MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 139480e1c4ae77b2b865460af38b48ad32fbc8a68c3c657baac3ab3896226192. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 12

Intelligence 12 IOCs YARA 6 File information Comments

SHA256 hash:	139480e1c4ae77b2b865460af38b48ad32fbc8a68c3c657baac3ab3896226192
SHA3-384 hash:	f15431ba163c8bb26d1323a27f5b7ff067028d6dffef86efe529fdadbd01aaa76f0bae0187339fb209012a76d51de630
SHA1 hash:	89673fcc6c344b60c267588ed79362c355de78f8
MD5 hash:	2dd54a1a164182c0b87d9eb2b254be74
humanhash:	floor-aspen-arkansas-rugby
File name:	Trojan.exe
Download:	download sample
File size:	446'464 bytes
First seen:	2026-02-27 21:48:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a36817d78b68cd4fff8a5565537870bd
ssdeep	12288:7MSU4joci8M6PW1GVFeFd60DFUyhevYM:ASUCpM2W1Gvgmyevv
TLSH	T186947D27F6D08437D16336B9DC1B9698A929BD505D24244A3BF83E4C4F39383F92629F
TrID	69.1% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58) 27.3% (.EXE) Win32 Executable Borland Delphi 6 (262638/61) 1.4% (.EXE) Win32 Executable Delphi generic (14182/79/4) 0.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 0.4% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	BastianHein
Tags:	exe Ransomware

Intelligence

File Origin

# of uploads :

# of downloads :

134

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

Trojan.exe

Verdict:

Malicious activity

Analysis date:

2026-02-27 21:50:02 UTC

Tags:

auto-reg delphi

Link:

https://app.any.run/tasks/ebdd8014-ad57-4d6f-b8e7-e28fb354e38d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/54936/

Detection(s):

Win.Malware.Atus-9659809-0

Win.Trojan.Gimemo-820

Win.Trojan.Gimemo-808

Win.Trojan.Gimemo-821

PUA.Win.Packer.BorlandDelphi-15

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69a21125c950ab5d9ab2422e

Tags:

delphi gimemo

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

adaptive-context anti-debug borland_delphi explorer fingerprint keylogger lockscreen lolbin packed runonce ryuk strictor

Link:

https://www.filescan.io/uploads/69a2112197feb4afd660456f/reports/cd88afe4-2cd7-40a6-b48a-550f3fc29e8e/overview

Verdict:

Malicious

Labled as:

Ransom.Ryuk.Generic

Link:

https://www.hybrid-analysis.com/sample/139480e1c4ae77b2b865460af38b48ad32fbc8a68c3c657baac3ab3896226192

Verdict:

Malicious

File Type:

exe x32

Detections:

Trojan.Win32.Agent.sb PDM:Trojan.Win32.ScreenLocker.gen PDM:Trojan.Win32.Generic Trojan-Ransom.Win32.Gimemo.cdqu HEUR:Trojan-Ransom.Win32.Blocker.gen

Link:

https://opentip.kaspersky.com/139480e1c4ae77b2b865460af38b48ad32fbc8a68c3c657baac3ab3896226192/results?tab=lookup

Malware family:

Gimemo

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2c0199ff-7641-463f-8315-efaa9a737410

Score:

90%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/139480e1c4ae77b2b865460af38b48ad32fbc8a68c3c657baac3ab3896226192

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/139480e1c4ae77b2b865460af38b48ad32fbc8a68c3c657baac3ab3896226192/

Verdict:

Malicious

Threat:

Trojan-Ransom.Win32.Gimemo

Link:

https://tip.neiki.dev/file/139480e1c4ae77b2b865460af38b48ad32fbc8a68c3c657baac3ab3896226192

Threat name:

Win32.Trojan.Strictor

Status:

Malicious

First seen:

2026-02-27 21:48:27 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 24 (95.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cokibyoevz33fodfiyfphc2ivuzpxsfgrq6gk65kyovtrfrcmgja._file

Result

Malware family:

n/a

Score:

10/10

Tags:

discovery persistence

Link:

https://tria.ge/reports/260227-1nwnjsg17e/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

System Location Discovery: System Language Discovery

Adds Run key to start application

Modifies WinLogon for persistence

Unpacked files

SH256 hash:

e37aa72bca3cecb9bdbe51cbd81ec1143bb17163088a1379a4ccb93f5d881e76

MD5 hash:

5cac4fe734fc8454ccb847e030beee38

SHA1 hash:

34298fe220e35f614b2c837cf1dc2604ab0882d6

Link:

https://www.unpac.me/results/3e0f9f02-c00b-4bec-9070-db154df53e4d/

SH256 hash:

ad80064f71d273967dcf0b14b9cd6e84d79a132231d619687d9266c7807bdfe0

MD5 hash:

a35ee23aaab26afc575ac83df9572b57

SHA1 hash:

81ea38c694ce9702faddfb961f17c1bbf628a76d

Link:

https://www.unpac.me/results/3e0f9f02-c00b-4bec-9070-db154df53e4d/

SH256 hash:

00b9c0120df0595184523a3620ef9b3c3e11fc0e61d366d7eeabb646647cfceb

MD5 hash:

bd1f243ee2140f2f6118a7754ea02a63

SHA1 hash:

cdf7dd7dd1771edcc473037af80afd7e449e30d9

Link:

https://www.unpac.me/results/3e0f9f02-c00b-4bec-9070-db154df53e4d/

SH256 hash:

0377585ec50ed2e1b3d8519be272599f31024accd20b484ddae8240e09cc83b4

MD5 hash:

13d3997b43c3d5cbafb0ff10b6f0dee1

SHA1 hash:

e650a76f3fa8d28e2ff3751ccf44d124ef2b82bd

Link:

https://www.unpac.me/results/3e0f9f02-c00b-4bec-9070-db154df53e4d/

SH256 hash:

139480e1c4ae77b2b865460af38b48ad32fbc8a68c3c657baac3ab3896226192

MD5 hash:

2dd54a1a164182c0b87d9eb2b254be74

SHA1 hash:

89673fcc6c344b60c267588ed79362c355de78f8

Link:

https://www.unpac.me/results/3e0f9f02-c00b-4bec-9070-db154df53e4d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/139480e1c4ae77b2b865460af38b48ad32fbc8a68c3c657baac3ab3896226192

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BobSoftMiniDelphiBoBBobSoft Create hunting rule
Author:	malware-lu

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	WinLock Create hunting rule
Author:	@bartblaze
Description:	Identifies WinLock (aka Blocker) ransomware variants generically.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/54936/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample