MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1be5d7ecc54005badf1cc4bd6503bd8771e74fb2ad5cf6de3f690316224e2f21. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 17


Intelligence 17 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1be5d7ecc54005badf1cc4bd6503bd8771e74fb2ad5cf6de3f690316224e2f21
SHA3-384 hash: 185624b97e53ab4886b2eba0781acbfa477fdb2fb0de9d3b8359fa424fe9db7cc4605a9f0e71aa55c12a75465d214af2
SHA1 hash: cdcd9dfd68e047a0ed635297127a2476a400c56c
MD5 hash: 27e9def766a2c37653d446141c302088
humanhash: zulu-undress-potato-carolina
File name:27e9def766a2c37653d446141c302088.exe
Download: download sample
File size:347'136 bytes
First seen:2026-04-13 12:31:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c59b379fe0b813ba434c2a225c8fce49 (1 x Stealc)
ssdeep 6144:rdnTQIGOEzuYzN9NcvgY+MFbnHTfXDt12CKNNHQB/ay:rz/2cFHFbnHj72tFQha
Threatray 67 similar samples on MalwareBazaar
TLSH T11B746B55B6A408F9E967823CC9A34A06D7F2BC560770EBCF03A046965F277D09E3E721
TrID 33.1% (.EXE) Win64 Executable (generic) (6522/11/2)
25.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.4% (.ICL) Windows Icons Library (generic) (2059/9)
10.3% (.EXE) OS/2 Executable (generic) (2029/13)
10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
115
Origin country :
SE SE
Vendor Threat Intelligence
Malware configuration found for:
Diamotrix
Details
Link:
https://research.acce.ciphertechsolutions.com/results/d6a6fe56-4d37-4e14-a24f-63b6c0e82732/
Malware family:
amadey
Create hunting rule
ID:
1
File name:
HMC_2.3.exe
Verdict:
Malicious activity
Analysis date:
2026-04-13 03:17:06 UTC
Tags:
auto-sch stealc stealer auto-reg amadey botnet loader generic golang fsg upx vmprotect themida
Link:
https://app.any.run/tasks/2b7f7208-edd4-42ff-90ed-fe173b7bf1c8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/61363/
Detection(s):
Win.Keylogger.Clipbanker-10059291-0
Create hunting rule

Win.Trojan.Lazy-10059292-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69dce233f68adfe100395e1b
Tags:
cobalt emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug clipbanker exploit explorer keylogger lolbin microsoft_visual_cc similar-threat
Link:
https://www.filescan.io/uploads/69dce2315ea31bc68a26016b/reports/63bf8749-84d2-4ba8-8df2-66eb3ebac3ec/overview
Verdict:
Malicious
Labled as:
Trojan.Loader.Marte.6.Generic
Link:
https://www.hybrid-analysis.com/sample/1be5d7ecc54005badf1cc4bd6503bd8771e74fb2ad5cf6de3f690316224e2f21
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-04-12T22:20:00Z UTC
Last seen:
2026-04-14T23:27:00Z UTC
Hits:
~100
Detections:
Backdoor.Win32.Androm.sb Trojan.Win32.Agent.sb VHO:Backdoor.Win32.Androm.gen Trojan-Dropper.Win32.Injector.sb Trojan-Banker.Win32.ClipBanker.sb Trojan-Banker.Win32.ClipBanker.aicn PDM:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/1be5d7ecc54005badf1cc4bd6503bd8771e74fb2ad5cf6de3f690316224e2f21/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/42a848df-e8e9-419a-8bf4-224d11e888bd
Result
Threat name:
Clipboard Hijacker
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1897331
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Clipboard Hijacker
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1be5d7ecc54005badf1cc4bd6503bd8771e74fb2ad5cf6de3f690316224e2f21
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1be5d7ecc54005badf1cc4bd6503bd8771e74fb2ad5cf6de3f690316224e2f21/
Verdict:
Malicious
Threat:
VHO:Backdoor.Win32.Androm
Link:
https://tip.neiki.dev/file/1be5d7ecc54005badf1cc4bd6503bd8771e74fb2ad5cf6de3f690316224e2f21
Threat name:
Win64.Trojan.Kepavll
Create hunting rule
Status:
Malicious
First seen:
2026-04-13 03:19:36 UTC
File Type:
PE+ (Exe)
Extracted files:
2
AV detection:
25 of 37 (67.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dps5p3gfiac3vxy4ys6wka55q5y6ot5svvopnxr7nebrmisof4qq._file
Verdict:
malicious
Label(s):
unc_clipper_003
Create hunting rule
Similar samples:
13ce5c118a3fbf487bafcabed33baf036c4d52cf9d86aa96ee5b3fd12b466d6d
1be5d7ecc54005badf1cc4bd6503bd8771e74fb2ad5cf6de3f690316224e2f21
423b1dbb76e3a758ea0af0729c743f37379be98e05e5cc5e79b9fa97b6c84e38
7b2620cf008268fa8eff18c136ca020fa948634e646f7301ab48a5dd936033fd
7fce08e61518e3a04997cb74997a310a39279b6f80f2f288075009caa213456c
8f9e7b559aa9c2aedc0453bde8ac2eb966d00e43fd9fbdbfe50fba5591020887
bed6af9ba6758303763a09b019dee3c61dcc3a5bbd3af631bcdbcf74b63f23c0
ea05197e0c3bfb7ca461146bcfba417834b97a96d2a24397d745fe0f487e5d59
error
+ 57 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/260413-pqdd7scy4n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Adds Run key to start application
Unpacked files
SH256 hash:
1be5d7ecc54005badf1cc4bd6503bd8771e74fb2ad5cf6de3f690316224e2f21
MD5 hash:
27e9def766a2c37653d446141c302088
SHA1 hash:
cdcd9dfd68e047a0ed635297127a2476a400c56c
Link:
https://www.unpac.me/results/b2fc07c0-28a2-45e5-8dec-17118a67dc12/
SH256 hash:
efd7a7b24c10671221d29cfe2e10325e619d95cdb50e3d2ece63dc678e9f8894
MD5 hash:
1ba3576afd867cdbf7076d19e31e2cdb
SHA1 hash:
8918ec86a9f7d5efc8b0b21800ae458832507234
Detections:
ReflectiveLoader
Create hunting rule
INDICATOR_SUSPICIOUS_ReflectiveLoader
Create hunting rule
Link:
https://www.unpac.me/results/b2fc07c0-28a2-45e5-8dec-17118a67dc12/
Parent samples :
1be5d7ecc54005badf1cc4bd6503bd8771e74fb2ad5cf6de3f690316224e2f21
1c99507c21061f21ab8e7b6a28df09579859a97ded37c05f2ea219ac9c24fabf
7b5393d8d7a7a6d1edf9493edbbb5f0b037206ee254c47a25530705c75838a62
46a734ef77c291ff74dc18872ad39c74139efe2abe9234591f80551bb5ac2920
f8e7c3df513d88989ccad1b2a17f88c7effff717e8038cf9a88e7fee7be7ef5c
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1be5d7ecc540/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1be5d7ecc54005badf1cc4bd6503bd8771e74fb2ad5cf6de3f690316224e2f21

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_ReflectiveLoader
Create hunting rule
Author:ditekSHen
Description:Detects Reflective DLL injection artifacts
Rule name:ReflectiveLoader
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:Internal Research
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 1be5d7ecc54005badf1cc4bd6503bd8771e74fb2ad5cf6de3f690316224e2f21

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/61363/
  
URLhaus
https://urlhaus.abuse.ch/url/3817769/
  
Delivery method
Distributed via web download

Comments