MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 34a3a030d178596f4c711d0f0a1318f00508e5602d625a38aee12a52cdfb9d29. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 33 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 34a3a030d178596f4c711d0f0a1318f00508e5602d625a38aee12a52cdfb9d29
SHA3-384 hash: daf2db51a89cba9fdb6909e5c84d71719f69b33d909998a55a57f436593cfafcf0da516bc9330633ac0f9c07e647e3d1
SHA1 hash: 7972c46219d78e58418d74efae000dcf1326e86d
MD5 hash: d2d1cd2f323fba58d98107ac4d998939
humanhash: neptune-thirteen-orange-quebec
File name:Xtc Sab.exe
Download: download sample
File size:44'980'472 bytes
First seen:2026-02-27 09:32:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f0486e7e054aa57188c99b0f71783b75 (3 x NodeLoader, 2 x LummaStealer, 1 x DiscordTokenStealer)
ssdeep 786432:R3on1HvSzxAMNLFZArYsXLEfpPv9B7OZyf5KI8:RYn1HvSpNLXmXLENz/H8
TLSH T184A7BF03B2A501E5E4B7D1388AA75203D772B8674731CACF325D02161FBBAE09A7F765
TrID 51.9% (.EXE) Win64 Executable (generic) (6522/11/2)
16.1% (.EXE) OS/2 Executable (generic) (2029/13)
15.9% (.EXE) Generic Win/DOS Executable (2002/3)
15.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter burger
Tags:exe signed stealer

Code Signing Certificate

Organisation:Winsider Seminars & Solutions, Inc.
Issuer:Winsider Seminars & Solutions, Inc.
Algorithm:sha256WithRSAEncryption
Valid from:2026-02-26T09:59:43Z
Valid to:2027-02-26T10:09:43Z
Serial number: 19ac5a2f70bd0fac4f1f8ddc3c2d0dfc
Thumbprint Algorithm:SHA256
Thumbprint: d0043d074e688bc20413d12df22e7c174fa927dc43f2f07881e73e8265790b5d
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
160
Origin country :
NL NL
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/858b2af5-b23b-478e-bf44-ae9578578c5f/
Malware family:
n/a
ID:
1
File name:
XtcSab.exe
Verdict:
Malicious activity
Analysis date:
2026-02-27 09:31:26 UTC
Tags:
auto-sch stealer doenerium evasion discord nodejs
Link:
https://app.any.run/tasks/b9c246cc-3d4d-4e0a-92a2-c6920f0fb5e9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69a164568fffa866e3b2b0ba
Tags:
obfuscate autorun shell sage
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context anti-debug crypto doenerium expand fingerprint lolbin microsoft_visual_cc overlay packed pkg signed
Link:
https://www.filescan.io/uploads/69a164aa97feb4afd65ef5fa/reports/77c3c3b1-f255-4931-b83e-33b78e750e1b/overview
Verdict:
Malicious
Labled as:
Trojan.Win64.Doenerium
Link:
https://www.hybrid-analysis.com/sample/34a3a030d178596f4c711d0f0a1318f00508e5602d625a38aee12a52cdfb9d29
Verdict:
Malicious
File Type:
exe x64
Detections:
Trojan-Dropper.Win32.Agent.sb PDM:Trojan.Win32.Generic Trojan-PSW.Win32.Xploder.sb Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Disco.sb
Link:
https://opentip.kaspersky.com/34a3a030d178596f4c711d0f0a1318f00508e5602d625a38aee12a52cdfb9d29/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1875844
Signature
AI detected suspicious PE digital signature
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Obfuscated command line found
Potential Privilege Escalation using Task Scheduler highest RunLevel
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: MSHTA Suspicious Execution 01
Sigma detected: Schedule VBS From Appdata
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses attrib.exe to hide files
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
WScript reads language and country specific registry keys (likely country aware script)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1875844 Sample: Xtc Sab.exe Startdate: 27/02/2026 Architecture: WINDOWS Score: 100 66 mrbfederali.cam 2->66 68 ip-api.com 2->68 70 2 other IPs or domains 2->70 92 Sigma detected: Schedule VBS From Appdata 2->92 94 Obfuscated command line found 2->94 96 Sigma detected: MSHTA Suspicious Execution 01 2->96 98 6 other signatures 2->98 10 Xtc Sab.exe 75 2->10         started        15 wscript.exe 2->15         started        signatures3 process4 dnsIp5 76 ip-api.com 208.95.112.1, 49726, 80 TUT-ASUS United States 10->76 78 discord.com 162.159.136.232, 443, 49727 CLOUDFLARENETUS United States 10->78 80 mrbfederali.cam 172.67.205.179, 443, 49728, 49729 CLOUDFLARENETUS United States 10->80 58 C:\Users\user\AppData\...\lipIZd2r.vbs, ASCII 10->58 dropped 60 C:\Users\user\AppData\...\Yq3mH57P.xml, data 10->60 dropped 62 C:\Users\user\AppData\...\WofQHq1x.exe, PE32+ 10->62 dropped 64 2 other files (none is malicious) 10->64 dropped 100 Obfuscated command line found 10->100 102 Tries to harvest and steal browser information (history, passwords, etc) 10->102 17 cmd.exe 1 10->17         started        20 cmd.exe 1 10->20         started        22 cmd.exe 10->22         started        26 10 other processes 10->26 104 Windows Scripting host queries suspicious COM object (likely to drop second stage) 15->104 106 WScript reads language and country specific registry keys (likely country aware script) 15->106 24 WofQHq1x.exe 15->24         started        file6 signatures7 process8 signatures9 84 Suspicious powershell command line found 17->84 86 Obfuscated command line found 17->86 88 Encrypted powershell cmdline option found 17->88 90 4 other signatures 17->90 28 net.exe 1 17->28         started        30 conhost.exe 17->30         started        32 powershell.exe 37 20->32         started        35 conhost.exe 20->35         started        44 2 other processes 22->44 37 cmd.exe 24->37         started        39 cmd.exe 1 26->39         started        41 curl.exe 26->41         started        46 18 other processes 26->46 process10 dnsIp11 48 net1.exe 1 28->48         started        82 Loading BitLocker PowerShell Module 32->82 50 net.exe 37->50         started        52 conhost.exe 37->52         started        54 mshta.exe 39->54         started        72 catbox.moe 108.181.20.35, 443, 49725 ASN852CA Canada 41->72 74 127.0.0.1 unknown unknown 41->74 signatures12 process13 process14 56 net1.exe 50->56         started       
Score:
19%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/34a3a030d178596f4c711d0f0a1318f00508e5602d625a38aee12a52cdfb9d29
Gathering data
Verdict:
Malicious
Threat:
Family.DOENERIUM
Link:
https://tip.neiki.dev/file/34a3a030d178596f4c711d0f0a1318f00508e5602d625a38aee12a52cdfb9d29
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gsr2amgrpbmw6tdrduhqueyy6acqrzlafvrfuofo4evfftp3tuuq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
defense_evasion discovery execution persistence spyware stealer
Link:
https://tria.ge/reports/260227-lhtjnsbx2f/
Behaviour
Checks processor information in registry
Runs net.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
Command and Scripting Interpreter: PowerShell
An obfuscated cmd.exe command-line is typically used to evade detection.
Enumerates processes with tasklist
Hide Artifacts: Hidden Files and Directories
Contacts third-party web service commonly abused for C2
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/34a3a030d178596f4c711d0f0a1318f00508e5602d625a38aee12a52cdfb9d29

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_202409_html_FedEx_phish
Create hunting rule
Author:abuse.ch
Description:Detects potential HTML FedEx phishing forms
Rule name:APT_Bitter_ZxxZ_Downloader
Create hunting rule
Author:SECUINFRA Falcon Team (@SI_FalconTeam)
Description:Detects Bitter (T-APT-17) ZxxZ Downloader
Reference:https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh
Rule name:attack_India
Create hunting rule
Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:Glasses
Create hunting rule
Author:Seth Hardy
Description:Glasses family
Rule name:GlassesCode
Create hunting rule
Author:Seth Hardy
Description:Glasses code features
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:ldpreload
Create hunting rule
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:Mimikatz_Generic
Create hunting rule
Author:Still
Description:attempts to match all variants of Mimikatz
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Pkg
Create hunting rule
Author:nwunderly
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Sus_All_Windows_PE_Malware
Create hunting rule
Author:DiegoAnalytics
Description:Detects Windows PE malware of all types, avoids non-executables like .html
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:test_Malaysia
Create hunting rule
Author:rectifyq
Description:Detects file containing malaysia string
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:WHIRLPOOL_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for WhirlPool constants
Rule name:WinosStager
Create hunting rule
Author:YungBinary
Description:https://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments