MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f2b93d37d67b80b4faaf25bebe4e3cbaf7aca35328aeb66da6a1a9b44316f5b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 11

Sections: Intelligence (11) | IOCs | YARA (6) | File information | Comments

SHA256 hash: 2f2b93d37d67b80b4faaf25bebe4e3cbaf7aca35328aeb66da6a1a9b44316f5b
SHA3-384 hash: 869495c835d1321bf869ea005c72ab2bedfa2f921427d690db00d1005101719e21344e0587e48950b37c88ffc114b701
SHA1 hash: 0ac399c902304014902e674a202a843f084f91dc
MD5 hash: 86e3ea9c05e6328ece5d0d086c02c341
humanhash: victor-johnny-carbon-kentucky
File name: YomiraGame.exe
File size: 73'881'926 bytes
First seen: 2025-04-26 02:59:58 UTC
Last seen: 2025-04-26 03:00:04 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9a3c23bdebe897a9d1a329f1d1529dbc
ssdeep: 786432:aRqUwEdRmUjQf0PPoK3fTTFQnZxgI+asFuLO9Kc4+0jifX+pDS:agUwERm4PPoeTx6+h+G4Bi
TLSH: T12EF7DF2ACBCC173CD3918D34419E5B5EE23269171356C91B227792F488DFED0F72AA98
TrID: 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      26.1% (.EXE) Win64 Executable (generic) (10522/11/4)
      12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
      5.1% (.ICL) Windows Icons Library (generic) (2059/9)
      5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
Reporter: Anonymous
Tags: exe
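Before a sample pulled from this entry is detonated, shared, or added to a blocklist, the file on disk should be checked against the hashes and size listed above (hash the extracted executable, not the archive it was downloaded in). The script below is an added example written for this page, not MalwareBazaar's own tooling: it streams a file through MD5, SHA1, SHA256 and SHA3-384 in one pass with Python's standard hashlib and reports every value that disagrees with this entry. imphash, ssdeep and TLSH need third-party libraries and are deliberately left out.

```python
import hashlib
from typing import Dict, List, Tuple

# Hash values and file size as listed on this MalwareBazaar entry for YomiraGame.exe.
EXPECTED_HASHES = {
    "md5": "86e3ea9c05e6328ece5d0d086c02c341",
    "sha1": "0ac399c902304014902e674a202a843f084f91dc",
    "sha256": "2f2b93d37d67b80b4faaf25bebe4e3cbaf7aca35328aeb66da6a1a9b44316f5b",
    "sha3_384": "869495c835d1321bf869ea005c72ab2bedfa2f921427d690db00d1005101719e21344e0587e48950b37c88ffc114b701",
}
EXPECTED_SIZE = 73_881_926  # "73'881'926 bytes" on the entry

ALGORITHMS = ("md5", "sha1", "sha256", "sha3_384")


def compute_hashes(data: bytes) -> Dict[str, str]:
    """Hex digests of an in-memory buffer for every algorithm in ALGORITHMS."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def hash_file(path: str, chunk_size: int = 1 << 20) -> Tuple[int, Dict[str, str]]:
    """Stream a file through all four hash objects at once; returns (size, digests).

    Chunked reading keeps memory flat even for a 70 MB sample like this one.
    """
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            for h in hashers.values():
                h.update(chunk)
    return size, {name: h.hexdigest() for name, h in hashers.items()}


def find_mismatches(actual: Dict[str, str], expected: Dict[str, str]) -> List[str]:
    """Names of algorithms whose digest differs (compared case-insensitively) or is missing from `actual`."""
    bad = []
    for name, want in expected.items():
        got = actual.get(name)
        if got is None or got.lower() != want.lower():
            bad.append(name)
    return sorted(bad)


def verify_file(path: str, expected: Dict[str, str] = EXPECTED_HASHES,
                expected_size: int = EXPECTED_SIZE) -> List[str]:
    """Empty list if the file matches this entry, otherwise the names of the failing checks."""
    size, digests = hash_file(path)
    problems = find_mismatches(digests, expected)
    if size != expected_size:
        problems.append("size")
    return problems


if __name__ == "__main__":
    import sys

    problems = verify_file(sys.argv[1])
    print("OK: matches the MalwareBazaar entry" if not problems
          else "MISMATCH: " + ", ".join(problems))
```

Run it as `python verify.py YomiraGame.exe`; a non-empty mismatch list means the file on disk is not the sample this entry describes (a different upload, a truncated download, or the wrapping archive instead of its contents) and none of the vendor verdicts above should be attributed to it.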

Intelligence


File Origin
# of uploads: 2
# of downloads: 582
Origin country: CA
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: YomiraGame.exe
Verdict: Malicious activity
Analysis date: 2025-04-26 03:01:22 UTC
Tags: discord stealer
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 96.5%
Tags: autorun virus hype sage

Result
Verdict: Malware
Maliciousness:
Behaviour:
  Searching for the window
  Changing a file
  DNS request
  Connection attempt
  Sending a custom TCP request
  Launching the default Windows debugger (dwwin.exe)
  Forced shutdown of a browser

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug crypt entropy mingw overlay overlay packed packed packer_detected

Result
Threat name: n/a
Detection: malicious
Classification: n/a
Score: 48 / 100
Signature: Multi AV Scanner detection for submitted file
Behaviour:
  Behavior Graph (ID 1674608; sample YomiraGame.exe; start date 26/04/2025; architecture WINDOWS; score 48):
    YomiraGame.exe started
      -> WerFault.exe started; dropped C:\ProgramData\Microsoft\...\Report.wer (Unicode)
      -> conhost.exe started
    Signature hit: Multi AV Scanner detection for submitted file

Threat name: Win64.Malware.Heuristic
Status: Malicious
First seen: 2025-04-25 23:02:08 UTC
File Type: PE+ (Exe)
Extracted files: 11
AV detection: 10 of 24 (41.67%)
Threat level: 2/5

Result
Malware family: n/a
Score: 9/10
Tags: credential_access defense_evasion discovery spyware stealer
Behaviour:
  Checks processor information in registry
  Enumerates system info in registry
  Modifies data under HKEY_USERS
  Modifies registry class
  Suspicious behavior: EnumeratesProcesses
  Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of FindShellTrayWindow
  Suspicious use of WriteProcessMemory
  Browser Information Discovery
  Drops file in Windows directory
  Legitimate hosting services abused for malware hosting/C2
  Looks up external IP address via web service
  Drops startup file
  Reads user/profile data of web browsers
  Looks for VMWare drivers on disk
  Uses browser remote debugging
  Enumerates VirtualBox DLL files
  Looks for VirtualBox drivers on disk
  Looks for VirtualBox executables on disk

Verdict: Suspicious
Tags: external_ip_lookup

YARA: n/a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: INDICATOR_EXE_Packed_Themida
Author: ditekSHen
Description: Detects executables packed with Themida

Rule name: pe_detect_tls_callbacks

Rule name: ProgramLanguage_Rust
Author: albertzsigovits
Description: Application written in Rust programming language

Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Executable exe 2f2b93d37d67b80b4faaf25bebe4e3cbaf7aca35328aeb66da6a1a9b44316f5b (this sample)
Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID: CHECK_VIRTUAL_SIZE
Title: Optimize binary virtual size
Severity: medium

Reviews
ID: FFI_METHODS
Capabilities: Can perform system-level operations via FFI
Evidence:
  _ZN4core3ptr47drop_in_place$LT$std::ffi::os_str::OsString$GT$17h63d4f07e253e2fb0E
  _ZN3std3ffi6os_str85_$LT$impl$u20$core::convert::AsRef$LT$std::ffi::os_str::OsStr$GT$$u20$for$u20$str$GT$6as_ref17hdea7f4c94081cf19E
  _ZN4core3ptr125drop_in_place$LT$$LP$std::sys::pal::windows::process::EnvKey$C$core::option::Option$LT$std::ffi::os_str::OsString$GT$$RP$$GT$17hcc8b707416edf72bE
  _ZN4core3ptr137drop_in_place$LT$alloc::collections::btree::map::BTreeMap$LT$std::sys::pal::windows::process::EnvKey$C$std::ffi::os_str::OsString$GT$$GT$17hfbad5da0b73e6e6bE
  _ZN4core3ptr137drop_in_place$LT$alloc::collections::btree::map::IntoIter$LT$std::sys::pal::windows::process::EnvKey$C$std::ffi::os_str::OsString$GT$$GT$17h784860ef7f8b505bE
  _ZN4core3ptr165drop_in_place$LT$alloc::collections::btree::map::BTreeMap$LT$std::sys::pal::windows::process::EnvKey$C$core::option::Option$LT$std::ffi::os_str::OsString$GT$$GT$$GT$17hd8a89dff745a42a8E
  _ZN4core3ptr165drop_in_place$LT$core::option::Option$LT$alloc::collections::btree::map::BTreeMap$LT$std::sys::pal::windows::process::EnvKey$C$std::ffi::os_str::OsString$GT$$GT$$GT$17h850101eb63d42e02E
  _ZN4core3ptr47drop_in_place$LT$std::ffi::os_str::OsString$GT$17h22d3b58c26df89e1E
  _ZN4core3ptr70drop_in_place$LT$alloc::vec::Vec$LT$std::ffi::os_str::OsString$GT$$GT$17he412b31beebb0bc3E
  _ZN4core3ptr84drop_in_place$LT$$LP$std::ffi::os_str::OsString$C$std::ffi::os_str::OsString$RP$$GT$17h8c69f1e7700455e6E
  _ZN4core3ptr97drop_in_place$LT$$LP$std::sys::pal::windows::process::EnvKey$C$std::ffi::os_str::OsString$RP$$GT$17h5c9ffa86a7bc2767E
  _ZN81_$LT$std::ffi::os_str::OsString$u20$as$u20$std::os::windows::ffi::OsStringExt$GT$9from_wide17h203e3962da86bf7fE
  _ZN63_$LT$std::ffi::os_str::OsString$u20$as$u20$core::fmt::Write$GT$9write_str17h8141007801bff817E
  _ZN3std3ffi6os_str95_$LT$impl$u20$core::convert::TryFrom$LT$$RF$std::ffi::os_str::OsStr$GT$$u20$for$u20$$RF$str$GT$8try_from17h528e6a2dcb08aa5fE
  _ZN62_$LT$std::ffi::os_str::Display$u20$as$u20$core::fmt::Debug$GT$3fmt17h4dc5fe13cf99e3cfE
  _ZN64_$LT$std::ffi::os_str::Display$u20$as$u20$core::fmt::Display$GT$3fmt17h811856d0cfe1a76bE
  _ZN113_$LT$std::sys::pal::windows::process::EnvKey$u20$as$u20$core::convert::From$LT$std::ffi::os_str::OsString$GT$$GT$4from17h4c0fc73e151c932bE
  _ZN3std3sys3pal7windows7process123_$LT$impl$u20$core::convert::From$LT$std::sys::pal::windows::process::EnvKey$GT$$u20$for$u20$std::ffi::os_str::OsString$GT$4from17he9fc3e73fcc156caE
  _ZN114_$LT$std::sys::pal::windows::process::EnvKey$u20$as$u20$core::convert::From$LT$$RF$std::ffi::os_str::OsStr$GT$$GT$4from17h0f37164e4e2b0e5bE
  _ZN111_$LT$std::sys::pal::windows::process::EnvKey$u20$as$u20$core::convert::AsRef$LT$std::ffi::os_str::OsStr$GT$$GT$6as_ref17h96646100aedd6aa5E
  _ZN60_$LT$std::ffi::os_str::OsStr$u20$as$u20$core::fmt::Debug$GT$3fmt17h8b8f76442a007a50E
  _ZN63_$LT$std::ffi::os_str::OsString$u20$as$u20$core::fmt::Debug$GT$3fmt17hacb140f73b0ea23cE

ID: FILE_IO_READ
Capabilities: Can Read Files
Evidence:
  _ZN54_$LT$std::fs::Metadata$u20$as$u20$core::fmt::Debug$GT$3fmt17h38923b1b07140faaE
  _ZN75_$LT$std::fs::ReadDir$u20$as$u20$core::iter::traits::iterator::Iterator$GT$4next17h4c6874f680e3fea0E

ID: FILE_IO_WRITE
Capabilities: Can Create and Remove Files
Evidence:
  _ZN79_$LT$alloc::vec::Vec$LT$u8$GT$$u20$as$u20$std::io::copy::BufferedWriterSpec$GT$11buffer_size17hcbeb0bc37e17174fE
  _ZN54_$LT$std::fs::DirEntry$u20$as$u20$core::fmt::Debug$GT$3fmt17h45d556366f403c75E
  _ZN54_$LT$std::fs::FileType$u20$as$u20$core::fmt::Debug$GT$3fmt17hee1bb2391b606d32E
  _ZN57_$LT$std::fs::Permissions$u20$as$u20$core::fmt::Debug$GT$3fmt17h5f39beff15b9cfdfE

ID: NET_METHODS
Capabilities: Uses Network to send and receive data
Evidence:
  _ZN104_$LT$std::sys_common::net::LookupHost$u20$as$u20$core::convert::TryFrom$LT$$LP$$RF$str$C$u16$RP$$GT$$GT$8try_from17h8db00f9388dfa5bdE
  _ZN90_$LT$std::sys_common::net::LookupHost$u20$as$u20$core::convert::TryFrom$LT$$RF$str$GT$$GT$8try_from17h6689aa2b0e49db4dE
  _ZN68_$LT$std::sys_common::net::TcpStream$u20$as$u20$core::fmt::Debug$GT$3fmt17hcd3567c16aa6ef34E
  _ZN70_$LT$std::sys_common::net::TcpListener$u20$as$u20$core::fmt::Debug$GT$3fmt17hf3092c759f7fb7cbE
  _ZN68_$LT$std::sys_common::net::UdpSocket$u20$as$u20$core::fmt::Debug$GT$3fmt17h28292856884a474cE
  _ZN91_$LT$std::sys_common::net::LookupHost$u20$as$u20$core::iter::traits::iterator::Iterator$GT$4next17hfc864fd160b3e27cE
  _ZN74_$LT$std::sys_common::net::LookupHost$u20$as$u20$core::ops::drop::Drop$GT$4drop17h266881e36c726061E
  _ZN3std10sys_common3net154_$LT$impl$u20$std::sys_common::IntoInner$LT$$LP$std::sys_common::net::SocketAddrCRepr$C$i32$RP$$GT$$u20$for$u20$$RF$core::net::socket_addr::SocketAddr$GT$10into_inner17h334cefb90073cbceE
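The evidence strings above are Rust symbols in rustc's legacy mangling scheme: an `_ZN` prefix, length-prefixed path components, punctuation encoded as `$LT$`, `$GT$`, `$LP$`, `$RP$`, `$RF$`, `$C$` and `$u<hex>$`, a leading `_` on components that do not start with an identifier character, and a trailing `17h<16 hex digits>E` disambiguation hash. Read raw they hide what BLint is actually pointing at (std `fs`, `net` and `process` plumbing, mostly Debug and Drop impls, which is what makes the `NET_METHODS` and `FILE_IO_*` hits weak evidence on their own). The following is an added example written for this page, not BLint's or MalwareBazaar's code: a demangler for that legacy scheme plus a helper that lists which `std` modules the demangled names reference. It accepts both rustc's raw form (`..` standing for `::`) and the partially decoded form shown in the table, and does not handle the newer v0 scheme (`_R` prefix). The sample list is a constructed subset of the symbols above.

```python
import re
from typing import List

# Punctuation escapes defined by rustc's legacy symbol mangling.
ESCAPES = {
    "$SP$": "@", "$BP$": "*", "$RF$": "&", "$LT$": "<", "$GT$": ">",
    "$LP$": "(", "$RP$": ")", "$C$": ",",
}
UNICODE_ESCAPE = re.compile(r"^\$u([0-9a-fA-F]+)\$$")
HASH_RE = re.compile(r"^h[0-9a-f]{16}$")  # trailing hash component, e.g. h63d4f07e253e2fb0

# Constructed subset of the BLint evidence symbols listed on this entry.
SAMPLE_SYMBOLS = [
    "_ZN4core3ptr47drop_in_place$LT$std::ffi::os_str::OsString$GT$17h63d4f07e253e2fb0E",
    "_ZN81_$LT$std::ffi::os_str::OsString$u20$as$u20$std::os::windows::ffi::OsStringExt$GT$9from_wide17h203e3962da86bf7fE",
    "_ZN75_$LT$std::fs::ReadDir$u20$as$u20$core::iter::traits::iterator::Iterator$GT$4next17h4c6874f680e3fea0E",
    "_ZN104_$LT$std::sys_common::net::LookupHost$u20$as$u20$core::convert::TryFrom$LT$$LP$$RF$str$C$u16$RP$$GT$$GT$8try_from17h8db00f9388dfa5bdE",
]


def is_legacy_rust(symbol: str) -> bool:
    """True for `_ZN...E` symbols (some toolchains add one more leading underscore)."""
    return symbol.startswith("_ZN") or symbol.startswith("__ZN")


def split_components(symbol: str) -> List[str]:
    """Split `_ZN<len><ident><len><ident>...E` into its raw, still-escaped components."""
    if not is_legacy_rust(symbol):
        raise ValueError(f"not a legacy Rust symbol: {symbol}")
    s = symbol[1:] if symbol.startswith("__ZN") else symbol
    pos, parts = 3, []
    while pos < len(s) and s[pos] != "E":
        m = re.match(r"\d+", s[pos:])
        if not m:
            raise ValueError(f"bad length field at offset {pos}: {symbol}")
        length = int(m.group())
        pos += m.end()
        if pos + length > len(s):
            raise ValueError(f"component length runs past the end: {symbol}")
        parts.append(s[pos:pos + length])
        pos += length
    if pos >= len(s) or s[pos] != "E":
        raise ValueError(f"missing terminating E: {symbol}")
    return parts


def decode_component(raw: str) -> str:
    """Undo one component's escapes: `$..$` punctuation, `..` -> `::`, the `_` rustc adds before `$`."""
    if raw.startswith("_$"):
        raw = raw[1:]
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "$":
            end = raw.find("$", i + 1)
            if end == -1:            # stray `$`: keep it rather than guess
                out.append(raw[i:])
                break
            esc = raw[i:end + 1]
            m = UNICODE_ESCAPE.match(esc)
            if esc in ESCAPES:
                out.append(ESCAPES[esc])
            elif m:
                out.append(chr(int(m.group(1), 16)))
            else:                    # unknown escape: leave it visible
                out.append(esc)
            i = end + 1
        elif raw.startswith("..", i):
            out.append("::")
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def demangle(symbol: str) -> str:
    """Readable Rust path for a legacy-mangled symbol, with the trailing hash dropped."""
    parts = split_components(symbol)
    if parts and HASH_RE.match(parts[-1]):
        parts = parts[:-1]
    return "::".join(decode_component(p) for p in parts)


def std_modules(demangled: List[str]) -> List[str]:
    """Sorted `std::<module>` names referenced anywhere in the demangled names (quick triage)."""
    found = set()
    for name in demangled:
        found.update(re.findall(r"\bstd::([A-Za-z_][A-Za-z0-9_]*)", name))
    return sorted(found)


if __name__ == "__main__":
    names = [demangle(s) for s in SAMPLE_SYMBOLS]
    for n in names:
        print(n)
    print("std modules referenced:", ", ".join(std_modules(names)))
```

Running it on the four sample symbols prints `core::ptr::drop_in_place<std::ffi::os_str::OsString>`, `<std::ffi::os_str::OsString as std::os::windows::ffi::OsStringExt>::from_wide`, `<std::fs::ReadDir as core::iter::traits::iterator::Iterator>::next` and `<std::sys_common::net::LookupHost as core::convert::TryFrom<(&str,u16)>>::try_from`. Feeding the full evidence list through `std_modules` shows the BLint capabilities are inferred from std library plumbing that any Rust program using `std::fs`, `std::net` or `std::process` links in; they say the binary can do these things, not that it does, and the sandbox behaviour above (external IP lookup, browser data access, VM checks) is the stronger signal.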

Comments