MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c7a52bfcdd2de7c1b9b8b291c6a9897633d66da189dbd325c495f8a76ed3a9e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 11

Intelligence 11 IOCs YARA 24 File information Comments

SHA256 hash:	3c7a52bfcdd2de7c1b9b8b291c6a9897633d66da189dbd325c495f8a76ed3a9e
SHA3-384 hash:	14022414452b302c7450ed630cfaefd6092d2bb08ee774f38d3fe285d2b235e09144000c5d85277b553a56a240607349
SHA1 hash:	3b97e08ad97d5e30f219f31f6e48e02f36a5db6e
MD5 hash:	44775c5bffae3d05b732b3b36b83276a
humanhash:	black-hawaii-uranus-zulu
File name:	mpclient.dll
Download:	download sample
File size:	4'073'648 bytes
First seen:	2026-06-29 19:45:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d8b31f8c03e0c76ff245ed05a15ffe6c (87 x Vidar, 12 x RemusStealer, 4 x Stealc)
ssdeep	49152:pO4LmYWM1g0Rwb12vhY+EcRMcWpIQnvwFwYJ3p0dVr/1YVty526:pLxo+m+VMppISvwFwY5p0dVrX26
Threatray	27 similar samples on MalwareBazaar
TLSH	T199169D0BBDD18979C4AA933589B706427B7CBC1D4B3627D32E50B23A2E367D05D7AB04
TrID	45.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 18.0% (.EXE) Win64 Executable (generic) (6522/11/2) 13.9% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.6% (.ICL) Windows Icons Library (generic) (2059/9) 5.6% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	kejult
Tags:	dll exe signed Stealc stealer vidar

Code Signing Certificate

Organisation:	auburn.edu
Issuer:	auburn.edu
Algorithm:	sha256WithRSAEncryption
Valid from:	2026-06-29T11:19:19Z
Valid to:	2027-06-29T11:19:19Z
Serial number:	7f494734f9d1c009
Thumbprint Algorithm:	SHA256
Thumbprint:	fdb9521ae1fe68027db79c4cfc87af31339f85c18a00b753be207b0b009f2d05
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

143

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

vidar

ID:

File name:

mpclient.dll

Verdict:

Malicious activity

Analysis date:

2026-06-29 19:43:50 UTC

Tags:

stealer stealc vidar golang

Link:

https://app.any.run/tasks/18ce9ddc-4a77-4cd4-9986-07c593ef6c52

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/72390/

Detection(s):

SecuriteInfo.com.Win64.Evo-gen.15186482.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a42cb7b1548daf709fb0edc

Tags:

injection obfusc virus

Result

Verdict:

Clean

Maliciousness:

Behaviour

Launching the default Windows debugger (dwwin.exe)

Launching a service

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

adaptive-context anti-debug anti-vm base64 crypto golang masquerade mingw overlay packed signed

Link:

https://www.filescan.io/uploads/6a42cb6e515df40059b3ee0c/reports/680b96c9-34f5-4cdb-911a-2a563e6ddef3/overview

Verdict:

Malicious

Labled as:

Win64/GenKryptik.HRGN trojan

Link:

https://www.hybrid-analysis.com/sample/3c7a52bfcdd2de7c1b9b8b291c6a9897633d66da189dbd325c495f8a76ed3a9e

Verdict:

Malicious

File Type:

dll x64

First seen:

2026-06-29T12:40:00Z UTC

Last seen:

2026-06-30T02:14:00Z UTC

Hits:

~100

Detections:

VHO:Backdoor.Win64.Gsb.gen Trojan.Win64.Agent.sb Trojan-PSW.Stealerc.TCP.C&C Trojan-PSW.Stealerc.HTTP.C&C Backdoor.Win64.Gsb.chf Backdoor.Win64.Gsb.sb

Link:

https://opentip.kaspersky.com/3c7a52bfcdd2de7c1b9b8b291c6a9897633d66da189dbd325c495f8a76ed3a9e/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/d65af214-311c-4108-88c6-d7e98a74ffc7

Score:

61%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/3c7a52bfcdd2de7c1b9b8b291c6a9897633d66da189dbd325c495f8a76ed3a9e

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3c7a52bfcdd2de7c1b9b8b291c6a9897633d66da189dbd325c495f8a76ed3a9e/

Verdict:

Malicious

Threat:

Family.STEALC

Link:

https://tip.neiki.dev/file/3c7a52bfcdd2de7c1b9b8b291c6a9897633d66da189dbd325c495f8a76ed3a9e

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hr5ffp6n2lphyg43rmury2uys5rt2zw2dco32ms4jfpyu5xnhkpa._file

Verdict:

malicious

Label(s):

vidar

147c4f3da4b13ba13048e762128aeaf1270a9c9a47c7caf481feb947e4428794

1fd846232a824c1a06a36ca88ac968fa11d169a0986071d1fc0c8b132d7e3aec

2e41e1e4a45fdd39a18af69832092b848f3abe3cb94b085326ccbc450186c842

a3fed15f05903e3bb645f059a65f5e56ffeab45ab02f535d6df263d4363a6628

be31cb864127a72378b5eb989a68f4ef52b2f09430170fd1d4d090f272d2235e

c097558130cf957989c38f44e1a542412c4964d380fdba85197d83d5a83a8c56

e9c6dda67b1da1be30f8b0d4c7ff329c6b9831ae2c413742bbe59cc66690a630

eb6e197aac617db26ef7441d616baa523fff9eace9f7330da70c830494afd455

error

+ 17 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

credential_access discovery spyware stealer

Link:

https://tria.ge/reports/260629-ygtt9sez7r/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Browser Information Discovery

System Time Discovery

Drops file in Windows directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks installed software on the system

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Badlisted process makes network request

Suspicious use of NtCreateProcessExOtherParentProcess

Unpacked files

SH256 hash:

3c7a52bfcdd2de7c1b9b8b291c6a9897633d66da189dbd325c495f8a76ed3a9e

MD5 hash:

44775c5bffae3d05b732b3b36b83276a

SHA1 hash:

3b97e08ad97d5e30f219f31f6e48e02f36a5db6e

Link:

https://www.unpac.me/results/9e59bbe6-16e4-479f-9aef-4e0744cd0c37/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/3c7a52bfcdd2de7c1b9b8b291c6a9897633d66da189dbd325c495f8a76ed3a9e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectGoMethodSignatures Create hunting rule
Author:	Wyatt Tauber
Description:	Detects Go method signatures in unpacked Go binaries

Rule name:	Detect_Go_GOMAXPROCS Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	Golangmalware Create hunting rule
Author:	Dhanunjaya
Description:	Malware in Golang

Rule name:	golang_binary_string Create hunting rule
Description:	Golang strings present

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	golang_duffcopy_amd64 Create hunting rule

Rule name:	Golang_Find_CSC846 Create hunting rule
Author:	Ashar Siddiqui
Description:	Find Go Signatuers

Rule name:	Golang_Find_CSC846_Simple Create hunting rule
Author:	Ashar Siddiqui
Description:	Find Go Signatuers

Rule name:	HiveRansomware Create hunting rule
Author:	Dhanunjaya
Description:	Yara Rule To Detect Hive V4 Ransomware

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	ProgramLanguage_Golang Create hunting rule
Author:	albertzsigovits
Description:	Application written in Golang programming language

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Suspicious_Golang_Binary Create hunting rule
Author:	Tim Machac
Description:	Triage: Golang-compiled binary with suspicious OS/persistence/network strings (not family-specific)

Rule name:	telebot_framework Create hunting rule
Author:	vietdx.mb

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE Create hunting rule
Author:	CYFARE
Description:	Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:	https://cyfare.net/