MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1839b09048b9fdc943cac4ff35abce78ce9e5e186a03cd2bcfedbb1a46837333. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1839b09048b9fdc943cac4ff35abce78ce9e5e186a03cd2bcfedbb1a46837333
SHA3-384 hash: 82b113b93722d667420a5d037354fa06ac350ad6e39eb563861c4be8bab8c6ab3f67983f2ea120937fb3066259b441ef
SHA1 hash: 46f13e35baf6a6fc8281a5da23078a5252560d46
MD5 hash: 317f79e621dd1361eda08cad1f3a852e
humanhash: shade-nevada-network-apart
File name:1839b09048b9fdc943cac4ff35abce78ce9e5e186a03cd2bcfedbb1a46837333
Download: download sample
File size:7'514'904 bytes
First seen:2025-02-08 08:12:20 UTC
Last seen:2025-02-08 09:22:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f052f84efefe84f64ac7fab273eb8464 (9 x LummaStealer, 2 x Stealc, 2 x RemcosRAT)
ssdeep 196608:GxB6stW8D0TsFFtbsjY6PpfeE3xeCtTtSx0USapM7lxB:q33oIQJfroiTt/
Threatray 17 similar samples on MalwareBazaar
TLSH T1B176D0137690803EE5AA01314C5FAF6481A97D739A318157F6E0FF1D2DF1982B627B2B
TrID 69.0% (.AX) DirectShow filter (201555/2/20)
19.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
3.6% (.EXE) Win64 Executable (generic) (10522/11/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
File icon (PE):PE icon
dhash icon 5b3931b29cd1631d (9 x LummaStealer, 3 x RemcosRAT, 2 x RedLineStealer)
Reporter JAMESWT_WT
Tags:exe MIKA LLC signed

Code Signing Certificate

Organisation:MIKA LLC
Issuer:GlobalSign GCC R45 EV CodeSigning CA 2020
Algorithm:sha256WithRSAEncryption
Valid from:2024-12-30T15:47:27Z
Valid to:2025-12-31T15:47:27Z
Serial number: 15363337ce1fdc16444d8df3
Intelligence: 5 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist:This certificate is on the Cert Central blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 1edf1df15f84129e6e64ad3236b39107578448f1a1919ee81f5d75621e1da1c5
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
442
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1839b09048b9fdc943cac4ff35abce78ce9e5e186a03cd2bcfedbb1a46837333
Verdict:
No threats detected
Analysis date:
2025-02-08 08:21:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b91bfb23-55c4-41a0-8bac-46f10a30ff6d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.MulDrop29.4431.12376.26325.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67a712fbd010e522d1b7f05b
Tags:
shellcode dropper virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file
Creating a process with a hidden window
Launching cmd.exe command interpreter
DNS request
Behavior that indicates a threat
Connection attempt
Sending a custom TCP request
Query of malicious DNS domain
Unauthorized injection to a system process
Verdict:
Malicious
Labled as:
GenCBL.FNS trojan
Link:
https://www.hybrid-analysis.com/sample/1839b09048b9fdc943cac4ff35abce78ce9e5e186a03cd2bcfedbb1a46837333
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/67b20584-8daa-4471-a707-5e64d3b43c5d
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad.troj
Score:
66 / 100
Link:
https://www.joesandbox.com/analysis/1610048
Signature
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to resolve many domain names, but no domain seems valid
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1610048 Sample: 9YKFpRKy9m.exe Startdate: 08/02/2025 Architecture: WINDOWS Score: 66 47 skirtgrippys.com 2->47 49 shunstriderk.net 2->49 51 9 other IPs or domains 2->51 59 Suricata IDS alerts for network traffic 2->59 61 Antivirus detection for URL or domain 2->61 63 Multi AV Scanner detection for submitted file 2->63 65 3 other signatures 2->65 10 9YKFpRKy9m.exe 29 2->10         started        signatures3 process4 file5 31 C:\Users\user\...\9YKFpRKy9m.exe (copy), PE32 10->31 dropped 33 C:\Users\user\AppData\...\9YKFpRKy9m.exe, PE32 10->33 dropped 35 C:\Users\user\AppData\Local\...\setup.exe, PE32 10->35 dropped 37 C:\Users\user\AppData\Local\...\ISSetup.dll, PE32 10->37 dropped 13 9YKFpRKy9m.exe 54 10->13         started        process6 file7 39 C:\Users\user\AppData\...\vlc.exe (copy), PE32+ 13->39 dropped 41 C:\Users\user\AppData\Local\...\ISSetup.dll, PE32 13->41 dropped 43 C:\Users\user\AppData\Local\...\vlcBCC2.tmp, PE32+ 13->43 dropped 45 14 other files (none is malicious) 13->45 dropped 16 vlc.exe 1 13->16         started        19 ISBEW64.exe 13->19         started        21 ISBEW64.exe 13->21         started        23 4 other processes 13->23 process8 signatures9 55 Maps a DLL or memory area into another process 16->55 57 Found direct / indirect Syscall (likely to bypass EDR) 16->57 25 cmd.exe 1 16->25         started        process10 dnsIp11 53 steamcommunity.com 104.102.49.254, 443, 49716 AKAMAI-ASUS United States 25->53 67 Switches to a custom stack to bypass stack traces 25->67 29 conhost.exe 25->29         started        signatures12 process13
Score:
12%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/1839b09048b9fdc943cac4ff35abce78ce9e5e186a03cd2bcfedbb1a46837333
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1839b09048b9fdc943cac4ff35abce78ce9e5e186a03cd2bcfedbb1a46837333/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=da43becixh64sq6kyt7tlk6opdhj4xqynib42k6p5w5rurudomzq._file
Verdict:
malicious
Label(s):
idatloader
Create hunting rule
blister
Create hunting rule
Similar samples:
1839b09048b9fdc943cac4ff35abce78ce9e5e186a03cd2bcfedbb1a46837333
51ff966b38d83811450bdb3f0d0298df9c94ff316529c4b12f4a6d360815511d
59ae8d923ec039ce1f269ac6bd85486842f399d9e027bf113c53628410bad6bc
81ef49f096ce2f6c458daaa54e9d5b23643a594327fa0c2bfc85b55eb01c00f2
ad0756e532f5dc6d4d77ffc8c36526be8da1acce4943ff5ef34cfe134d7ff314
e9d69675ec56f72930a0a7bc9f43a7cb36231d67ad1e71278943fd3426ae51a6
eae494c5e20eb044971beaab59491b5339b37be0dd5978624d2a2513a3c2dd06
error
+ 7 additional samples on MalwareBazaar
Gathering data
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/199014e2-4aeb-463c-8651-be5177a0ecea
Unpacked files
SH256 hash:
1839b09048b9fdc943cac4ff35abce78ce9e5e186a03cd2bcfedbb1a46837333
MD5 hash:
317f79e621dd1361eda08cad1f3a852e
SHA1 hash:
46f13e35baf6a6fc8281a5da23078a5252560d46
Link:
https://www.unpac.me/results/97739f3e-0a6a-4b06-a24a-43e6d3db7fb1/
SH256 hash:
a01709a3c9d5eaacc6ca6ca47ef2e4e4e00d883289621c5bfff96620bfd93d8c
MD5 hash:
a89bf69cd0836e08a79d5c216ae776ed
SHA1 hash:
7d7ff6143a729726f200b2201c4a0e7358d2274b
Link:
https://www.unpac.me/results/97739f3e-0a6a-4b06-a24a-43e6d3db7fb1/
Malware family:
HijackLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1839b09048b9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1839b09048b9fdc943cac4ff35abce78ce9e5e186a03cd2bcfedbb1a46837333

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::CreateWellKnownSid
ADVAPI32.dll::EqualSid
ADVAPI32.dll::FreeSid
ADVAPI32.dll::SetEntriesInAclW
ADVAPI32.dll::InitializeSecurityDescriptor
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CoInitializeSecurity
ole32.dll::CreateStreamOnHGlobal
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdiplusStartup
gdiplus.dll::GdipDeleteGraphics
gdiplus.dll::GdipAlloc
gdiplus.dll::GdipCreateFromHDC
RPC_APICan Execute Remote ProceduresRPCRT4.dll::RpcStringFreeW
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::GetTokenInformation
ADVAPI32.dll::SetSecurityDescriptorDacl
ADVAPI32.dll::SetSecurityDescriptorGroup
ADVAPI32.dll::SetSecurityDescriptorOwner
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
ADVAPI32.dll::OpenThreadToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetSystemInfo
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileMappingW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::MoveFileExW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegOpenKeyW
ADVAPI32.dll::RegQueryInfoKeyW
ADVAPI32.dll::RegQueryValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::FindWindowExW
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments