MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d7888d4cc9c9ca665f8393ffb0bfa1c9a5011da61d35d8d2bcda24342dbb758. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NovaShadowStealer

Vendor detections: 12


SHA256 hash: 1d7888d4cc9c9ca665f8393ffb0bfa1c9a5011da61d35d8d2bcda24342dbb758
SHA3-384 hash: a9d2a40a947f5a43219f02bee1f2f21f7d381104329efba3afaacdaa6e8e3b7cb34d8de0588dab277fd9d2432bce9937
SHA1 hash: e21072e612a45201e2d594a5ab7e7ceadc88951e
MD5 hash: c7bb8e629a40b50af84d8caf27236e1a
humanhash: georgia-mississippi-india-kilo
File name: Test.exe
Signature: NovaShadowStealer
File size: 81'979'030 bytes
First seen: 2025-11-04 17:55:15 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b34f154ec913d2d2c435cbd644e91687 (566 x GuLoader, 121 x RemcosRAT, 82 x EpsilonStealer)
ssdeep: 1572864:h4gPXMoAEklqzfsBwcclm4zKNDENAgVPR62W9Gz3t45pP6Q4WMA/Fixj:h4Ac3PlGa/clmcKNDRG5DW9Sd4/CQ4WW
TLSH: T1A90833E7E94058BFDB4AD3B493623FA23A9A80ED4D782D833242167E59887C4470F577
TrID: 37.3% (.EXE) Win64 Executable (generic) (10522/11/4)
      17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      15.9% (.EXE) Win32 Executable (generic) (4504/4/1)
      7.3% (.ICL) Windows Icons Library (generic) (2059/9)
      7.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
dhash icon: 0c89001130300180 (3 x NovaShadowStealer)
Reporter: burger
Tags: exe NovaShadow NovaShadowStealer RAT

Intelligence

File Origin
# of uploads: 1
# of downloads: 134
Origin country: NL
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Test.exe
Verdict: Malicious activity
Analysis date: 2025-11-04 17:54:09 UTC
Tags: stealer evasion anti-evasion github novashadow auto-reg auto-sch arch-doc generic nodejs auto-download

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 92.5%
Tags: vmdetect extens shell sage
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Searching for the window
DNS request
Connection attempt
Creating synchronization primitives
Creating a process from a recently created file
Creating a window
Creating a file
Searching for synchronization primitives
Unauthorized injection to a recently created process
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Sending a custom TCP request
Loading a suspicious library
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Launching a process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug blackhole crypto installer installer installer-heuristic invalid-signature microsoft_visual_cc nsis overlay packed signed
Verdict: Malicious
File Type: exe x32
First seen: 2025-11-04T14:54:00Z UTC
Last seen: 2025-11-04T16:01:00Z UTC
Hits: ~10
Detections: HEUR:Trojan.Script.Generic
Result
Threat name: n/a
Detection: malicious
Classification: spyw
Score: 52 / 100
Signature
Drops large PE files
Queries Google from non browser process on port 80
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Result
Malware family: n/a
Score: 7/10
Tags: defense_evasion discovery execution persistence spyware stealer
Behaviour
Checks processor information in registry
Detects videocard installed
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
NTFS ADS
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Hide Artifacts: Ignore Process Interrupts
Drops file in System32 directory
Enumerates processes with tasklist
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments