MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b439debd24d965d005b155b7573788de5dfb9677c956a91db53649b4906749a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0b439debd24d965d005b155b7573788de5dfb9677c956a91db53649b4906749a
SHA3-384 hash: b19af23c22d80df4c5bb7e42e212bf3c9561570e24a9a82c1abcddea7c42a9b318beb068765835ef1072f65574fa7376
SHA1 hash: b17aa221f189330e68e41c378e492e40b1c43ce6
MD5 hash: eb39ee02ed87c227e5cedcd75f6e4e2d
humanhash: jig-undress-winner-summer
File name:v2discordid.exe
Download: download sample
File size:97'446'133 bytes
First seen:2026-01-03 15:26:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (535 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 1572864:8ZTczLHc8vUAwU1C1YumGLKpe1R6Q7yK98CuZEHPDTLKGSplDiSyAwOu+Cxg89LZ:8ZwvvoKrumGL3WsyK9kEv/LKPXDGAz9W
TLSH T1262833A74D1A4C13D8D2F979A3C097FA4B436A1BD8C359938AD39C10BF5681ADBD0DC2
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter burger
Tags:exe stealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
104
Origin country :
NL NL
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/36c87cc9-3ae1-4dd7-b6cc-b0b02e9a8f5b/
Malware family:
n/a
ID:
1
File name:
v2discordid.exe
Verdict:
Malicious activity
Analysis date:
2026-01-03 15:26:16 UTC
Tags:
loader nodejs
Link:
https://app.any.run/tasks/0e6384cc-d466-42fb-b1a7-a21072b6aa79

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69593516e148d42004dee80e
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a window
Searching for the window
Searching for the Windows task manager window
Launching a process
Creating a process with a hidden window
DNS request
Connection attempt
Using the Windows Management Instrumentation requests
Creating a file in the Program Files subdirectories
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug anti-vm blackhole fingerprint installer installer installer-heuristic malicord microsoft_visual_cc nsis overlay packed
Link:
https://www.filescan.io/uploads/69593557127d6a14e0ce4440/reports/6a9b2144-54fd-4926-a4b4-2dccccdc9c22/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/0b439debd24d965d005b155b7573788de5dfb9677c956a91db53649b4906749a
Verdict:
Clean
File Type:
exe x32
First seen:
2026-01-03T12:35:00Z UTC
Last seen:
2026-01-03T12:44:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/0b439debd24d965d005b155b7573788de5dfb9677c956a91db53649b4906749a/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1844218
Signature
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Disables Windows Defender (via service or powershell)
Drops large PE files
Drops PE files with benign system names
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies Windows Defender protection settings
Sigma detected: Disable Windows Defender AV Security Monitoring
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Suspicious powershell command line found
Unusual module load detection (module proxying)
Uses cmd line tools excessively to alter registry or file data
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1844218 Sample: v2discordid.exe Startdate: 03/01/2026 Architecture: WINDOWS Score: 100 72 Sigma detected: Powershell Defender Disable Scan Feature 2->72 74 Modifies Windows Defender protection settings 2->74 76 Adds a directory exclusion to Windows Defender 2->76 78 7 other signatures 2->78 9 v2discordid.exe 12 197 2->9         started        process3 file4 60 C:\Program Files\launcher\launcher.exe, PE32+ 9->60 dropped 62 C:\Users\user\AppData\Local\...\nsis7z.dll, PE32 9->62 dropped 64 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 9->64 dropped 66 17 other files (none is malicious) 9->66 dropped 94 Drops large PE files 9->94 13 launcher.exe 9->13         started        18 powershell.exe 23 9->18         started        20 powershell.exe 19 9->20         started        22 powershell.exe 21 9->22         started        signatures5 process6 dnsIp7 70 172.67.169.134 CLOUDFLARENETUS United States 13->70 68 C:\Users\user\AppData\Local\...\svchost.exe, PE32+ 13->68 dropped 96 Suspicious powershell command line found 13->96 98 Uses cmd line tools excessively to alter registry or file data 13->98 100 Modifies Windows Defender protection settings 13->100 102 Adds a directory exclusion to Windows Defender 13->102 24 cmd.exe 13->24         started        27 cmd.exe 13->27         started        29 cmd.exe 13->29         started        37 17 other processes 13->37 104 Loading BitLocker PowerShell Module 18->104 31 conhost.exe 18->31         started        33 conhost.exe 20->33         started        35 conhost.exe 22->35         started        file8 signatures9 process10 signatures11 82 Suspicious powershell command line found 24->82 84 Uses cmd line tools excessively to alter registry or file data 24->84 86 Bypasses PowerShell execution policy 24->86 54 2 other processes 24->54 88 Modifies Windows Defender protection settings 27->88 90 Disables Windows Defender (via service or powershell) 27->90 39 powershell.exe 27->39         started        42 conhost.exe 27->42         started        92 Adds a directory exclusion to Windows Defender 29->92 44 powershell.exe 29->44         started        46 conhost.exe 29->46         started        48 powershell.exe 37->48         started        50 powershell.exe 37->50         started        52 powershell.exe 37->52         started        56 27 other processes 37->56 process12 signatures13 80 Loading BitLocker PowerShell Module 44->80 58 net1.exe 54->58         started        process14
Score:
66%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/0b439debd24d965d005b155b7573788de5dfb9677c956a91db53649b4906749a
Gathering data
Verdict:
Susipicious
Link:
https://tip.neiki.dev/file/0b439debd24d965d005b155b7573788de5dfb9677c956a91db53649b4906749a
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-01-03 15:26:19 UTC
File Type:
PE (Exe)
Extracted files:
173
AV detection:
4 of 24 (16.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bnbz326sjwlf2ac3cvnxk43yrxs57olhpskwveo3knsjwsigosna._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer trojan
Link:
https://tria.ge/reports/260106-khsfyaylcs/
Behaviour
Checks processor information in registry
Gathers network information
Kills process with taskkill
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Hide Artifacts: Ignore Process Interrupts
Enumerates processes with tasklist
Checks installed software on the system
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Windows security bypass
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e43fcdaa-4687-443b-9126-99a9318d5d0c
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Executable exe 0b439debd24d965d005b155b7573788de5dfb9677c956a91db53649b4906749a

(this sample)

Java Script (JS) js eaf35044a770394428479b090ae6c2268efa53b16c5adf509e41c18a21a4694c

  
Dropping
SHA256 eaf35044a770394428479b090ae6c2268efa53b16c5adf509e41c18a21a4694c
  
Dropping
SHA256 9121cabf48e81cf194bc75950664b1750cc4a2d71d98374d8b56ce4041ad8c30
  
Dropping
SHA256 c428e77e96b9de385e31bb580906220283f70087542ea8561095aa1a656d8f17
  
Dropping
SHA256 4a4aea5de7b193beff8da6611e9d11ee27ec53fc4fcc27356200b109aeff2ab4
  
Dropping
SHA256 f5ca61a19dbd943317f9c116c6feb063ade779f2ef5a5d12a08dbd2254b49fcf
  
Dropping
SHA256 8c4834ee36adc6afcdf4ae9408d7852a16dcf2df70e8e0983c95074cfcedd2e8
  
Dropping
SHA256 34a800f7ebe6b8d14e2f36a3f7f3c2aa07130891b43e6b81229521e77284d367
  
Dropping
SHA256 ef8ecadff909f6f04990db64e7f2efbfaacd8fd6b89a0f3e9bf7631e1dfb4460
  
Dropping
SHA256 5cbb885c283a2ca08171b641f9c85f28e21571841a92fbf722205d9554336ef7
  
Dropping
SHA256 2223ad4dd430fa6969ed61460000d8849521974361b8067aa37d51878f42c30f
  
Dropping
SHA256 5714a9676eb8e40d7fd65feed408b4a1a924759d337821ab8ae505a9e2512736
  
Dropping
SHA256 166181b2ea9dfc55a81eb0e9bcacce097edea7acbb7058c7a0b7d94e894fc290
  
Dropping
MD5 f47554d14a3156e4073de28dfbf82afe
  
Dropping
MD5 9088c2b0355dbb01455a1f9d8e0a9c55
  
Dropping
MD5 48534fe7d5e9672aca363ea1440be724
  
Dropping
MD5 cd0da699ddbcc1ef047890ca70417b4e
  
Dropping
MD5 0bf3aaceb7b702d677c3efbaf132ed0d
  
Dropping
MD5 e5fe204c3741dc0ae199f0579b6310ce
  
Dropping
MD5 9594de159f3e2fa24227f41bf81790a0
  
Dropping
MD5 78b2b856288a519457669b5cfe4dc728
  
Dropping
MD5 0732f51fa6643cf01b7ba99130abf6fe
  
Dropping
MD5 67c67091feb0a7df4f6961dea8a1aa8c
  
Dropping
MD5 1fa45e1f41bb3dd4c227d132b851d45a
  
Dropping
MD5 42a47769a47d9753d5d062dc865dc48f
  
Dropping
SHA256 81cb363766b77333ecd83f68a24eaa7e167cfdd2ac8826e13cfbec5d89e9144b
  
Dropping
MD5 45c77d6557372b6a9e46ed9c61257279

Comments