MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17133fd671146d9cb9980c1e6e1798b75d84865f759d03203f010e1abcbbc977. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Havoc

Vendor detections: 13

Intelligence 13 IOCs YARA 1 File information Comments

SHA256 hash:	17133fd671146d9cb9980c1e6e1798b75d84865f759d03203f010e1abcbbc977
SHA3-384 hash:	8838dff4dc6f74e80b9c4ba987b2caced34cee6b778f9e984670fb1c9554f85d7b4a8c8deaaa5da0bacc3320989c07f9
SHA1 hash:	2eb1f2a7a0f77c3c26489238e9cd1838592adbef
MD5 hash:	94ca3ce24c18427f84ee0b590670735a
humanhash:	lima-ink-snake-moon
File name:	file
Download:	download sample
Signature	Havoc Create hunting rule
File size:	11'281'920 bytes
First seen:	2025-12-14 09:40:50 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	50273325e8c998c3212647a12deb8924 (3 x MaskGramStealer, 1 x Havoc)
ssdeep	196608:B1GHysSRqAfG1bETfiqvYOKXVTtSqzaKEnnrX3Uvsn/s4Rhu:B1GcMAmbcfMOwqdr2Pz
TLSH	T190B6235A99E993D4C4D38514A78702CE70D17A8FC8ED9D2D3ECB5C026A30D1B468AEF7
TrID	44.4% (.EXE) Win64 Executable (generic) (10522/11/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey exe fbf543 Havoc

Bitsight

url: http://178.16.55.189/files/6053747383/oRHKvA8.exe

Intelligence

File Origin

# of uploads :

# of downloads :

114

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

17133fd671146d9cb9980c1e6e1798b75d84865f759d03203f010e1abcbbc977.bin.exe

Verdict:

Malicious activity

Analysis date:

2025-12-14 09:41:06 UTC

Tags:

svitstealer stealer

Link:

https://app.any.run/tasks/a2d7357d-7f8d-41be-b831-604ef7d941a6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/44604/

Verdict:

Clean

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=693e864f838ad7e48539223f

Tags:

n/a

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug mingw obfuscated packed packed vmprotect

Link:

https://www.filescan.io/uploads/693e86381eac7b9b76a979df/reports/7b753cba-8e74-4881-81af-cb7c8dc530ac/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/17133fd671146d9cb9980c1e6e1798b75d84865f759d03203f010e1abcbbc977

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-12-14T06:48:00Z UTC

Last seen:

2025-12-14T08:52:00Z UTC

Hits:

~100

Detections:

Trojan-PSW.Vidar.HTTP.C&C PDM:Trojan.Win32.Generic Trojan-PSW.Win32.Vidar.eww

Link:

https://opentip.kaspersky.com/17133fd671146d9cb9980c1e6e1798b75d84865f759d03203f010e1abcbbc977/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/65ee4007-b8ce-4f10-93ed-ad2a734c4da9

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/17133fd671146d9cb9980c1e6e1798b75d84865f759d03203f010e1abcbbc977

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/94ca3ce24c18427f84ee0b590670735a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/17133fd671146d9cb9980c1e6e1798b75d84865f759d03203f010e1abcbbc977/

Verdict:

Malicious

Threat:

Family.MASKGRAM_STEALER

Link:

https://tip.neiki.dev/file/17133fd671146d9cb9980c1e6e1798b75d84865f759d03203f010e1abcbbc977

Threat name:

Win64.Packed.VMProtect

Status:

Suspicious

First seen:

2025-12-14 09:41:08 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

15 of 38 (39.47%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=c4jt7vtrcrwzzomybqpg4f4yw5oyjbs7owoqgib7aehbvpf3zf3q._file

Verdict:

malicious

Label(s):

maskgramstealer

Similar samples:

error

Havoc

Result

Malware family:

maskgram_stealer

Score:

10/10

Tags:

family:maskgram_stealer discovery spyware stealer

Link:

https://tria.ge/reports/251214-lnwafsfx4b/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads WinSCP keys stored on the system

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Detects MaskGramStealer payload

MaskGramStealer

Maskgram_stealer family

Malware Config

C2 Extraction:

hazystripe2004.shop

Verdict:

Suspicious

Tags:

Suspicious_POST_body

YARA:

n/a

Link:

https://app.threat.zone/submission/b9367b22-9ce4-4bcf-bca5-ecbf9cad710e

Unpacked files

SH256 hash:

17133fd671146d9cb9980c1e6e1798b75d84865f759d03203f010e1abcbbc977

MD5 hash:

94ca3ce24c18427f84ee0b590670735a

SHA1 hash:

2eb1f2a7a0f77c3c26489238e9cd1838592adbef

Link:

https://www.unpac.me/results/cfd5bfee-384d-41ce-9ed9-f13cfee88a6e/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/17133fd67114/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.56

Link:

https://yomi.yoroi.company/submissions/17133fd671146d9cb9980c1e6e1798b75d84865f759d03203f010e1abcbbc977

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.