MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 344b008fd380a81369d6c40dedc9d49c0b6b49532f928ee4c14cd812fac18cdd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 11

Intelligence 11 IOCs YARA 6 File information Comments

SHA256 hash:	344b008fd380a81369d6c40dedc9d49c0b6b49532f928ee4c14cd812fac18cdd
SHA3-384 hash:	47e363c603e61183b45212c735684839b4961679ad6669d5f3b8b8bcfae0afcfca63cd7a8837f1a0b5d18506559f8513
SHA1 hash:	891a0ffb5acdd6fb77b815151c015bab7551a3c3
MD5 hash:	384ac221dd7c10fb083e422643088507
humanhash:	blue-bravo-pasta-crazy
File name:	file
Download:	download sample
File size:	368'128 bytes
First seen:	2026-02-01 17:00:27 UTC
Last seen:	2026-02-01 22:01:03 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	c546646952cb160243a67da7651da44c (1 x ClipBanker)
ssdeep	6144:XnsuD9WKIz8Ht/zVcTVQgvVHytj23vf/tRW00NnT5VxZ:XnsuhIz8HVDuVHytj2/tRWdNn
TLSH	T18B747C56BAA418F9E57B853CC9530A06D7F2BC660760DBDF03A046961F277E08E3DB21
TrID	48.7% (.EXE) Win64 Executable (generic) (10522/11/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	Bitsight
Tags:	01x02x2026 dropped-by-Stealc exe

Bitsight

url: http://196.251.107.130/Loader.exe

Intelligence

File Origin

# of uploads :

# of downloads :

132

Origin country :

Vendor Threat Intelligence

Gathering data

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2026-02-01 17:02:27 UTC

Tags:

auto-sch auto-reg

Link:

https://app.any.run/tasks/71a046e2-cc00-4368-9968-f574866f7bdc

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Gathering data

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=697f86c4d93e7233498c617f

Tags:

autorun cobalt emotet

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug anti-vm exploit explorer fingerprint lolbin microsoft_visual_cc schtasks

Link:

https://www.filescan.io/uploads/697f86bc981ff1d38a43b766/reports/f0284be8-38cd-4059-a228-0c110ef58e85/overview

Verdict:

Malicious

Labled as:

Trojan.Loader.Marte.6.Generic

Link:

https://www.hybrid-analysis.com/sample/344b008fd380a81369d6c40dedc9d49c0b6b49532f928ee4c14cd812fac18cdd

Result

Gathering data

Malware family:

MuddyWater

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/389b9149-f878-42ba-a08f-8755c8fa64bd

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/344b008fd380a81369d6c40dedc9d49c0b6b49532f928ee4c14cd812fac18cdd

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/384ac221dd7c10fb083e422643088507

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/344b008fd380a81369d6c40dedc9d49c0b6b49532f928ee4c14cd812fac18cdd/

Verdict:

Malicious

Threat:

Trojan.Win32.Agent

Link:

https://tip.neiki.dev/file/344b008fd380a81369d6c40dedc9d49c0b6b49532f928ee4c14cd812fac18cdd

Threat name:

Win64.Infostealer.ClipBanker

Status:

Malicious

First seen:

2026-02-01 17:00:49 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

18 of 36 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=grfqbd6tqcubg2owyqg63soutqfwwsktf6ji5zgbjtmbf6wbrtoq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

execution persistence

Link:

https://tria.ge/reports/260201-vjbvpaas8c/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Enumerates physical storage devices

Adds Run key to start application

Checks computer location settings

Unpacked files

SH256 hash:

344b008fd380a81369d6c40dedc9d49c0b6b49532f928ee4c14cd812fac18cdd

MD5 hash:

384ac221dd7c10fb083e422643088507

SHA1 hash:

891a0ffb5acdd6fb77b815151c015bab7551a3c3

Link:

https://www.unpac.me/results/6328401e-461e-4763-bb92-1d907cc64e26/

SH256 hash:

92fb8efae425893d65e36ce1a991c1ebc26a6512929921c835a37fafe8306874

MD5 hash:

fb6dcfc53ffb3d1e75f5ac84eeb42171

SHA1 hash:

89c0ddde7c9d3b14cb7fd3dfc367563659ba0b67

Detections:

ReflectiveLoader

INDICATOR_SUSPICIOUS_ReflectiveLoader

Link:

https://www.unpac.me/results/6328401e-461e-4763-bb92-1d907cc64e26/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/344b008fd380/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_SUSPICIOUS_ReflectiveLoader Create hunting rule
Author:	ditekSHen
Description:	Detects Reflective DLL injection artifacts

Rule name:	ReflectiveLoader Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 344b008fd380a81369d6c40dedc9d49c0b6b49532f928ee4c14cd812fac18cdd

(this sample)

Dropped by

StealC

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/51114/

URLhaus

https://urlhaus.abuse.ch/url/3767348/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample