MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 194ec434d1a694bf867018cecbfb4ae73572ddc0d2bc183e9ca8bd1a16a069a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 10

Intelligence 10 IOCs YARA 5 File information Comments

SHA256 hash:	194ec434d1a694bf867018cecbfb4ae73572ddc0d2bc183e9ca8bd1a16a069a3
SHA3-384 hash:	3dc5434c9ac45a07479139ebd88cf025a32a4b937155f6a87be63dba9a078112f70a8374ef62f00387dba2486a0c01e6
SHA1 hash:	6659ff2b5cdb8c49dd54e30df95393d540753ef3
MD5 hash:	7f24dd0329eb9306f8dce6f2548c3929
humanhash:	xray-rugby-batman-violet
File name:	file
Download:	download sample
File size:	350'149 bytes
First seen:	2026-04-16 10:04:16 UTC
Last seen:	2026-04-16 10:51:58 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	ea6918034a83f5956b9482486b6620f6
ssdeep	6144:8Itw1C+ut28dMR1P8QEJfsZNTz/hb0AF2U2sFAizI2Q2+01UFv5F94G4aUtWehet:8huFyR10QERKjhb0AF2U2sFAizI2Q2+5
TLSH	T118742949FB4700F0E6179BB18DEFD7B7C6147A644126EAB7FB4EDA42B4336072844286
TrID	39.7% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 21.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 8.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 8.3% (.EXE) Win64 Executable (generic) (6522/11/2) 6.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika	pebin
Reporter	Bitsight
Tags:	c dropped-by-gcleaner exe MIX4.file

Bitsight

url: http://158.94.209.95/service

Intelligence

File Origin

# of uploads :

# of downloads :

194

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

_194ec434d1a694bf867018cecbfb4ae73572ddc0d2bc183e9ca8bd1a16a069a3.exe

Verdict:

Malicious activity

Analysis date:

2026-04-16 10:05:18 UTC

Tags:

anti-evasion

Link:

https://app.any.run/tasks/41c76625-41f6-4704-9699-a11979c5c94b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/61858/

Detection(s):

SecuriteInfo.com.FileRepMalware.36711299.UNOFFICIAL

Verdict:

Malicious

Score:

94.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69e0b43bf68adfe1003a57f3

Tags:

ransomware injection

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file in the %temp% directory

DNS request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug anti-vm exploit overlay packed packed

Link:

https://www.filescan.io/uploads/69e0b4355ea31bc68a30827d/reports/3d4e20f8-c1e7-4e7a-ba33-8fb9be46d1f3/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/194ec434d1a694bf867018cecbfb4ae73572ddc0d2bc183e9ca8bd1a16a069a3

Verdict:

Clean

File Type:

exe x32

Link:

https://opentip.kaspersky.com/194ec434d1a694bf867018cecbfb4ae73572ddc0d2bc183e9ca8bd1a16a069a3/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/8cf63a4d-ccc5-4e4d-8171-60f6de16e4a1

Score:

89%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/194ec434d1a694bf867018cecbfb4ae73572ddc0d2bc183e9ca8bd1a16a069a3

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/194ec434d1a694bf867018cecbfb4ae73572ddc0d2bc183e9ca8bd1a16a069a3/

Verdict:

Malicious

Link:

https://tip.neiki.dev/file/194ec434d1a694bf867018cecbfb4ae73572ddc0d2bc183e9ca8bd1a16a069a3

Threat name:

Win32.Trojan.Yomal

Status:

Malicious

First seen:

2026-04-16 10:04:42 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 38 (60.53%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dfhmingru2kl7btqddhmx62k442xfxoa2k6bqpu4vc6rufvangrq._file

Result

Malware family:

n/a

Score:

8/10

Tags:

defense_evasion discovery execution

Link:

https://tria.ge/reports/260416-l39fmacv6j/

Behaviour

Enumerates system info in registry

Kills process with taskkill

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Views/modifies file attributes

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Checks installed software on the system

Checks BIOS information in registry

Executes dropped EXE

Loads dropped DLL

Command and Scripting Interpreter: PowerShell

Unpacked files

SH256 hash:

194ec434d1a694bf867018cecbfb4ae73572ddc0d2bc183e9ca8bd1a16a069a3

MD5 hash:

7f24dd0329eb9306f8dce6f2548c3929

SHA1 hash:

6659ff2b5cdb8c49dd54e30df95393d540753ef3

Link:

https://www.unpac.me/results/6ee073a1-c1e8-47ac-8c2d-903bf70a4a27/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/194ec434d1a694bf867018cecbfb4ae73572ddc0d2bc183e9ca8bd1a16a069a3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 194ec434d1a694bf867018cecbfb4ae73572ddc0d2bc183e9ca8bd1a16a069a3

(this sample)

Dropped by

Gcleaner

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/61858/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample