MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2638a263f9bc829ac5e112fb7e2cbad9152eda4bb89dfa1ab22f64fcff744ce8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 16

SHA256 hash: 2638a263f9bc829ac5e112fb7e2cbad9152eda4bb89dfa1ab22f64fcff744ce8
SHA3-384 hash: d62a2611ea9fb97f79cde1109da9f5f8a13046b8e55e8fbd95cd2162ecc2d5d769fcbb47027449c6f7bd1a2e137862ff
SHA1 hash: 2af640b52aff3b85e56bc7e0cde586aaa80d11a8
MD5 hash: 8b18d45188728b6bb652b0a7bd2f3cf5
humanhash: mango-yankee-kansas-colorado
File name: file
File size: 2'337'424 bytes
First seen: 2026-06-24 11:54:21 UTC
Last seen: 2026-06-24 12:12:09 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f6baa5eaa8231d4fe8e922a2e6d240ea (67 x CoinMiner, 22 x DCRat, 15 x LummaStealer)
ssdeep: 49152:IgwRlsU7nll3OiS62MFe9PUsut7+GqN9AalTdbpqRq+vNyVpBTHKZ:IgwRlDldON62MWcrRwNKWxbpqRJvupBu
Threatray: 72 similar samples on MalwareBazaar
TLSH: T1D5B53350B3E9C1B9E1803571418E17D118FFEB990F2356CB6FB84E1B4BB42D2E876896
TrID: 42.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      16.8% (.EXE) Win64 Executable (generic) (6522/11/2)
      13.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
      11.6% (.EXE) Win32 Executable (generic) (4504/4/1)
      5.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
dhash icon: e0d9998898aca4b8 (4 x RemcosRAT, 2 x SalatStealer, 1 x njrat)
Reporter: Bitsight
Tags: 54e64e dropped-by-amadey exe


Bitsight
url: http://91.92.242.236/files-129312398/files/file_bed02281218bd914.exe

Intelligence


File Origin
# of uploads: 5
# of downloads: 163
Origin country: US
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: _2638a263f9bc829ac5e112fb7e2cbad9152eda4bb89dfa1ab22f64fcff744ce8.exe
Verdict: Malicious activity
Analysis date: 2026-06-24 11:59:55 UTC
Tags: auto generic auto-reg pay2key ransomware everything tool smb

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Verdict: Malicious
Score: 96.5%
Tags: shell virus sage
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
Creating a file in the Program Files subdirectories
Launching cmd.exe command interpreter
Creating a service
Launching a service
Creating synchronization primitives
Creating a file
Moving a recently created file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Enabling autorun for a service
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: adaptive-context evasive fingerprint installer keylogger microsoft_visual_cc overlay packed powershell.exe ransomware reconnaissance
Verdict: Malicious
File Type: exe x32
First seen: 2026-06-24T09:06:00Z UTC
Last seen: 2026-06-24T23:11:00Z UTC
Hits: ~10
Detections: HEUR:HackTool.Win64.NoDefender.a, Trojan.PowerShell.Kriptik.sba, BSS:HackTool.Win32.Yzon.a, Trojan.Win32.Agentb.tqma, Trojan-Ransom.Win32.Mimic.sb, Trojan-Ransom.Win32.Agent.sb, HEUR:Trojan-Ransom.Win32.Generic
Threat name: Win32.Trojan.Runner
Status: Malicious
First seen: 2026-06-24 11:57:41 UTC
File Type: PE (Exe)
Extracted files: 9
AV detection: 18 of 24 (75.00%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: discovery execution upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
UPX packed file
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Executes dropped EXE
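The two sandbox behaviour lists above (a file written under a %temp% subdirectory, a process started from that recently created file, cmd.exe launched with a hidden window, a service created and set to autorun, PowerShell executed) describe a chain that is easy to turn into a host-side detection. The script below is an added example, not code from MalwareBazaar or from either sandbox vendor: it replays a constructed stream of process-create, file-create and service-create events (the kind of data Sysmon event IDs 1 and 11 and the System log's event 7045 provide) and raises an alert only for a process that was started from a file just written under %TEMP% and then went on to spawn a shell or register a service. The paths, PIDs, timestamps and the `Event` record layout are assumptions made for the example; a process started from a file that was not freshly dropped (the `tool.exe` case) is deliberately not alerted on, because the sandbox's "creating a process from a recently created file" precondition is what separates the dropper chain from ordinary installer noise.

```python
"""Added example (not MalwareBazaar's or a sandbox vendor's code): detect the
"dropped file -> process -> shell/service" chain over a constructed event stream."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Event:
    ts: int                     # seconds since start of trace (constructed)
    kind: str                   # "file_create" | "process_create" | "service_create"
    pid: int                    # process performing the action / being created
    ppid: Optional[int] = None  # parent pid (process_create only)
    image: str = ""             # full image path (process_create only)
    cmdline: str = ""           # command line (process_create only)
    target: str = ""            # file path (file_create) or service binary (service_create)


# Assumed profile location for the example; a real detector would resolve %TEMP% per user.
TEMP = r"c:\users\victim\appdata\local\temp"
SHELLS = {"cmd.exe", "powershell.exe"}


def in_temp(path: str) -> bool:
    """True if the path sits under the (assumed) %TEMP% directory or a subdirectory of it."""
    return path.lower().startswith(TEMP + "\\")


def detect(events: List[Event], window: int = 120) -> List[Dict[str, object]]:
    """Return one alert per process that (a) was started from a file created under
    %TEMP% at most `window` seconds earlier and (b) afterwards launched cmd.exe or
    powershell.exe, or created a service. Hidden-window flags are not part of this
    event model (Sysmon does not record ShowWindow), so they are not checked here."""
    created_at: Dict[str, int] = {}                 # lowercased file path -> create time
    suspects: Dict[int, Dict[str, object]] = {}     # pid -> accumulated evidence
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "file_create" and in_temp(ev.target):
            created_at[ev.target.lower()] = ev.ts
        elif ev.kind == "process_create":
            img = ev.image.lower()
            t0 = created_at.get(img)
            if t0 is not None and ev.ts - t0 <= window:
                # Process image is a file that was just dropped into %TEMP%.
                suspects[ev.pid] = {"pid": ev.pid, "image": ev.image, "shell": [], "service": []}
            elif ev.ppid in suspects and img.rsplit("\\", 1)[-1] in SHELLS:
                # A suspect process spawned a command interpreter.
                suspects[ev.ppid]["shell"].append(ev.cmdline)
        elif ev.kind == "service_create" and ev.pid in suspects:
            suspects[ev.pid]["service"].append(ev.target)
    return [s for s in suspects.values() if s["shell"] or s["service"]]


# Constructed trace: a dropper (pid 4100) writes setup.exe into a %TEMP% subdirectory,
# runs it, and the child (pid 4120) calls cmd.exe and installs a service. A second,
# unrelated program from Downloads also runs cmd.exe but was not freshly dropped.
EVENTS = [
    Event(1, "file_create", pid=4100, target=TEMP + r"\7zS1234\setup.exe"),
    Event(3, "process_create", pid=4120, ppid=4100, image=TEMP + r"\7zS1234\setup.exe",
          cmdline="setup.exe"),
    Event(4, "process_create", pid=4130, ppid=4120, image=r"C:\Windows\System32\cmd.exe",
          cmdline="cmd.exe /c install.bat"),
    Event(6, "service_create", pid=4120, target=r"C:\Program Files\Updater\svc.exe"),
    Event(10, "process_create", pid=5000, ppid=1000, image=r"C:\Users\victim\Downloads\tool.exe",
          cmdline="tool.exe"),
    Event(11, "process_create", pid=5001, ppid=5000, image=r"C:\Windows\System32\cmd.exe",
          cmdline="cmd.exe /c dir"),
]


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(f"ALERT pid={alert['pid']} image={alert['image']} "
              f"shells={alert['shell']} services={alert['service']}")
```

The `window` argument is the only tuning knob: the sandbox reports the drop and the launch as consecutive actions, so a short window (two minutes here) keeps the rule tight without missing the chain, and a file dropped long before it is executed falls back to ordinary process-lineage monitoring.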
Unpacked files (15)

SHA256 hash: 2638a263f9bc829ac5e112fb7e2cbad9152eda4bb89dfa1ab22f64fcff744ce8
MD5 hash: 8b18d45188728b6bb652b0a7bd2f3cf5
SHA1 hash: 2af640b52aff3b85e56bc7e0cde586aaa80d11a8
Detections: triage_elpaco_ransomware

SHA256 hash: e37aa72bca3cecb9bdbe51cbd81ec1143bb17163088a1379a4ccb93f5d881e76
MD5 hash: 5cac4fe734fc8454ccb847e030beee38
SHA1 hash: 34298fe220e35f614b2c837cf1dc2604ab0882d6

SHA256 hash: ad80064f71d273967dcf0b14b9cd6e84d79a132231d619687d9266c7807bdfe0
MD5 hash: a35ee23aaab26afc575ac83df9572b57
SHA1 hash: 81ea38c694ce9702faddfb961f17c1bbf628a76d

SHA256 hash: 00b9c0120df0595184523a3620ef9b3c3e11fc0e61d366d7eeabb646647cfceb
MD5 hash: bd1f243ee2140f2f6118a7754ea02a63
SHA1 hash: cdf7dd7dd1771edcc473037af80afd7e449e30d9

SHA256 hash: 0377585ec50ed2e1b3d8519be272599f31024accd20b484ddae8240e09cc83b4
MD5 hash: 13d3997b43c3d5cbafb0ff10b6f0dee1
SHA1 hash: e650a76f3fa8d28e2ff3751ccf44d124ef2b82bd

SHA256 hash: aa8e2d0c4e01256c9a87d812e4aed2156047f57766a7bda5dc8b80814cf915da
MD5 hash: 98b9cf27cde67c5f006f71078c61dfe5
SHA1 hash: 95d18ae221a481edad7beceeb2ff2f72593046dd

SHA256 hash: b6201026511b5d399ddc735eafecc18a597bf11cb101e898e8a32a6b2aba82e5
MD5 hash: 30897336ef2c9d70e82866e424c6fbb8
SHA1 hash: d5425363aa326c0b4d4fd949cf87622ce5159605

SHA256 hash: 569d590a83bb0d62be2b9b8004a4eb99aed6579e943782f3cac9d347d0e6b212
MD5 hash: 0f9874483270a56f3ee8971e5191928e
SHA1 hash: 09ab5e8dd71804324cfde3c076109d53eae73826

SHA256 hash: fe7ded437f8898ba4191ff59c08b5be4333a768c1bab3eb5a6e84be56a10843d
MD5 hash: 60dde66fd6959255956f77c23394685f
SHA1 hash: 5d829037997193db9cbd0de030c036ccbcdda02b

SHA256 hash: 48b94b85d0ae03eb24a31404029005f9622458168b6fac6ff4e1f69eac14fefd
MD5 hash: 7d3650278a9bf7bf90cf63574f91b547
SHA1 hash: 9d1927c5b5a51b2381e4fa9c8d61ceed4b6b3d84

SHA256 hash: 8d857e139fb4eb58c36a5d940a4b01222a225f98f8cc923e2e2dc9a7eaf7d5dc
MD5 hash: 5522df1adad44567ff84d779f5876d33
SHA1 hash: bc201be6a5bd67e87ac93a46d4a888542b306a4e

SHA256 hash: 49f23f83807913b84917cfdb800ac04d905fdc844f4b41b6aaf894506864355b
MD5 hash: 0faecd43382ab6f35d8b2be61939377e
SHA1 hash: c6295657d52bc5dc16fa2542be23dac7948fa400

SHA256 hash: 893f3254c37f2a2f10078497483039cc0a90af0811b2da2bd5294b0a72a3482a
MD5 hash: be941bc0bdff92e37ef8c4e3f35d1c7f
SHA1 hash: d8e1cc8cd74d503cafee499761d75b59f6d5fda7

SHA256 hash: f457b1cb1b146ab07117e34dc50881ef787946a0311467d82469fdaa3e54884c
MD5 hash: 52b7073101ce2f83c85ed698f1ee0445
SHA1 hash: cd2f016c79de7d4bf20d1366cc9483b610b4ffc2

SHA256 hash: e273a05ae99bbf547c5f7fc0d027c416eeabe1829a8ece661f587d6d8965f8b7
MD5 hash: 91c0d86df5a6c28167839ba56c83288c
SHA1 hash: 2d2f65d854edfc55ab75dd4babf6e920a8573f48
Please note that we are no longer able to provide a coverage score for VirusTotal.
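The sample's own MD5/SHA1/SHA256 at the top of the entry and the hashes of the unpacked files listed above are the hash IOCs an analyst takes away from this page. The script below is an added example, not MalwareBazaar's own code or API client: it parses the key/value lines in the format this page prints them (accepting the "SH256" misspelling that appears in the unpacked-files listing as well as "SHA256"), validates each digest's length against its declared algorithm, then walks a directory, hashes every file once and reports any that match. The embedded `ENTRY_TEXT` is constructed from a subset of the hashes on this page (the sample plus one unpacked file); the directory layout and file names in the usage are assumptions.

```python
"""Added example (not MalwareBazaar's code): build a hash IOC set from a
MalwareBazaar-style entry and sweep a directory for files that match it."""
import hashlib
import os
import re
from typing import Dict, Iterator, Set

# Constructed from this page's entry: the sample's own hashes and one unpacked file,
# copied in the page's own layout (value on the same line or on the next line).
ENTRY_TEXT = """
SHA256 hash: 2638a263f9bc829ac5e112fb7e2cbad9152eda4bb89dfa1ab22f64fcff744ce8
SHA1 hash: 2af640b52aff3b85e56bc7e0cde586aaa80d11a8
MD5 hash: 8b18d45188728b6bb652b0a7bd2f3cf5
SH256 hash:
e37aa72bca3cecb9bdbe51cbd81ec1143bb17163088a1379a4ccb93f5d881e76
MD5 hash:
5cac4fe734fc8454ccb847e030beee38
SHA1 hash:
34298fe220e35f614b2c837cf1dc2604ab0882d6
"""

# "SHA?256" matches both the correct label and the page's "SH256" misprint; \s* lets the
# value sit on the following line, as it does in the unpacked-files listing.
_HASH_RE = re.compile(
    r"(?P<algo>SHA?256|SHA1|MD5)\s+hash:\s*(?P<val>[0-9a-fA-F]{32,64})",
    re.IGNORECASE,
)
_HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64}


def parse_iocs(text: str) -> Dict[str, Set[str]]:
    """Return {"md5": {...}, "sha1": {...}, "sha256": {...}} from entry text,
    discarding any value whose length does not match the algorithm it is labelled with."""
    iocs: Dict[str, Set[str]] = {k: set() for k in _HASH_LEN}
    for m in _HASH_RE.finditer(text):
        algo = m.group("algo").lower().replace("sh256", "sha256")
        val = m.group("val").lower()
        if len(val) == _HASH_LEN[algo]:
            iocs[algo].add(val)
    return iocs


def hash_file(path: str, chunk: int = 1 << 20) -> Dict[str, str]:
    """Compute MD5, SHA1 and SHA256 of a file in a single pass over its bytes."""
    hashers = {k: hashlib.new(k) for k in _HASH_LEN}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {k: h.hexdigest() for k, h in hashers.items()}


def scan_dir(root: str, iocs: Dict[str, Set[str]]) -> Iterator[Dict[str, str]]:
    """Yield one record per file under `root` whose digest appears in the IOC set."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:
                continue  # unreadable or vanished file: skip it, do not abort the sweep
            for algo, val in digests.items():
                if val in iocs[algo]:
                    yield {"path": path, "algo": algo, "hash": val}
                    break  # one hit per file is enough


if __name__ == "__main__":
    import sys
    # Assumed usage: python ioc_sweep.py <directory>; defaults to the current directory.
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for hit in scan_dir(root, parse_iocs(ENTRY_TEXT)):
        print(f"IOC match ({hit['algo']}): {hit['path']} {hit['hash']}")
```

Hashing all three algorithms in one pass matters on large trees: reading each file once and feeding three digests is far cheaper than three separate reads, and it means a match on any of the page's hash types is caught even when the source entry only lists one of them.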

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author: CYFARE
Description: Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference: https://cyfare.net/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Executable exe 2638a263f9bc829ac5e112fb7e2cbad9152eda4bb89dfa1ab22f64fcff744ce8 (this sample)

Dropped by: Amadey
Delivery method: Distributed via web download

Comments