MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24c0ba6060643f5428f88a293ff4ee911bc1a3cb06e077468b3042b7700537f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GenesisStealer


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 24c0ba6060643f5428f88a293ff4ee911bc1a3cb06e077468b3042b7700537f0
SHA3-384 hash: c022ae0072f11cb1b8edc16ede4bda7dab29dada5ad73f4f31ef7a76175ab98671d3c7317e32662330f8f021df5ba397
SHA1 hash: f5896c02af58cd6e6c6791691fe4b4ac101a056c
MD5 hash: 75ddcecd61e497005b78ad198c83f859
humanhash: fruit-sink-ink-yankee
File name:KalyLauncher Setup 1.0.0.exe
Download: download sample
Signature GenesisStealer
Create hunting rule
File size:82'250'747 bytes
First seen:2025-08-19 14:37:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (525 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 1572864:4p+BWqL9BHXd4xiLwbzwiGnvsUiZEeOSAInIxVWyqeI:4AB193wbUiv/Xn2Ml/
TLSH T146083315BBE0E1BEF4B5FA7E61E578500336FAC789F167072D8E80890635B1D2C29992
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 0c327073d4d4ec9c (1 x GenesisStealer)
Reporter burger
Tags:exe GenesisStealer stealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
KalyLauncherSetup1.0.0.exe
Verdict:
Malicious activity
Analysis date:
2025-08-19 14:34:10 UTC
Tags:
discord evasion stealer arch-doc generic ims-api nodejs
Link:
https://app.any.run/tasks/e4dd6a0e-a8b4-41ce-8e35-07ce45d871f3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68a48c948fd55a79c5293e2a
Tags:
extens shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a window
Searching for the window
Searching for the Windows task manager window
Running batch commands
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Creating a file
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Searching for synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Unauthorized injection to a recently created process
Sending a custom TCP request
Loading a suspicious library
Moving a file to the %AppData% subdirectory
Changing a file
Possible injection to a system process
Launching a tool to kill processes
Forced shutdown of a browser
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug blackhole installer microsoft_visual_cc overlay overlay packed
Link:
https://www.filescan.io/uploads/68a48deaf516093e09c6367e/reports/149927a2-2090-4878-a033-da1df9c65842/overview
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/24c0ba6060643f5428f88a293ff4ee911bc1a3cb06e077468b3042b7700537f0
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1760313
Signature
Drops large PE files
Excessive usage of taskkill to terminate processes
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Query firmware table information (likely to detect VMs)
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1760313 Sample: KalyLauncher Setup 1.0.0.exe Startdate: 19/08/2025 Architecture: WINDOWS Score: 60 62 ip-api.com 2->62 64 discord.com 2->64 66 api.gofile.io 2->66 76 Drops large PE files 2->76 8 KalyLauncher.exe 21 2->8         started        13 KalyLauncher Setup 1.0.0.exe 12 396 2->13         started        signatures3 process4 dnsIp5 68 ip-api.com 208.95.112.1, 49694, 80 TUT-ASUS United States 8->68 70 api.gofile.io 160.202.167.55, 443, 49696 DEDICATEDUS New Zealand 8->70 72 discord.com 162.159.128.233, 443, 49695, 49697 CLOUDFLARENETUS United States 8->72 46 C:\Users\user\AppData\...\cookies.sqlite-shm, data 8->46 dropped 48 C:\Users\user\AppData\Local\...\Cookies.query, SQLite 8->48 dropped 50 C:\Users\user\AppData\...\Login Data.query, SQLite 8->50 dropped 58 3 other malicious files 8->58 dropped 78 Tries to harvest and steal browser information (history, passwords, etc) 8->78 80 Excessive usage of taskkill to terminate processes 8->80 15 cmd.exe 8->15         started        18 cmd.exe 8->18         started        20 cmd.exe 8->20         started        24 18 other processes 8->24 52 C:\Users\user\AppData\...\KalyLauncher.exe, PE32+ 13->52 dropped 54 C:\Users\user\AppData\Local\...\nsis7z.dll, PE32 13->54 dropped 56 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 13->56 dropped 60 17 other files (none is malicious) 13->60 dropped 22 cmd.exe 1 13->22         started        file6 signatures7 process8 dnsIp9 84 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 15->84 27 WMIC.exe 15->27         started        30 conhost.exe 15->30         started        86 Excessive usage of taskkill to terminate processes 18->86 40 2 other processes 18->40 42 2 other processes 20->42 32 conhost.exe 22->32         started        34 tasklist.exe 1 22->34         started        36 find.exe 1 22->36         started        74 chrome.cloudflare-dns.com 162.159.61.3, 443, 49699, 53244 CLOUDFLARENETUS United States 24->74 88 Query firmware table information (likely to detect VMs) 24->88 38 conhost.exe 24->38         started        44 29 other processes 24->44 signatures10 process11 signatures12 82 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 27->82
Score:
54%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/24c0ba6060643f5428f88a293ff4ee911bc1a3cb06e077468b3042b7700537f0
Gathering data
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/24c0ba6060643f5428f88a293ff4ee911bc1a3cb06e077468b3042b7700537f0
Threat name:
Win32.Malware.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-08-18 03:26:43 UTC
File Type:
PE (Exe)
Extracted files:
3438
AV detection:
2 of 24 (8.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=etaluydamq7vikhyriut75hosen4di6la3qhorulgbblo4afg7ya._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion discovery execution spyware stealer
Link:
https://tria.ge/reports/250819-r5hctavmv6/
Behaviour
Checks processor information in registry
Collects information from the system
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Enumerates processes with tasklist
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Modifies trusted root certificate store through registry
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0f2391d8-bc1f-4310-ac46-888097c641be
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GenesisStealer

Executable exe 24c0ba6060643f5428f88a293ff4ee911bc1a3cb06e077468b3042b7700537f0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3607146/
  
Delivery method
Distributed via web download

Comments