f-52103479e15e/
Malware family:
APT28
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0270c76c010e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NeutrinoEK
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/0270c76c010e9b66c19d2d06cbff2b95a7b558296afe8e1172cc001f4f3aa3ee

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:IMPLANT_4_v5
Create hunting rule
Author:US CERT
Description:BlackEnergy / Voodoo Bear Implant by APT28
Reference:https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:suspicious_PEs
Create hunting rule
Author:txc
Description:This rule detected suspicious PE files, based on high entropy and low amount of imported DLLs. This behaviour indicates packed files or files, that hide their true intention.
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
Rule name:win_neutrino_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.neutrino.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Neutrino

Executable exe 0270c76c010e9b66c19d2d06cbff2b95a7b558296afe8e1172cc001f4f3aa3ee

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3826093/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/62297/

Comments