MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c64a1b9a4556e4ea7324dde53318f32f0a07d7ae31c370f737a72645833ec26. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 12


SHA256 hash: 2c64a1b9a4556e4ea7324dde53318f32f0a07d7ae31c370f737a72645833ec26
SHA3-384 hash: 8eaee54ee134597d2563db5ca79dc8c50a24a74381ff3019f5b2c3975f2d8eb69ffa0e66df90ab217f736e22a01677c6
SHA1 hash: f15b0655f78df28a2b00abbb9cda3460032a8f78
MD5 hash: 969f054044ef65d87fc63baa693f26e6
humanhash: maine-tango-mockingbird-sad
File name: RPReplaySextapeleak2025_mymleakfullvid.mp4 .exe
File size: 86'102'016 bytes
First seen: 2025-10-26 14:44:32 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 764090509664248d5254caeebe1e7af5
ssdeep: 393216:49FZH1IL4xeG3pkiJzZstF9dmQQu+iOwUiTZI7FrKNx+4AshdaXmc+7jy464j1i6:4ZH1RHugrIjdIDVNQr8FyRhYpgPVlcm
TLSH: T1D4187D5263A609D6F9F79A348AE65213DA33BC067F3082DF324C17661F736E04976B21
TrID: 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
      23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      9.3% (.EXE) OS/2 Executable (generic) (2029/13)
      9.2% (.EXE) Generic Win/DOS Executable (2002/3)
      9.2% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: burger
Tags: BHWareStealer exe infostealer


burger403
C2(s): bhware[.]store, root[.]bhware[.]store

Intelligence


File Origin
# of uploads: 1
# of downloads: 152
Origin country: NL
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: RPReplaySextapeleak2025_mymleakfullvid.mp4.exe
Verdict: Malicious activity
Analysis date: 2025-10-26 14:43:59 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %temp% subdirectories
Creating a file
Launching the process to interact with network services
Using the Windows Management Instrumentation requests
Searching for the window
DNS request
Connection attempt
Sending a custom TCP request
Creating a process from a recently created file
Creating a window
Launching a tool to kill processes
Adding an exclusion to Microsoft Defender
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug crypto fingerprint masquerade microsoft_visual_cc
Verdict: Malicious
File Type: exe x64
First seen: 2025-10-26T11:47:00Z UTC
Last seen: 2025-10-27T19:00:00Z UTC
Hits: ~1000
Detections: Trojan-PSW.Win64.Stealer.sb Trojan-PSW.Win64.Stealer.aojz BSS:Trojan.Win32.Generic
Result
Threat name: n/a
Detection: malicious
Classification: expl.evad
Score: 76 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph: ID 1801965, sample RPReplaySextapeleak2025_mym..., start date 26/10/2025, architecture WINDOWS, score 76 (rendered process and network graph omitted)
Threat name: Win64.Trojan.Generic
Status: Suspicious
First seen: 2025-10-25 23:59:23 UTC
File Type: PE+ (Exe)
Extracted files: 4
AV detection: 11 of 38 (28.95%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: defense_evasion discovery execution pyinstaller spyware stealer
Behaviour
Kills process with taskkill
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Detects Pyinstaller
System Location Discovery: System Language Discovery
Enumerates processes with tasklist
Legitimate hosting services abused for malware hosting/C2
Obfuscated Files or Information: Command Obfuscation
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download → Executable exe 2c64a1b9a4556e4ea7324dde53318f32f0a07d7ae31c370f737a72645833ec26 (this sample)
Delivery method: Distributed via web download