MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f62857fcc24f17c6fa05f3fcf44f7d5de734f329e27a374f27204e305517cac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments

SHA256 hash: 1f62857fcc24f17c6fa05f3fcf44f7d5de734f329e27a374f27204e305517cac
SHA3-384 hash: 9d291cb6424a8161797cb6d02ff0072f36e9ff6a450b51e3f1c239f6aad8dbc34f04b57479865db297ddcba836b771fc
SHA1 hash: 19038b0108050538faf8b511795eb50333461d5b
MD5 hash: 956fa823e5029b6d396bca8b42cfd884
humanhash: twelve-apart-sad-twenty
File name:Voltix.exe
Download: download sample
File size:1'254'920 bytes
First seen:2026-06-22 07:49:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ba028ec6d8e2bcde182b2571d10c180a
ssdeep 24576:himJtSg7oS7cp3DuhTE8Y3s2IfY80RYkpofFk:hiGtdy3sTE8Yc2qYPRnv
TLSH T18B45F003BF40C546D59A5E3099B5D7F86330FC58AA26874B30E6AE2BBDDD6C34E122D4
TrID 33.1% (.EXE) Win64 Executable (generic) (6522/11/2)
25.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.4% (.ICL) Windows Icons Library (generic) (2059/9)
10.3% (.EXE) OS/2 Executable (generic) (2029/13)
10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon d4e879b2b271e8d4
Reporter burger
Tags:exe signed

Code Signing Certificate

Organisation:Recent File Hash Checker
Issuer:Recent File Hash Checker
Algorithm:sha512WithRSAEncryption
Valid from:2026-06-21T13:23:59Z
Valid to:2029-06-21T13:33:59Z
Serial number: 4528fc4ece95ac8a449b9943c21de059
Thumbprint Algorithm:SHA256
Thumbprint: 213c48fd9cae8e10b236d21ae595fe35cf6b607cb5e50036df81be2f41bcd1b1
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads :
1
# of downloads :
121
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
https://share.google/d2ZtaWcsFVErINL02
Verdict:
Malicious activity
Analysis date:
2026-06-21 17:41:46 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
mingw packed signed
Verdict:
Clean
File Type:
exe x64
First seen:
2026-06-21T17:52:00Z UTC
Last seen:
2026-06-23T23:46:00Z UTC
Hits:
~10
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
AI detected suspicious PE digital signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates / moves files in alternative data streams (ADS)
Creates an undocumented autostart registry key
Deletes itself after installation
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (exiting after language check)
Hides threads from debuggers
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Queries DNS domain through GetComputerNameExW (potential sandbox evasion)
Sets debug register (to hijack the execution of another thread)
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Unusual module load detection (module proxying)
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1931630 Sample: Voltix.exe Startdate: 22/06/2026 Architecture: WINDOWS Score: 100 42 meta.study-run.xyz 2->42 44 polygon.field-crew12.one 2->44 46 2 other IPs or domains 2->46 58 Suricata IDS alerts for network traffic 2->58 60 Antivirus / Scanner detection for submitted sample 2->60 62 Multi AV Scanner detection for dropped file 2->62 66 5 other signatures 2->66 9 Voltix.exe 14 2->9         started        signatures3 64 Performs DNS queries to domains with low reputation 42->64 process4 dnsIp5 52 meta.study-run.xyz 172.67.147.204, 443, 49716 CLOUDFLARENET-CloudflareIncUS Canada 9->52 54 158.94.208.44, 49720, 80 OMEGATECH-ASSC Germany 9->54 56 litter.catbox.moe 108.181.20.36, 443, 49705 AS40676-PsychzNetworksUS United States 9->56 34 C:\Users\user\AppData\...\mjt17gikr8.exe, PE32+ 9->34 dropped 36 C:\Users\user\AppData\...\hdtycxlg6p.exe, PE32+ 9->36 dropped 76 Creates / moves files in alternative data streams (ADS) 9->76 78 Tries to harvest and steal browser information (history, passwords, etc) 9->78 80 Sets debug register (to hijack the execution of another thread) 9->80 82 8 other signatures 9->82 14 hdtycxlg6p.exe 1 9 9->14         started        18 mjt17gikr8.exe 97 9->18         started        21 chrome.exe 9->21         started        file6 signatures7 process8 dnsIp9 38 C:\Users\user\...\AppReadiness8bbe01.exe, PE32+ 14->38 dropped 40 :x (copy), PE32+ 14->40 dropped 84 Antivirus detection for dropped file 14->84 86 Multi AV Scanner detection for dropped file 14->86 88 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 14->88 98 3 other signatures 14->98 23 AppReadiness8bbe01.exe 14->23         started        48 polygon.drpc.org 104.18.10.59, 443, 49721 CLOUDFLARENET-CloudflareIncUS Canada 18->48 50 polygon.field-crew12.one 104.21.89.94, 443, 49722, 49723 CLOUDFLARENET-CloudflareIncUS Canada 18->50 90 Suspicious powershell command line found 18->90 92 Tries to steal Crypto Currency Wallets 18->92 94 Installs a global keyboard hook 18->94 96 Queries DNS domain through GetComputerNameExW (potential sandbox evasion) 18->96 26 powershell.exe 15 18->26         started        28 explorer.exe 79 4 18->28 injected 30 chrome.exe 21->30         started        file10 signatures11 process12 signatures13 68 Antivirus detection for dropped file 23->68 70 Multi AV Scanner detection for dropped file 23->70 72 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 23->72 74 Found evasive API chain (exiting after language check) 23->74 32 conhost.exe 26->32         started        process14
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Threat name:
Win64.Trojan.Ulise
Status:
Malicious
First seen:
2026-06-21 17:20:37 UTC
File Type:
PE+ (Exe)
Extracted files:
7
AV detection:
19 of 38 (50.00%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Behaviour
Suspicious use of NtSetInformationThreadHideFromDebugger
Unpacked files
SH256 hash:
1f62857fcc24f17c6fa05f3fcf44f7d5de734f329e27a374f27204e305517cac
MD5 hash:
956fa823e5029b6d396bca8b42cfd884
SHA1 hash:
19038b0108050538faf8b511795eb50333461d5b
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:PE_Digital_Certificate
Author:albertzsigovits
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments