MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a0c314a32cfbdccbaf3de35bd30ea0da6cd8c524cb2a37f9c795cef709cec47. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 9

SHA256 hash: 0a0c314a32cfbdccbaf3de35bd30ea0da6cd8c524cb2a37f9c795cef709cec47
SHA3-384 hash: c6cc6c6278ea2ced589a97dfc225b907d1a5dd0e31febe97c48b78bad15864144c6873f4aae26e48e9089e0291b0ba14
SHA1 hash: 5dbdc562614b7fed7c958066a8c01752a737ed96
MD5 hash: 5ddf524a99908f27d62730d16ecb01a1
humanhash: washington-six-nebraska-bakerloo
File name: ShadowSouls Setup 2.1.7.exe
File size: 86'058'967 bytes
First seen: 2025-09-14 11:14:45 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b34f154ec913d2d2c435cbd644e91687 (525 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
Note: the nsis tag and the dropped nsis7z.dll / nsProcess.dll plugins reported in the behaviour graph below show that this file is an NSIS installer. An installer's import table is that of the NSIS stub, so the family counts beside the imphash describe other NSIS-packaged samples that share the stub, not a code relationship with this sample.
ssdeep: 1572864:8SwbM73YJuGkLZ8vV5mIyB9VrSGvNo0xRfFmvs8wPjPOeWit9pBa:8Sw45LDI4jry2RfFMOPjGeWibza
TLSH: T18618336D75B5EB33D03D2970ED6842F80C3A4D93FED04EF79A0068E82DA4527C66925E
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
Reporter: burger
Tags: exe stealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
108
Origin country :
NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ShadowSoulsSetup2.1.7.exe
Verdict:
Malicious activity
Analysis date:
2025-09-14 11:12:04 UTC
Tags:
anti-evasion discord stealer nodejs python arch-doc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
92.5%
Tags:
extens shell sage
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating synchronization primitives
Searching for synchronization primitives
Searching for the window
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context anti-debug blackhole fingerprint installer microsoft_visual_cc nsis overlay packed
Verdict:
Clean
File Type:
exe x32
First seen:
2025-09-14T01:45:00Z UTC
Last seen:
2025-09-14T01:45:00Z UTC
Hits:
~10
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw.evad
Score:
56 / 100
Signature
Adds a directory exclusion to Windows Defender
Attempt to bypass Chrome Application-Bound Encryption
Disables security and backup related services
Disables Windows Defender (via service or powershell)
Drops large PE files
Loading BitLocker PowerShell Module
Modifies Windows Defender protection settings
Potential malicious VBS script found (suspicious strings)
Sigma detected: Potential Data Stealing Via Chromium Headless Debugging
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Windows Service Tampering
Sigma detected: WScript or CScript Dropper
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph:
Behavior Graph ID: 1777223
Sample: ShadowSouls Setup 2.1.7.exe
Startdate: 14/09/2025
Architecture: WINDOWS
Score: 56

Top-level network: www.myexternalip.com; pypi.org; 5 other IPs or domains
Top-level signatures: Attempt to bypass Chrome Application-Bound Encryption; Potential malicious VBS script found (suspicious strings); Sigma detected: Powershell Defender Disable Scan Feature; 12 other signatures

Process tree (node numbers as in the graph):
  [10] ShadowSouls.exe
       network: 198.1.195.210:3000 (src port 49748) CRONOMAGIC-1CA, Canada; discord.com 162.159.137.232:443 (src ports 49723, 49724) CLOUDFLARENETUS, United States; 3 other IPs or domains
       dropped: C:\Program Files\...\vcruntime140_1.dll (PE32+); C:\Program Files\...\vcruntime140.dll (PE32+); C:\Program Files\ShadowSouls\...\pythonw.exe (PE32+); 815 other files (none is malicious)
       signatures: Tries to harvest and steal browser information (history, passwords, etc); Modifies Windows Defender protection settings; Adds a directory exclusion to Windows Defender; 2 other signatures
       [21] cmd.exe
            signatures: Modifies Windows Defender protection settings; Adds a directory exclusion to Windows Defender; Disables Windows Defender (via service or powershell)
            [52] 2 other processes
       [24] cmd.exe
            [37] powershell.exe
            [40] conhost.exe
       [26] cmd.exe
            [42] cscript.exe
                 signature: Adds a directory exclusion to Windows Defender
                 [56] powershell.exe
                      signature: Loading BitLocker PowerShell Module
                      [63] conhost.exe
            [44] conhost.exe
       [35] 21 other processes
            [46] cscript.exe
                 [59] powershell.exe
                      [65] conhost.exe
            [48] powershell.exe
                 signature: Loading BitLocker PowerShell Module
            [50] net.exe
                 [61] net1.exe
            [54] 39 other processes
  [15] ShadowSouls Setup 2.1.7.exe
       dropped: C:\Program Files\...\ShadowSouls.exe (PE32+); C:\Users\user\AppData\Local\...\nsis7z.dll (PE32); C:\Users\user\AppData\Local\...\nsProcess.dll (PE32); 17 other files (none is malicious)
  [17] msedge.exe
       network: 239.255.255.250 (unknown, Reserved)
       [28] msedge.exe
            network: ln-0007.ln-msedge.net 150.171.22.17:443 (src port 49727) MICROSOFT-CORP-MSN-AS-BLOCKUS, United States; ax-0002.ax-msedge.net 150.171.27.11:443 (src port 49728) MICROSOFT-CORP-MSN-AS-BLOCKUS, United States
       [31] msedge.exe
       [33] msedge.exe
  [19] ShadowSouls.exe
Result
Malware family:
n/a
Score:
  10/10
Tags:
credential_access defense_evasion discovery execution linux spyware stealer trojan
Behaviour
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
An obfuscated cmd.exe command-line is typically used to evade detection.
Enumerates processes with tasklist
Hide Artifacts: Hidden Files and Directories
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Reads user/profile data of web browsers
Checks computer location settings
Drops startup file
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Uses browser remote debugging
Windows security bypass
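The signature list above (Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet, Adds a directory exclusion to Windows Defender, Potential Data Stealing Via Chromium Headless Debugging, Suspicious Script Execution From Temp Folder, Suspicious Windows Service Tampering) and the behaviour list that follows it (Uses browser remote debugging, Launches sc.exe, Runs net.exe, Command and Scripting Interpreter: PowerShell) describe behaviours, not hashes, so they are the part of this entry worth turning into telemetry checks. The Python below is an added example and is not MalwareBazaar's, any sandbox vendor's or the sample author's code. It runs equivalent rules over constructed process-creation records that resemble Sysmon Event ID 1 fields; every path, port, service name and command line in SAMPLE_EVENTS is invented for illustration and is not taken from this sample, and the rule names are the example's own. The one step worth noting is that the Defender rule decodes a -EncodedCommand payload (base64 of UTF-16LE) before matching, which is why it catches both the plain and the base64 variant that the Sigma titles distinguish.

```python
"""Behaviour-based triage rules for the signatures reported on this page.

Added example: this is not MalwareBazaar, sandbox-vendor or sample code. The
process-creation records below are CONSTRUCTED to resemble Sysmon Event ID 1 /
EDR telemetry and are not taken from the sample; every path in them is invented.
"""
import base64
import re
from dataclasses import dataclass


@dataclass
class Event:
    image: str    # full path of the process image
    cmdline: str  # raw command line as logged


# Keywords the "Defender Disable" / "MpPreference" style rules key on.
DEFENDER_MARKERS = ("mppreference", "exclusionpath", "exclusionprocess",
                    "exclusionextension", "disablerealtimemonitoring")
POWERSHELL = {"powershell.exe", "pwsh.exe"}
CHROMIUM = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe", "powershell.exe", "pwsh.exe"}
SERVICE_TOOLS = {"sc.exe", "net.exe", "net1.exe"}
SERVICE_VERB_RE = re.compile(r"\b(stop|config|delete)\b")
TEMP_RE = re.compile(r"\\(?:windows\\temp|appdata\\local\\temp)\\", re.IGNORECASE)
# -e / -enc / -EncodedCommand followed by a base64 token
ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the -EncodedCommand payload (base64 of UTF-16LE) as text, or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def check_event(ev):
    """Return the names of the rules that fire on one process-creation event."""
    hits = []
    name = ev.image.rsplit("\\", 1)[-1].lower()
    lowered = ev.cmdline.lower()

    # Rule 1: Defender tampering, matched on the DECODED command so the base64
    # variant does not slip past a plain string match.
    if name in POWERSHELL:
        decoded = decode_encoded_command(ev.cmdline)
        haystack = lowered + (" " + decoded.lower() if decoded else "")
        if any(k in haystack for k in DEFENDER_MARKERS):
            hits.append("defender_tampering_base64" if decoded else "defender_tampering")

    # Rule 2: Chromium started with a DevTools debugging port; with --headless this
    # is the headless-debugging data-theft pattern named in the signature list.
    if name in CHROMIUM and "--remote-debugging-port" in lowered:
        hits.append("chromium_remote_debugging_headless" if "--headless" in lowered
                    else "chromium_remote_debugging")

    # Rule 3: script interpreter executing content from a Temp folder.
    if name in SCRIPT_HOSTS and TEMP_RE.search(lowered):
        hits.append("script_host_from_temp")

    # Rule 4: sc.exe / net.exe stopping or reconfiguring a service.
    if name in SERVICE_TOOLS and SERVICE_VERB_RE.search(lowered):
        hits.append("service_tampering")
    return hits


def triage(events):
    """Pair each event's image basename with the rules it triggered."""
    return [(ev.image.rsplit("\\", 1)[-1], check_event(ev)) for ev in events]


def _encoded(ps_script):
    """Encode a script the way 'powershell -enc' expects it (for constructed input)."""
    return base64.b64encode(ps_script.encode("utf-16-le")).decode("ascii")


# Constructed telemetry, not from the sample. Paths and service name are illustrative.
SAMPLE_EVENTS = [
    Event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -nop -w hidden -enc "
          + _encoded(r"Add-MpPreference -ExclusionPath 'C:\Program Files\ExampleApp'")),
    Event(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
          r'"msedge.exe" --headless --remote-debugging-port=9222 '
          r'--user-data-dir="C:\Users\u\AppData\Local\Microsoft\Edge\User Data"'),
    Event(r"C:\Windows\System32\cscript.exe",
          r'cscript.exe //nologo "C:\Users\u\AppData\Local\Temp\nsa1234.tmp\run.vbs"'),
    Event(r"C:\Windows\System32\sc.exe", "sc.exe stop WinDefend"),
    Event(r"C:\Windows\System32\notepad.exe", "notepad.exe report.txt"),  # benign control
]

if __name__ == "__main__":
    for image, rules in triage(SAMPLE_EVENTS):
        print(f"{image:16} {', '.join(rules) or '-'}")
```

Run stand-alone it prints one line per constructed event with the rules that fired; the notepad.exe record is there as a negative control. The rules match on the process image name rather than on the command line's first token because the Sigma rules this mirrors also key on Image, and a renamed copy of powershell.exe is exactly what a command-line-only match would miss.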
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Executable exe 0a0c314a32cfbdccbaf3de35bd30ea0da6cd8c524cb2a37f9c795cef709cec47 (this sample)