MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e640051b73b7e12ae3cb6929e7f50f1ebe5f8eac583ee82395c8bcc35b8fda0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CredentialFlusher


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3e640051b73b7e12ae3cb6929e7f50f1ebe5f8eac583ee82395c8bcc35b8fda0
SHA3-384 hash: 5a21c116f33ded0d1f88bae782483b30e0807876aea75e2e17b6fe69f1f4d84ff9ddb24b6a86f3cdd7acc9f6ea430295
SHA1 hash: 32dce256a057b8db15016fcc5aeeef81f026f7ba
MD5 hash: c218cd8e0e13d23a41eb1117201cea7d
humanhash: venus-winner-early-west
File name:random.exe
Download: download sample
Signature CredentialFlusher
Create hunting rule
File size:2'335'232 bytes
First seen:2025-09-17 12:52:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:o9BlQsZiJ0jZUctMlkUj7WxRlTd9Hsl7Ra2tD3DmsKCCPdO39YSxjqfYJ2B:o9BlQKa0tWGUjKHpVstRNtDzqPUNxxeD
TLSH T1CCB5334471E55CBAC459F771A29ED94D98333CF21A86BA3D8BCCB60D389009BA543E1F
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4504/4/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:CredentialFlusher exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
68
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
random.exe
Verdict:
Malicious activity
Analysis date:
2025-09-17 09:46:36 UTC
Tags:
credentialflusher autoit themida
Link:
https://app.any.run/tasks/09e2146a-cdd0-4ea9-8821-0ab51d52edb5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/27916/
Detection(s):
no reply from clamd
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68ca837b88b95443924725f2
Tags:
malcrypt spawn sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Creating a window
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for the window
Launching a process
Searching for the browser window
Connection attempt
DNS request
Sending a custom TCP request
Launching a tool to kill processes
Forced shutdown of a browser
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
microsoft_visual_cc obfuscated overlay overlay packed packed themidawinlicense zero
Link:
https://www.filescan.io/uploads/68caaf8edbc6f5a29c49bed7/reports/be993f90-cb17-4843-b707-5548391c465e/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/3e640051b73b7e12ae3cb6929e7f50f1ebe5f8eac583ee82395c8bcc35b8fda0
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-17T07:05:00Z UTC
Last seen:
2025-09-17T07:05:00Z UTC
Hits:
~10
Detections:
VHO:Trojan.Win32.Phpw.bwkd HEUR:Trojan.Win32.Generic Trojan.Win32.Phpw.bwkd
Link:
https://opentip.kaspersky.com/3e640051b73b7e12ae3cb6929e7f50f1ebe5f8eac583ee82395c8bcc35b8fda0/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/0949fc38-e958-40ac-b801-af6ebe2b475d
Result
Threat name:
Credential Flusher
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1779250
Signature
Antivirus / Scanner detection for submitted sample
Binary is likely a compiled AutoIt script file
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Potentially malicious time measurement code found
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Yara detected Credential Flusher
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1779250 Sample: random.exe Startdate: 17/09/2025 Architecture: WINDOWS Score: 100 48 youtube.com 2->48 50 youtube-ui.l.google.com 2->50 52 78 other IPs or domains 2->52 60 Antivirus / Scanner detection for submitted sample 2->60 62 Multi AV Scanner detection for submitted file 2->62 64 Yara detected Credential Flusher 2->64 66 2 other signatures 2->66 9 random.exe 2->9         started        12 firefox.exe 2->12         started        signatures3 process4 signatures5 68 Detected unpacking (changes PE section rights) 9->68 70 Binary is likely a compiled AutoIt script file 9->70 72 Tries to detect sandboxes and other dynamic analysis tools (window names) 9->72 74 5 other signatures 9->74 14 firefox.exe 1 9->14         started        16 taskkill.exe 1 9->16         started        18 taskkill.exe 1 9->18         started        22 4 other processes 9->22 20 firefox.exe 12->20         started        process6 process7 24 firefox.exe 3 435 14->24         started        28 conhost.exe 16->28         started        30 conhost.exe 18->30         started        32 conhost.exe 22->32         started        34 conhost.exe 22->34         started        36 conhost.exe 22->36         started        dnsIp8 54 play.google.com 142.250.188.238, 443, 49756, 55017 GOOGLEUS United States 24->54 56 youtube.com 142.250.189.14, 443, 49695, 58553 GOOGLEUS United States 24->56 58 19 other IPs or domains 24->58 44 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 24->44 dropped 46 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 24->46 dropped 38 firefox.exe 1 24->38         started        40 firefox.exe 24->40         started        42 firefox.exe 24->42         started        file9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3e640051b73b7e12ae3cb6929e7f50f1ebe5f8eac583ee82395c8bcc35b8fda0
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/c218cd8e0e13d23a41eb1117201cea7d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3e640051b73b7e12ae3cb6929e7f50f1ebe5f8eac583ee82395c8bcc35b8fda0/
Verdict:
Malicious
Threat:
Trojan.Win32
Link:
https://tip.neiki.dev/file/3e640051b73b7e12ae3cb6929e7f50f1ebe5f8eac583ee82395c8bcc35b8fda0
Threat name:
Win32.Infostealer.Tinba
Create hunting rule
Status:
Malicious
First seen:
2025-09-17 09:46:37 UTC
File Type:
PE (Exe)
Extracted files:
23
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hzsaaunxhn7bflr4w2jj472q6hv6l6hkywb65arzlsf4ynny7wqa._file
Result
Malware family:
n/a
Score:
  9/10
Tags:
defense_evasion discovery persistence
Link:
https://tria.ge/reports/250917-p43agsztas/
Behaviour
Checks processor information in registry
Kills process with taskkill
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
System Location Discovery: System Language Discovery
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e7789bdb-82c1-47d4-8567-1fd8c3a91555
Unpacked files
SH256 hash:
3e640051b73b7e12ae3cb6929e7f50f1ebe5f8eac583ee82395c8bcc35b8fda0
MD5 hash:
c218cd8e0e13d23a41eb1117201cea7d
SHA1 hash:
32dce256a057b8db15016fcc5aeeef81f026f7ba
Link:
https://www.unpac.me/results/5ea0a09a-e5e6-44aa-8716-90b016774521/
SH256 hash:
4d5e52f84b6f364d47b843719fc0fcb809603175ca7e49dfcae782a622d20625
MD5 hash:
68059d6a1fcfb1d8be1a03fbccdd9d55
SHA1 hash:
dfc7d5ddce00ebee1b22ee66b19718771926d0c0
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/5ea0a09a-e5e6-44aa-8716-90b016774521/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3e640051b73b7e12ae3cb6929e7f50f1ebe5f8eac583ee82395c8bcc35b8fda0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CredentialFlusher

Executable exe 3e640051b73b7e12ae3cb6929e7f50f1ebe5f8eac583ee82395c8bcc35b8fda0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3622234/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/27916/

Comments