MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 09c24a939df3bc99632532bfac7573fda9f60c3b4229256d56614b89051a865c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 09c24a939df3bc99632532bfac7573fda9f60c3b4229256d56614b89051a865c
SHA3-384 hash: f9dacc976a7fbf110f022cde1799695ac9bfcc125401a6b7b440cd392670b08cd1d9078f829543f73f49d5d319498785
SHA1 hash: 1518ee013bf99bdbd6224e2c2578ea7442bdf0ee
MD5 hash: 68ce4422c9ed0dfda38c55f3b3e46cb6
humanhash: happy-nineteen-football-december
File name:Velroyth Setup 1.0.0.exe
Download: download sample
File size:93'562'217 bytes
First seen:2026-01-03 20:49:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (535 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 1572864:fHYxcnyo0h4a01+/9pWbFKT4fL0PHWDyPICnw81Wjo0V2Rg/8K:fAUyo0hZ0wrWRKkQP2D8/nw4ooo2e/8K
TLSH T1E32833D6B2B7DB75CD5B1A3D7474284B83294B4E6A5388C34BD622FB4CF2B205F58821
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter JaffaCakes118
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
119
Origin country :
GB GB
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/1edb5d2c-96e7-46a7-ae67-cf354476ed5c/
Malware family:
n/a
ID:
1
File name:
_09c24a939df3bc99632532bfac7573fda9f60c3b4229256d56614b89051a865c
Verdict:
Malicious activity
Analysis date:
2026-01-03 20:54:25 UTC
Tags:
silentstealer stealer python generic nodejs
Link:
https://app.any.run/tasks/19bd500b-5b76-4a17-852c-332eae928640

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69598120d2357cccc3df121f
Tags:
vmdetect xtreme shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a window
Searching for the window
Searching for the Windows task manager window
Creating a file
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Searching for synchronization primitives
Unauthorized injection to a recently created process
Moving a file to the %AppData% subdirectory
Loading a suspicious library
Running batch commands
Creating a process with a hidden window
Launching the process to interact with network services
Launching a process
Launching a tool to kill processes
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug blackhole fingerprint installer installer installer-heuristic microsoft_visual_cc nsis overlay packed
Link:
https://www.filescan.io/uploads/69598117127d6a14e0ce7a05/reports/3ceeb716-1b95-4d1b-a17a-e17a5c09a77e/overview
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/09c24a939df3bc99632532bfac7573fda9f60c3b4229256d56614b89051a865c
Verdict:
Clean
File Type:
exe x32
First seen:
2025-12-31T17:01:00Z UTC
Last seen:
2026-01-04T08:57:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/09c24a939df3bc99632532bfac7573fda9f60c3b4229256d56614b89051a865c/results?tab=lookup
Score:
83%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/09c24a939df3bc99632532bfac7573fda9f60c3b4229256d56614b89051a865c
Gathering data
Verdict:
Susipicious
Link:
https://tip.neiki.dev/file/09c24a939df3bc99632532bfac7573fda9f60c3b4229256d56614b89051a865c
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bhbeve456o6jsyzfgk72y5lt7wu7mdb3iiusk3kwmffysbi2qzoa._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
defense_evasion discovery execution persistence spyware stealer
Link:
https://tria.ge/reports/260106-kjge3aylgz/
Behaviour
Kills process with taskkill
Runs net.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
System Location Discovery: System Language Discovery
An obfuscated cmd.exe command-line is typically used to evade detection.
Enumerates processes with tasklist
Hide Artifacts: Hidden Files and Directories
Adds Run key to start application
Checks installed software on the system
Indicator Removal: Clear Persistence
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads ssh keys stored on the system
Reads user/profile data of web browsers
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/006a1a75-70db-4bb2-8400-7bc2ae20905d
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/09c24a939df3bc99632532bfac7573fda9f60c3b4229256d56614b89051a865c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 09c24a939df3bc99632532bfac7573fda9f60c3b4229256d56614b89051a865c

(this sample)

  
Delivery method
Distributed via web download

Comments