MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03fdec2fb20214bd240929ebb41581b7c1236e212f2fac0f85753ef0032de0f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 03fdec2fb20214bd240929ebb41581b7c1236e212f2fac0f85753ef0032de0f7
SHA3-384 hash: 2582691820ddf33d35d44808a4b60549d46c4d6d2831813ca6529de7f92d6fc6fea34c3b86785165ee3767185096a9d3
SHA1 hash: 86ede5c786546486053059874856fd5eee370051
MD5 hash: 7688be1f5352ff7e709d9c66e7848630
humanhash: ceiling-leopard-autumn-april
File name:7688be1f5352ff7e709d9c66e7848630.exe
Download: download sample
File size:1'092'608 bytes
First seen:2025-09-16 07:55:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 44d8a197c84278da32b54956d7f26e65 (6 x LummaStealer, 1 x StormKitty, 1 x Vidar)
ssdeep 12288:sdnH7ERw/GKsrko679S2k3A/8cNuob2OT4xqmGQV7aZUnx0IzdiNiumDKAMtkXJO:sdnbERqg3AJnGk1hUxxBJA+J/222Cc
TLSH T11C35D019E8B990D7FCE740B0A7154211E533BD678F246ADB42E88B91161BDED0B3E336
TrID 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
64
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7688be1f5352ff7e709d9c66e7848630.exe
Verdict:
Malicious activity
Analysis date:
2025-09-16 08:00:27 UTC
Tags:
diamotrix clipper auto-reg
Link:
https://app.any.run/tasks/993d2717-d0fc-42b0-aaea-d8ce46d5e44c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/27675/
Detection(s):
Win.Packed.Lazy-10057857-0
Create hunting rule

Verdict:
Clean
Score:
50%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c9180ce579c633a4b59a59
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Restart of the analyzed sample
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint microsoft_visual_cc packed
Link:
https://www.filescan.io/uploads/68c9180273287948292b8a19/reports/c83a5257-f109-441f-b327-21b2357b9b5a/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/03fdec2fb20214bd240929ebb41581b7c1236e212f2fac0f85753ef0032de0f7
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-09-15T17:22:00Z UTC
Last seen:
2025-09-15T17:22:00Z UTC
Hits:
~100
Detections:
VHO:Trojan-PSW.Win32.Convagent.gen Trojan-Dropper.Win32.Injector.sb Trojan.Win32.Injuke.pcbl Trojan.Win32.Agent.sb PDM:Trojan.Win32.Generic Backdoor.Win32.Androm
Link:
https://opentip.kaspersky.com/03fdec2fb20214bd240929ebb41581b7c1236e212f2fac0f85753ef0032de0f7/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/f7e11e32-cb57-49bf-ac0c-9e516773c612
Result
Threat name:
Clipboard Hijacker
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1778297
Signature
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sets debug register (to hijack the execution of another thread)
Writes to foreign memory regions
Yara detected Clipboard Hijacker
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1778297 Sample: 5yrH6yaYKQ.exe Startdate: 16/09/2025 Architecture: WINDOWS Score: 100 32 Malicious sample detected (through community Yara rule) 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 Yara detected Clipboard Hijacker 2->36 38 Joe Sandbox ML detected suspicious sample 2->38 9 5yrH6yaYKQ.exe 2->9         started        process3 signatures4 60 Contains functionality to inject threads in other processes 9->60 62 Contains functionality to inject code into remote processes 9->62 64 Sets debug register (to hijack the execution of another thread) 9->64 66 2 other signatures 9->66 12 5yrH6yaYKQ.exe 1 3 9->12         started        process5 file6 28 C:\Users\user\AppData\Roaming\...\System.exe, PE32+ 12->28 dropped 30 C:\Users\user\...\System.exe:Zone.Identifier, ASCII 12->30 dropped 68 Changes memory attributes in foreign processes to executable or writable 12->68 70 Injects code into the Windows Explorer (explorer.exe) 12->70 72 Writes to foreign memory regions 12->72 74 3 other signatures 12->74 16 explorer.exe 35 2 12->16 injected signatures7 process8 process9 18 System.exe 16->18         started        21 System.exe 16->21         started        signatures10 40 Multi AV Scanner detection for dropped file 18->40 42 Contains functionality to inject threads in other processes 18->42 44 Modifies the context of a thread in another process (thread injection) 18->44 23 System.exe 3 18->23         started        46 Injects a PE file into a foreign processes 21->46 26 System.exe 3 21->26         started        process11 signatures12 48 Changes memory attributes in foreign processes to executable or writable 23->48 50 Injects code into the Windows Explorer (explorer.exe) 23->50 52 Writes to foreign memory regions 23->52 54 Allocates memory in foreign processes 26->54 56 Creates a thread in another existing process (thread injection) 26->56 58 Injects a PE file into a foreign processes 26->58
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/03fdec2fb20214bd240929ebb41581b7c1236e212f2fac0f85753ef0032de0f7
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/7688be1f5352ff7e709d9c66e7848630
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/03fdec2fb20214bd240929ebb41581b7c1236e212f2fac0f85753ef0032de0f7/
Verdict:
Malicious
Threat:
Trojan.Win32.Injuke
Link:
https://tip.neiki.dev/file/03fdec2fb20214bd240929ebb41581b7c1236e212f2fac0f85753ef0032de0f7
Threat name:
Win64.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-09-16 00:01:45 UTC
File Type:
PE+ (Exe)
AV detection:
29 of 38 (76.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ap66yl5saikl2jajfhv3ifmbw7asg3rbf4x2yd4fou7paazn4d3q._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/250916-jskcmshn2v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/fb0915c0-f04a-44ae-a736-d2bf2493036a
Unpacked files
SH256 hash:
03fdec2fb20214bd240929ebb41581b7c1236e212f2fac0f85753ef0032de0f7
MD5 hash:
7688be1f5352ff7e709d9c66e7848630
SHA1 hash:
86ede5c786546486053059874856fd5eee370051
Link:
https://www.unpac.me/results/659203fe-7e1d-46fa-b4c5-adb00ba62c4f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/03fdec2fb202/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/03fdec2fb20214bd240929ebb41581b7c1236e212f2fac0f85753ef0032de0f7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 03fdec2fb20214bd240929ebb41581b7c1236e212f2fac0f85753ef0032de0f7

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/27675/
  
URLhaus
https://urlhaus.abuse.ch/url/3624966/
  
Delivery method
Distributed via web download

Comments