MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 336cee203c92efe8a8067f9c3ad71e3d7fd2d7231e6bce8381d5ec0243bf1e60. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BlackShades

Vendor detections: 15

Intelligence 15 IOCs YARA 13 File information Comments

SHA256 hash:	336cee203c92efe8a8067f9c3ad71e3d7fd2d7231e6bce8381d5ec0243bf1e60
SHA3-384 hash:	7b93919bfcefa8edb0eef0c3788600403fedbee76362735eb733fd03faea41e61b3d99da6c331516c8346655bc79e43e
SHA1 hash:	f0ebbf55a3a7a2397a3a65d875a0950029a3e119
MD5 hash:	cbb44cbda24c6c4eeba5e1e15e7970eb
humanhash:	east-march-idaho-east
File name:	hitclub.nagoya_119e0e0c_h_java-update.exe
Download:	download sample
Signature	BlackShades Create hunting rule
File size:	23'040 bytes
First seen:	2026-06-10 10:42:10 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (49'066 x AgentTesla, 20'016 x Formbook, 12'352 x SnakeKeylogger)
ssdeep	384:SBa4zd9rh29OPLS+Dze4LOLSgrrVwTlDCjfOhZwlU90goJgA3:SQ4zd9rs9uG+DfLqqcfc90z
TLSH	T127A24B05F7D88315E6FE8BB8ACB747444132F2479913DB9F0CCA506D6E267E08B50AA7
TrID	70.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.2% (.EXE) Win64 Executable (generic) (6522/11/2) 4.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	mgoku
Tags:	BlackShades

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

exe

Verdict:

Suspicious activity

Analysis date:

2026-06-10 10:43:17 UTC

Tags:

auto-reg

Link:

https://app.any.run/tasks/39c35783-7f79-4ce5-98c2-98ad6a9af609

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

CoreBot

Link:

https://www.capesandbox.com/analysis/70471/

Detection(s):

Win.Trojan.Barys-1

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a293fa4a15110463ee46f86

Tags:

nanocore nymeria

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Using the Windows Management Instrumentation requests

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm base64 cmd crypto csc fingerprint keylogger lolbin reconnaissance runonce vbc vbnet

Link:

https://www.filescan.io/uploads/6a29413b8161ac6cb55e65e2/reports/8c908c13-e9f3-4422-9670-9dba2ffde50e/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/336cee203c92efe8a8067f9c3ad71e3d7fd2d7231e6bce8381d5ec0243bf1e60

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-06-10T07:08:00Z UTC

Last seen:

2026-06-10T07:38:00Z UTC

Hits:

~100

Detections:

HEUR:Trojan.Win32.Generic Trojan.MSIL.Agent.sb Trojan-Downloader.MSIL.Voda.sb

Link:

https://opentip.kaspersky.com/336cee203c92efe8a8067f9c3ad71e3d7fd2d7231e6bce8381d5ec0243bf1e60/results?tab=lookup

Malware family:

Styx

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1e6a6c99-7114-48d4-a4e0-ff53e5840e63

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/336cee203c92efe8a8067f9c3ad71e3d7fd2d7231e6bce8381d5ec0243bf1e60

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/336cee203c92efe8a8067f9c3ad71e3d7fd2d7231e6bce8381d5ec0243bf1e60/

Threat name:

ByteCode-MSIL.Trojan.Jalapeno

Status:

Malicious

First seen:

2026-06-10 10:42:57 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 36 (72.22%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gnwo4ib4slx6rkagp6odvvy6hv75fvzddzv45a4b2xwaeq57dzqa._file

Verdict:

malicious

Label(s):

litehttp

Similar samples:

error

BlackShades

Result

Malware family:

n/a

Score:

6/10

Tags:

persistence

Link:

https://tria.ge/reports/260610-mr1vsaaw8q/

Behaviour

Suspicious use of AdjustPrivilegeToken

Adds Run key to start application

Unpacked files

SH256 hash:

336cee203c92efe8a8067f9c3ad71e3d7fd2d7231e6bce8381d5ec0243bf1e60

MD5 hash:

cbb44cbda24c6c4eeba5e1e15e7970eb

SHA1 hash:

f0ebbf55a3a7a2397a3a65d875a0950029a3e119

Detections:

win_blackshades_w0

win_litehttp_g0

Link:

https://www.unpac.me/results/57f16678-b909-4848-b499-c585a7f340f3/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/336cee203c92efe8a8067f9c3ad71e3d7fd2d7231e6bce8381d5ec0243bf1e60

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BlackShades_4 Create hunting rule
Author:	Jean-Philippe Teissier / @Jipe_
Description:	BlackShades

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	MALWARE_Win_CoreBot Create hunting rule
Author:	ditekSHen
Description:	Detects CoreBot

Rule name:	Multifamily_RAT_Detection Create hunting rule
Author:	Lucas Acha (http://www.lukeacha.com)
Description:	Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

Rule name:	win_blackshades_w0 Create hunting rule
Author:	Jean-Philippe Teissier / @Jipe_

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/70471/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample