MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 307964ed02f34bff4e40c5402cc936be07fd9957ef400596a4b3e2cd98c50ec1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MilleniumRAT

Vendor detections: 14

Intelligence 14 IOCs YARA 18 File information Comments

SHA256 hash:	307964ed02f34bff4e40c5402cc936be07fd9957ef400596a4b3e2cd98c50ec1
SHA3-384 hash:	89056e8987b975de4c97a79b3eed221c17035e859d168849bc1cac14435df11f7ef2aeb6e86a9a1817097397f8fe622e
SHA1 hash:	73a5a94c1222fd333bf3be1322dd09e896159f1a
MD5 hash:	6dc5e2f50900ba1e7a4ee87f950fa409
humanhash:	maryland-undress-arizona-oxygen
File name:	307964ed02f34bff4e40c5402cc936be07fd9957ef400596a4b3e2cd98c50ec1
Download:	download sample
Signature	MilleniumRAT Create hunting rule
File size:	2'690'560 bytes
First seen:	2025-10-04 16:48:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	bfc94987b9a21a61fae666713d43dafc (4 x MilleniumRAT)
ssdeep	49152:1x3ohDyZ5FtDsBsslHw84eRGMPiBD3mzaMKRhpjjIrpHDnYhEmP4M:roA/shhJ4eRGa0hlIryh
TLSH	T135C58D62F786C0B2E5D301B052AEABF71D787634533594CBE3C01E6A59305D37A3AB1A
TrID	40.3% (.EXE) Win64 Executable (generic) (10522/11/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4504/4/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	Anonymous
Tags:	exe MilleniumRAT

Intelligence

File Origin

# of uploads :

# of downloads :

119

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

undercut-f1-3.3.1.zip

Verdict:

Malicious activity

Analysis date:

2025-09-25 14:39:51 UTC

Tags:

arch-exec arch-doc

Link:

https://app.any.run/tasks/7c8bdf50-ff86-46e4-a6b1-618d4a66a0f1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/30560/

Detection(s):

Win.Malware.Zusy-9774083-0

Win.Packed.Jalapeno-10038472-0

ditekSHen.INDICATOR.Packed.TriumphLoader.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68e14fe6a057c2dafb271465

Tags:

infosteal dropper stealer smtp

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Connection attempt

Sending a custom TCP request

DNS request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Creating a window

Setting a keyboard event handler

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug anti-vm cmd crypto expand fingerprint hacktool keylogger lolbin microsoft_visual_cc obfuscated remote threat zusy

Link:

https://www.filescan.io/uploads/68e14fd3c74bd2958b1590f7/reports/3b6a908d-5c1f-4226-93bc-4f31a035bf4a/overview

Verdict:

Malicious

Labled as:

Trojan.Malware.Generic

Link:

https://www.hybrid-analysis.com/sample/307964ed02f34bff4e40c5402cc936be07fd9957ef400596a4b3e2cd98c50ec1

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-08-13T14:26:00Z UTC

Last seen:

2025-10-04T16:12:00Z UTC

Hits:

~100

Link:

https://opentip.kaspersky.com/307964ed02f34bff4e40c5402cc936be07fd9957ef400596a4b3e2cd98c50ec1/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/03ab37d0-2911-4a2c-b77a-4db684e8174a

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/307964ed02f34bff4e40c5402cc936be07fd9957ef400596a4b3e2cd98c50ec1

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/6dc5e2f50900ba1e7a4ee87f950fa409

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/307964ed02f34bff4e40c5402cc936be07fd9957ef400596a4b3e2cd98c50ec1/

Verdict:

Malicious

Threat:

Family.MILLENIUMRAT

Link:

https://tip.neiki.dev/file/307964ed02f34bff4e40c5402cc936be07fd9957ef400596a4b3e2cd98c50ec1

Threat name:

Win32.Trojan.LummaStealer

Status:

Malicious

First seen:

2025-08-13 18:08:02 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

30 of 38 (78.95%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gb4wj3ic6nf76tsayvaczsjwxyd73gkx55aalfvewprm3ggfb3aq._file

Result

Malware family:

milleniumrat

Score:

10/10

Tags:

family:milleniumrat credential_access discovery rat spyware stealer

Link:

https://tria.ge/reports/251004-vbdz3sznw5/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Browser Information Discovery

System Location Discovery: System Language Discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Executes dropped EXE

Reads user/profile data of web browsers

Uses browser remote debugging

Detects MilleniumRAT stealer

MilleniumRat

Milleniumrat family

Verdict:

Malicious

Tags:

Win.Malware.Zusy-9774083-0

YARA:

n/a

Link:

https://app.threat.zone/submission/d7b84df4-14c6-42e5-ac5d-94c69fcfc257

Unpacked files

SH256 hash:

307964ed02f34bff4e40c5402cc936be07fd9957ef400596a4b3e2cd98c50ec1

MD5 hash:

6dc5e2f50900ba1e7a4ee87f950fa409

SHA1 hash:

73a5a94c1222fd333bf3be1322dd09e896159f1a

Link:

https://www.unpac.me/results/a772e7fe-8ee4-4c1c-905e-ab8c7ebc6e09/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/307964ed02f3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/307964ed02f34bff4e40c5402cc936be07fd9957ef400596a4b3e2cd98c50ec1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	APT_Sandworm_ArguePatch_Apr_2022_1 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detect ArguePatch loader used by Sandworm group for load CaddyWiper
Reference:	https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/

Rule name:	botnet_plaintext_c2 Create hunting rule
Author:	cip
Description:	Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs Create hunting rule
Author:	ditekSHen
Description:	Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing possible sandbox analysis VM names

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL Create hunting rule
Author:	ditekSHen
Description:	Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing possible sandbox analysis VM usernames

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	Macos_Infostealer_Wallets_8e469ea0 Create hunting rule
Author:	Elastic Security

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	WIN_WebSocket_Base64_C2_20250726 Create hunting rule
Author:	dogsafetyforeverone
Description:	Detects configuration strings used by malware to specify WebSocket command-and-control endpoints inside Base64-encoded data. It looks for prefixes such as '#ws://' or '#wss://' that were found in QuasarRAT configuration data.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/30560/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample