MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 237b2f44a9db7883790037fa0b9ffb4f765c76499fd4732a6777e13500ecfcb5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MetaStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 5 File information Comments

SHA256 hash:	237b2f44a9db7883790037fa0b9ffb4f765c76499fd4732a6777e13500ecfcb5
SHA3-384 hash:	e59440f0fce26c8493364d8c904f614e53ef7eff4796eac8fd3aef0f4e57239e987db0e7be749613799af5452c3ae1e2
SHA1 hash:	5aa3f448131f388b7d91b8f22d0ce62b7cdc2744
MD5 hash:	56b7a94539b3e9e34d4842ca4cf47e0e
humanhash:	robert-mountain-april-idaho
File name:	237b2f44a9db7883790037fa0b9ffb4f765c76499fd4732a6777e13500ecfcb5
Download:	download sample
Signature	MetaStealer Create hunting rule
File size:	1'292'288 bytes
First seen:	2025-08-12 14:20:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep	24576:5tb20pkaCqT5TBWgNQ7aNr7fBhCuu8T8iDpvYhtI6A:KVg5tQ7aNr7fBYU7ShO5
TLSH	T1BE55D01373DE8361C3B25273BA25B7416EBF782506B1F96B2FD4093DE920122525EB63
TrID	40.3% (.EXE) Win64 Executable (generic) (10522/11/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4504/4/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
dhash icon	aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter	adrian__luca
Tags:	exe metastealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

237b2f44a9db7883790037fa0b9ffb4f765c76499fd4732a6777e13500ecfcb5

Verdict:

No threats detected

Analysis date:

2025-08-12 18:47:18 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/efb2b09e-7494-42e0-8ffb-8b19836459a5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/20612/

Verdict:

Malicious

Score:

93.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=689b4f6fc633abe3908e4f08

Tags:

autoit emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Restart of the analyzed sample

Launching a process

BSOD occurred

Forced shutdown of a system process

Unauthorized injection to a system process

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/237b2f44a9db7883790037fa0b9ffb4f765c76499fd4732a6777e13500ecfcb5

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ce8c7b7e-5859-49ae-ba75-f647d7cf21ec

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/237b2f44a9db7883790037fa0b9ffb4f765c76499fd4732a6777e13500ecfcb5

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/237b2f44a9db7883790037fa0b9ffb4f765c76499fd4732a6777e13500ecfcb5/

Threat name:

Win32.Trojan.AutoitInject

Status:

Malicious

First seen:

2025-07-25 04:19:11 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

29 of 36 (80.56%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=en5s6rfj3n4ig6iag75axh73j53fy5sjt7khgktho7qtkahm7s2q._file

Result

Malware family:

n/a

Score:

5/10

Tags:

discovery

Link:

https://tria.ge/reports/250812-s2x5jaskw6/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/b7781975-3cae-4027-b689-a2b30a4275b3

Unpacked files

SH256 hash:

237b2f44a9db7883790037fa0b9ffb4f765c76499fd4732a6777e13500ecfcb5

MD5 hash:

56b7a94539b3e9e34d4842ca4cf47e0e

SHA1 hash:

5aa3f448131f388b7d91b8f22d0ce62b7cdc2744

Link:

https://www.unpac.me/results/27300469-8faf-4b44-a9c2-081e433c32b0/

SH256 hash:

321c0ecba7d8bfa67b3e3a47fb3978bc9c0d86babad2fd196becbcc5ce6ca5a4

MD5 hash:

4e37a6d4a1d072f448a41929a4fff0f2

SHA1 hash:

54ec55b1f8151fa5cbd66fcd704fe167871e4d7b

Detections:

win_samsam_auto

SUSP_OBF_NET_Reactor_Native_Stub_Jan24

MAL_Malware_Imphash_Mar23_1

MetaStealer_NET_Reactor_packer

MALWARE_Win_RedLine

Link:

https://www.unpac.me/results/27300469-8faf-4b44-a9c2-081e433c32b0/

Parent samples :

0094fc5c570fbe55996557919c14a19aef098d14823b68a815f8d41757cb3684
e74447674de0d55b2b2cde2c6bde58806c411c3f0304d518630bf850145f2cef
8338252e1b1b007bfb5317df49e88c9aeb3b7f8206465c2e84f9d2d949e7cf95
cd6ead626c8b5df6f95887fba78fd19cd506716eff119c050f8083bb8b7efe87
eaf06d0161d881f32c23d38ed02cc8112f302367b96b588724541b0c7788a0c8
b28b0934f36d4af7c1882a2d9ab9214e65821b007b4b89bece7daf72ac3f024e
0568496f5fe35ca41b4a979106cac8a6ef15f5a0a6725fd4786795c1d2de152c
e4b64ae324a75568f82dd940c4017726c020051668cbb1832e88f4e806abe4e4
8b4e5f9c54d037c26559bf5c120c1a8a6f4a9c214c4f20ac44368857ac1bf260
5731c236ea34601df844e56e5a06681f2b56ad2c00066e10049bb16a5700630f
1220ac02f58b92353d39a8835a05d509f42244112eea97a789712aee5c22eb85
237b2f44a9db7883790037fa0b9ffb4f765c76499fd4732a6777e13500ecfcb5
14e7936882debada11baf4d5075cb0f81c89257464a35a53012ddd4c18fefd63
55edd2620490e0aa9f0a40f4183a5959a1a5e35bef971399b6703cdc5e817894
ce241e344c9db9df9c0f257fd145c6a676429d315bd0748f89a4ab8657697798

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/237b2f44a9db7883790037fa0b9ffb4f765c76499fd4732a6777e13500ecfcb5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	YahLover Create hunting rule
Author:	Kevin Falcoz
Description:	YahLover

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/20612/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample