MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2143baefd0b108fa1f6cfcfa3eb31d87578c6014117768f06bd8544dd02c8adf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 8

SHA256 hash: 2143baefd0b108fa1f6cfcfa3eb31d87578c6014117768f06bd8544dd02c8adf
SHA3-384 hash: 34cd8a5c730d113ac4d5c0261448687bc0eb8b31a1aa339061903db263035e48bc5b80789d74120377c3656067ec8c69
SHA1 hash: a12a999c81f313ed7d876fc08f7a6120a9d80bc3
MD5 hash: b92adb1db4258756b82e220afc1caa57
humanhash: one-illinois-fruit-alaska
File name: Setup_Network.exe
File size: 75'302'472 bytes
First seen: 2026-06-30 15:20:10 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b34f154ec913d2d2c435cbd644e91687 (587 x GuLoader, 130 x RemcosRAT, 84 x EpsilonStealer)
ssdeep: 1572864:Rde4hdV6xf1HCueCxli7oTVB/HiXbwXAwh2MBLqGA++ztI6nK:Rde4Doxft1DfO2OUwwxBOTtI6K
TLSH: T1EFF7338788AC70B9F3D4FB3E075E173BD232006B4264B69593E86DB175D281E98767C2
TrID: 27.0% (.EXE) Win64 Executable (generic) (6522/11/2)
      20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
      8.5% (.ICL) Windows Icons Library (generic) (2059/9)
      8.4% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
dhash icon: 8203010509030382
Reporter: SquiblydooBlog
Tags: exe signed

Code Signing Certificate

Organisation: F & P PARTNERS LIMITED
Issuer: SSL.com EV Code Signing Intermediate CA RSA R3
Algorithm: sha256WithRSAEncryption
Valid from: 2026-05-19T11:27:36Z
Valid to: 2027-04-30T12:16:11Z
Serial number: 74fc5c06d52c787d6cecff46bb4ef584
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Graveyard Blocklist: This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm: SHA256
Thumbprint: f51a301aa700a00b9d572cf0430f565ec54978b3809b88734f8666b3d9bbe451
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads: 1
# of downloads: 184
Origin country: US
Vendor Threat Intelligence

Malware family:
ID: 1
File name: Setup_Network.exe
Verdict: Malicious activity
Analysis date: 2026-06-30 12:45:22 UTC
Tags: evasion python arch-exec arch-doc stealer stealc vidar
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 90.2%
Tags: xtreme shell sage

Result
Verdict: Malware
Maliciousness:
Behaviour:
  Creating a file in the %temp% subdirectories
  Creating synchronization primitives
  Creating a window
  Searching for the window
  Searching for the Windows task manager window
  Launching a process
  Creating a process with a hidden window
  Using the Windows Management Instrumentation requests
  Creating a file
  Creating a file in the %AppData% subdirectories
  Creating a process from a recently created file
  Deleting a recently created file
  Running batch commands

Verdict: Unknown
Threat level: 2.5/10
Confidence: 100%
Tags: adaptive-context anti-debug anti-vm crypto fingerprint installer installer installer-heuristic microsoft_visual_cc nsis packed reconnaissance signed

Gathering data

Result
Malware family: n/a
Score: 8/10
Tags: adware defense_evasion discovery execution persistence privilege_escalation ransomware spyware
Behaviour:
  Checks processor information in registry
  Gathers network information
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of FindShellTrayWindow
  Suspicious use of SendNotifyMessage
  Suspicious use of WriteProcessMemory
  Enumerates physical storage devices
  Event Triggered Execution: Netsh Helper DLL
  System Location Discovery: System Language Discovery
  Checks installed software on the system
  Drops file in Windows directory
  Executes dropped EXE
  Hide Artifacts: Ignore Process Interrupts
  Loads dropped DLL
  Checks computer location settings
  Command and Scripting Interpreter: PowerShell

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: Detect_NSIS_Nullsoft_Installer
Author: Obscurity Labs LLC
Description: Detects NSIS installers by .ndata section + NSIS header string

Rule name: GenesisStealer_Installer_NSIS_MaaS_Template
Author: n3r
Description: GenesisStealer NSIS installer (MaaS template). Imphash-based broad detector - also catches ScarfaceStealer / RemusStealer / VoidStealer variants sharing the same installer shell.

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name: telebot_framework
Author: vietdx.mb

Rule name: TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author: CYFARE
Description: Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference: https://cyfare.net/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments