MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36c5f14241106fde788c2f4ed1d9c7d6739a450a3fe25ad1cb3efbb4d59be624. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RONINGLOADER


Vendor detections: 14


Intelligence 14 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 36c5f14241106fde788c2f4ed1d9c7d6739a450a3fe25ad1cb3efbb4d59be624
SHA3-384 hash: 3025ae9176eed25fbce123a855a704643f296659124f671a07971629a23ca556ad1d8b485251b2601aaedabd96d0f883
SHA1 hash: 40a04e0dcb9101b01a44821afab93f408ac3f74e
MD5 hash: 719444e789ebe9d388778f65301e7732
humanhash: nuts-mirror-virginia-early
File name:Lestenmsy.exe
Download: download sample
Signature RONINGLOADER
Create hunting rule
File size:51'627'231 bytes
First seen:2026-01-05 12:43:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 46ce5c12b293febbeb513b196aa7f843 (15 x GuLoader, 6 x RemcosRAT, 5 x VIPKeylogger)
ssdeep 1572864:sjuRphMoWZM1J7Um+YguQ+DOLqO1dWfciLwkGpRg+D:sjunhuMUzX+yLqO1dWHskw1D
Threatray 61 similar samples on MalwareBazaar
TLSH T161B733767C6AEC0CF6760B72E4012AE6C9D52DDB6480902D9AA67873F23CE13915FC53
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter smica83
Tags:exe RONINGLOADER

Intelligence

File Origin
# of uploads :
1
# of downloads :
137
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
NSIS
Details
Link:
https://research.acce.ciphertechsolutions.com/results/879bf02d-f033-45e8-9f78-4d89f4864de1/
Malware family:
n/a
ID:
1
File name:
_36c5f14241106fde788c2f4ed1d9c7d6739a450a3fe25ad1cb3efbb4d59be624.exe
Verdict:
Malicious activity
Analysis date:
2026-01-05 12:46:55 UTC
Tags:
roning loader anti-evasion
Link:
https://app.any.run/tasks/0f90e4c6-b760-4979-9fb5-42eb526790ec

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Clean
Score:
89.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=695bb1f0d2357cccc3df9d73
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Creating a service
Launching a service
Loading a system driver
Creating a file in the Windows directory
Creating a file in the Windows subdirectories
Launching a process
Loading a suspicious library
Running batch commands
Creating a process with a hidden window
Forced system process termination
Creating a file in the system32 directory
Creating a file in the system32 subdirectories
Сreating synchronization primitives
Creating a window
Using the Windows Management Instrumentation requests
Enabling autorun for a service
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug blackhole fingerprint installer installer installer-heuristic microsoft_visual_cc nsis overlay packed
Link:
https://www.filescan.io/uploads/695bb1e68d1aa9829e2ad3dc/reports/2f6b628f-0b2b-4255-863a-5be8c5dcf802/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/36c5f14241106fde788c2f4ed1d9c7d6739a450a3fe25ad1cb3efbb4d59be624
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-01-05T09:25:00Z UTC
Last seen:
2026-01-05T11:33:00Z UTC
Hits:
~100
Detections:
Trojan.Win64.Loader.dmq Trojan.Win32.PoolInject.sba Trojan.Win32.DLLhijack.addh Trojan.Win32.Arkmblk.agf Trojan.DLLhijack.TCP.ServerRequest Trojan.Win32.Agent.sb
Link:
https://opentip.kaspersky.com/36c5f14241106fde788c2f4ed1d9c7d6739a450a3fe25ad1cb3efbb4d59be624/results?tab=lookup
Result
Threat name:
KeyLogger
Create hunting rule
Detection:
malicious
Classification:
spre.spyw.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1844862
Signature
Allocates memory in foreign processes
Benign windows process drops PE files
Bypasses PowerShell execution policy
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Found driver which could be used to inject code into processes
Found evasive API chain checking for user administrative privileges
Found stalling execution ending in API Sleep call
Infects executable files (exe, dll, sys, html)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Monitors registry run keys for changes
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sample is not signed and drops a device driver
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Suricata IDS alerts for network traffic
Tries to access browser extension known for cryptocurrency wallets
Unusual module load detection (module proxying)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1844862 Sample: Lestenmsy.exe Startdate: 05/01/2026 Architecture: WINDOWS Score: 80 97 yandex.com 2->97 99 www.yandex.com 2->99 101 10 other IPs or domains 2->101 129 Suricata IDS alerts for network traffic 2->129 131 Found driver which could be used to inject code into processes 2->131 133 Bypasses PowerShell execution policy 2->133 135 4 other signatures 2->135 9 Lestenmsy.exe 2 27 2->9         started        12 regsvr32.exe 1 2->12         started        15 svchost.exe 2->15         started        17 7 other processes 2->17 signatures3 process4 file5 89 C:\Program Files\Zou\...\iNHKvsb5.exe, PE32+ 9->89 dropped 91 C:\Program Files\Zou\guP7xhiS\...\W9JCu4.exe, PE32 9->91 dropped 93 C:\Users\user\...\nsis_tauri_utils.dll, PE32 9->93 dropped 95 2 other files (none is malicious) 9->95 dropped 19 iNHKvsb5.exe 3 22 9->19         started        24 W9JCu4.exe 10 303 9->24         started        149 Writes to foreign memory regions 12->149 151 Allocates memory in foreign processes 12->151 153 Creates a thread in another existing process (thread injection) 12->153 26 elevation_service.exe 1 12->26         started        28 cmd.exe 1 12->28         started        155 Changes security center settings (notifications, updates, antivirus, firewall) 15->155 30 WmiPrvSE.exe 17->30         started        signatures6 process7 dnsIp8 103 www.wshifen.com 103.235.46.115, 49690, 80 BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd Hong Kong 19->103 105 127.0.0.1 unknown unknown 19->105 73 C:\Users\user\AppData\Local\...\vmservice.sys, PE32+ 19->73 dropped 75 C:\Users\user\AppData\Local\...\vally3dka.sys, PE32+ 19->75 dropped 77 C:\ProgramData\DiamondAge\diamondage.exe, PE32+ 19->77 dropped 85 6 other files (1 malicious) 19->85 dropped 137 Writes to foreign memory regions 19->137 139 Allocates memory in foreign processes 19->139 141 Sample is not signed and drops a device driver 19->141 143 Found direct / indirect Syscall (likely to bypass EDR) 19->143 32 svchost.exe 163 1 19->32 injected 36 ClipUp.exe 1 19->36         started        38 cmd.exe 2 19->38         started        79 C:\Program Files (x86)\...\tap0901.sys, PE32+ 24->79 dropped 81 C:\...\AddWindowsSecurityExclusion.ps1, ASCII 24->81 dropped 83 C:\Users\user\AppData\Local\...\nsProcess.dll, PE32 24->83 dropped 87 222 other files (none is malicious) 24->87 dropped 40 powershell.exe 24->40         started        42 tapinstall.exe 24->42         started        145 Maps a DLL or memory area into another process 26->145 147 Creates a thread in another existing process (thread injection) 26->147 44 ctfmon.exe 2 26->44 injected 47 tasklist.exe 1 28->47         started        49 conhost.exe 28->49         started        51 17 other processes 28->51 file9 signatures10 process11 dnsIp12 69 C:\Windows\Temp\vally3dka.sys, PE32+ 32->69 dropped 109 Benign windows process drops PE files 32->109 111 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 32->111 113 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 32->113 125 3 other signatures 32->125 53 dllhost.exe 32->53         started        55 dllhost.exe 32->55         started        71 C:\ProgramData\Microsoft\...\MsMpEng.exe, Unicode 36->71 dropped 115 Infects executable files (exe, dll, sys, html) 36->115 57 conhost.exe 36->57         started        59 conhost.exe 38->59         started        117 Loading BitLocker PowerShell Module 40->117 61 conhost.exe 40->61         started        63 conhost.exe 40->63         started        65 conhost.exe 42->65         started        107 104.233.255.50, 49691, 49697, 5551 ANCHGLOBAL-AS-APAnchnetAsiaLimitedHK United States 44->107 119 Contains functionality to inject threads in other processes 44->119 121 Contains functionality to capture and log keystrokes 44->121 123 Contains functionality to inject code into remote processes 44->123 127 6 other signatures 44->127 67 svchost.exe 44->67         started        file13 signatures14 process15
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/36c5f14241106fde788c2f4ed1d9c7d6739a450a3fe25ad1cb3efbb4d59be624
Gathering data
Verdict:
Malicious
Threat:
Trojan.Win32.TCP
Link:
https://tip.neiki.dev/file/36c5f14241106fde788c2f4ed1d9c7d6739a450a3fe25ad1cb3efbb4d59be624
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g3c7cqsbcbx546emf5hndwoh2zzzurikh7rfvuolh353jvm34ysa._file
Verdict:
malicious
Label(s):
swordldr
Create hunting rule
roningloader
Create hunting rule
Similar samples:
26cac2ab8683aa18cb4e7932de11c86e78fb91253af15572de7bddc96f5a8312
RONINGLOADER
3218d686f3a0ba0023a7fa4bbe6de07e2b1c470d16473c09b62429c748a15f71
RONINGLOADER
3353b527278eb5ae8bd88208713e242b915c3973b1b03407e164439da18c13bd
RONINGLOADER
5eb2299706493e2a6a3c30c2253ffbf0f644515745035b7f858e5b90d29c5662
RONINGLOADER
61384828a758382e02a459aab3b87cad8d039c956271d789354daeee3d8167af
RONINGLOADER
77e3aa52af76164ecf15fe59fc7e69ea046dd6e182aa12b8f4516f765124eee4
RONINGLOADER
7ecc66f3acc217ed6d753252d029cb0843ad575f9ab024e5b00d08413065d2f8
RONINGLOADER
d378fabc30fb2defa95124ca6220497dcdc0f95253afaf0f209810ba68db64a5
RONINGLOADER
d50d571877adadf7c0b550b2e30b180821d5851197a4c59f6ef49e2302260c58
RONINGLOADER
error
RONINGLOADER
f82642748a408a33da205c657ddc9bb41f720d09e19b22ca3165d347361ee99e
RONINGLOADER
+ 51 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion discovery execution persistence privilege_escalation spyware trojan
Link:
https://tria.ge/reports/260105-px8tpafj9y/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Gathers network information
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Enumerates processes with tasklist
Adds Run key to start application
Checks installed software on the system
Network Service Discovery
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Drops file in Drivers directory
Modifies Windows Firewall
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/cb0d2a47-ed0b-43d9-8e91-3724b0eb65ed
Malware family:
ValleyRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/36c5f1424110/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/36c5f14241106fde788c2f4ed1d9c7d6739a450a3fe25ad1cb3efbb4d59be624

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:EDR_Killer_EDR_Freeze_Tool
Create hunting rule
Author:Valton Tahiri (cybee.ai)
Description:Detects EDR-Freeze tool in memory - EDR/AV freezing malware
Reference:https://www.linkedin.com/in/valton-tahiri/
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:GenericGh0st
Create hunting rule
Author:Still
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Suspicious_Process
Create hunting rule
Author:Security Research Team
Description:Suspicious process creation
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Trojan_Gh0st_9e4bb0ce
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments