MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2820b924640b10eb028a6fb30a77db1d3c53077e368fdf204fa914306e1ecc3a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2820b924640b10eb028a6fb30a77db1d3c53077e368fdf204fa914306e1ecc3a
SHA3-384 hash: 0ad8798ac5040aaee889285850e7c664ef49c1b7a52b46edca9aafde24b64b4d2a4e651a072e3c59dfb0de8b5c501243
SHA1 hash: 9d6ef6c492222548e1f6a6b5f9656d063f9c304e
MD5 hash: a77c1c41fddca9c973b2162bace0f990
humanhash: alabama-violet-friend-fillet
File name:l3.exe
Download: download sample
File size:4'417'536 bytes
First seen:2025-04-10 00:47:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6e3cb97005ca0f5268c403ea4ae72c13
ssdeep 98304:0xPjLXTCXVMuYm9C36vU6upZiD6AQeo6/m/7nNYvX0CPSXl:4kMujK57iDueo6UDN+1C
TLSH T1C716335E6DCA1496F80090B4472EFAFEB2BF1DF406B2CC5D88886AC5DDB31125773686
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter aachum
Tags:ClipboardHijacker exe RaccoonClipper sst-my


Avatar
iamaachum
https://sst.my/folder/l3.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
533
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
refox_xii_full_cracked_11instmank.zip
Verdict:
Malicious activity
Analysis date:
2025-04-08 09:14:13 UTC
Tags:
autoit stealer lumma autoit-loader raccoonclipper
Link:
https://app.any.run/tasks/0e78121e-7fe9-4b9f-930c-4ee52a88f082

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/1436/
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67f71b4071beff15dcceecfd
Tags:
vmprotect raccoon virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Launching a process
Creating a process from a recently created file
Enabling autorun by creating a file
Verdict:
Malicious
Labled as:
Trojan.Heur.Generic
Link:
https://www.hybrid-analysis.com/sample/2820b924640b10eb028a6fb30a77db1d3c53077e368fdf204fa914306e1ecc3a
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/6faffb9c-5922-40f6-8e50-f0331f94f80c
Result
Threat name:
Clipboard Hijacker
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1661335
Signature
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Switches to a custom stack to bypass stack traces
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Clipboard Hijacker
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2820b924640b10eb028a6fb30a77db1d3c53077e368fdf204fa914306e1ecc3a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2820b924640b10eb028a6fb30a77db1d3c53077e368fdf204fa914306e1ecc3a/
Threat name:
Win32.Spyware.Raccoon
Create hunting rule
Status:
Suspicious
First seen:
2025-04-07 12:34:23 UTC
File Type:
PE (Exe)
AV detection:
23 of 36 (63.89%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=faqlsjdebmiowaukn6zqu563du6fgb36g2h56icpvekda3q6zq5a._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/250410-a5tmeawrv8/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Executes dropped EXE
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9fd15f11-24ab-4148-bcb4-404c727101fa
Unpacked files
SH256 hash:
2820b924640b10eb028a6fb30a77db1d3c53077e368fdf204fa914306e1ecc3a
MD5 hash:
a77c1c41fddca9c973b2162bace0f990
SHA1 hash:
9d6ef6c492222548e1f6a6b5f9656d063f9c304e
Link:
https://www.unpac.me/results/96d84b79-b4f7-4bcc-b090-f90ddcbb0cf9/
SH256 hash:
0b946dba685781eb5030859e090df1b9479450634381f470b1320f9032d71e83
MD5 hash:
9a4a552e98400f389e4429c08df06fe0
SHA1 hash:
f9bfff3b99b20ac16806890277a89485d6d36706
Detections:
ClipboardCryptoHijacker
Create hunting rule
Link:
https://www.unpac.me/results/96d84b79-b4f7-4bcc-b090-f90ddcbb0cf9/
Malware family:
Phorpiex
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2820b924640b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2820b924640b10eb028a6fb30a77db1d3c53077e368fdf204fa914306e1ecc3a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

7z 18e23bf0753989e7fd50f30fb6b2efebd5ff22fb5b510bfef6a676aca40cef65

LummaStealer

Executable exe faed5d57ba4b532b3d66330c213c7978f6082c2a6e571e253a1d8ae864b41845

Executable exe 2820b924640b10eb028a6fb30a77db1d3c53077e368fdf204fa914306e1ecc3a

(this sample)

  
Link
https://tria.ge/250410-a1cs4aw1a1/behavioral1
  
Dropped by
MD5 2326d11616da300f18ed260329ec0666
  
Dropped by
MD5 7c0aab72786ff286f475cd861f9702ef
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/1436/
  
Dropped by
SHA256 faed5d57ba4b532b3d66330c213c7978f6082c2a6e571e253a1d8ae864b41845
  
Dropped by
SHA256 fe4289d0e93af2b2bd4103c208c7887dfa2e776bc128ba00c8f5626dd386d689
  
URLhaus
https://urlhaus.abuse.ch/url/3506325/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryW

Comments