MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ee58d03bd0ac26502ff11c7160cd45fbd99cca2ea3ee847f0b3b616c98bc738. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ee58d03bd0ac26502ff11c7160cd45fbd99cca2ea3ee847f0b3b616c98bc738
SHA3-384 hash: 59bf80ef8f8a6e0b583ce0fefef9ea8b9db49a0289aa6429daff17e46e8a79fc7cf42e712b8abf1030843540e2acc967
SHA1 hash: bfed84af0e0120ee9bbc7bc26436a0d8bc53dd41
MD5 hash: a950a420680f5264c8907010e46de009
humanhash: finch-robert-delaware-hot
File name:maffia.ProcHollow.dll
Download: download sample
File size:38'400 bytes
First seen:2026-02-16 19:20:39 UTC
Last seen:2026-02-16 20:22:52 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 60 x CobaltStrike, 44 x JanelaRAT)
ssdeep 384:K4arht4aavAz/CXXfCYgVauawVRt22IIl+UXFDR5q2CBG2orH2b4NzfkRyUK5RM3:+5J6CYWaU+IlF1F5q2CB6H2k5Rv2foM
TLSH T1EC03F716B79B966CC92B5E3FC8A665440271FB8C5E33D61F314E13796D13BAF8A90302
TrID 88.5% (.DLL) Generic .NET DLL/Assembly (236632/4/32)
2.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
2.4% (.EXE) Win64 Executable (generic) (6522/11/2)
1.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.6% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter R4ruk
Tags:dll PhantomStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
126
Origin country :
AL AL
Vendor Threat Intelligence
Malware configuration found for:
NETReactor
Details
Link:
https://research.acce.ciphertechsolutions.com/results/ab518f35-685d-47f1-b80d-3915d89a8eac/
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/53444/
Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69936e2e0d0369ff9979f9d1
Tags:
virus micro
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
krypt net_reactor obfuscated obfuscated packed reconnaissance zusy
Link:
https://www.filescan.io/uploads/69936e2c981ff1d38a57eacd/reports/cc265eb6-a3a9-494c-bb70-061b2038f763/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/3ee58d03bd0ac26502ff11c7160cd45fbd99cca2ea3ee847f0b3b616c98bc738
Verdict:
Malicious
File Type:
executable.pe.32.dll
First seen:
2026-01-13T01:37:00Z UTC
Last seen:
2026-01-17T19:51:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.MSIL.Agent.gen
Link:
https://opentip.kaspersky.com/3ee58d03bd0ac26502ff11c7160cd45fbd99cca2ea3ee847f0b3b616c98bc738/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/52ef1fa4-177f-4ea9-aba5-792c6439e412
Score:
54%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/3ee58d03bd0ac26502ff11c7160cd45fbd99cca2ea3ee847f0b3b616c98bc738
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.96 Win 32 Exe x86
Link:
https://app.malva.re/file/a950a420680f5264c8907010e46de009
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3ee58d03bd0ac26502ff11c7160cd45fbd99cca2ea3ee847f0b3b616c98bc738/
Verdict:
Malicious
Threat:
Trojan.MSIL.Agent
Link:
https://tip.neiki.dev/file/3ee58d03bd0ac26502ff11c7160cd45fbd99cca2ea3ee847f0b3b616c98bc738
Threat name:
Win32.Infostealer.Tinba
Create hunting rule
Status:
Malicious
First seen:
2026-01-13 06:21:25 UTC
File Type:
PE (.Net Dll)
Extracted files:
3
AV detection:
14 of 36 (38.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h3sy2a55blbgkax7chdrmdgul66zttfc5i7oqr7qwo3bnsmly44a._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/260216-x2r1qscy7e/
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Unpacked files
SH256 hash:
3ee58d03bd0ac26502ff11c7160cd45fbd99cca2ea3ee847f0b3b616c98bc738
MD5 hash:
a950a420680f5264c8907010e46de009
SHA1 hash:
bfed84af0e0120ee9bbc7bc26436a0d8bc53dd41
Link:
https://www.unpac.me/results/eb31a8f5-c5b2-4dec-b8a6-e6439746f715/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.56
Link:
https://yomi.yoroi.company/submissions/3ee58d03bd0ac26502ff11c7160cd45fbd99cca2ea3ee847f0b3b616c98bc738

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:extracted_at_0x44b
Create hunting rule
Author:cb
Description:sample - file extracted_at_0x44b.exe
Reference:Internal Research
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETDLLMicrosoft
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PhantomStealer

PowerShell (PS) ps1 a4f76092ea71e5b746ad33d7264bc2b649780a53c7c5b593079b27e4d3e0966c

DLL dll 3ee58d03bd0ac26502ff11c7160cd45fbd99cca2ea3ee847f0b3b616c98bc738

(this sample)

  
Dropped by
SHA256 a4f76092ea71e5b746ad33d7264bc2b649780a53c7c5b593079b27e4d3e0966c
  
Delivery method
Other
  
Dropped by
MD5 99ee0035125226bb78c7636f582af1d3
  
URLhaus
https://urlhaus.abuse.ch/url/3759045/
Cape
Cape
https://www.capesandbox.com/analysis/53444/

Comments