MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 415a4f39dd93c2ad5fd02023489352b974a9a917664240299ca4c35ca9a5a362. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GlassWorm


Vendor detections: 4



SHA256 hash: 415a4f39dd93c2ad5fd02023489352b974a9a917664240299ca4c35ca9a5a362
SHA3-384 hash: cbd7e0b1ada8d917392cf93d017e640f02e12907185b8103a2c1c60695ba0cb05c56cc2147476d215430571d2fc6cccd
SHA1 hash: 6d557f4f8115221395e5e20fc4facf9cf43b89cb
MD5 hash: acdc4f9ea8b7e4f23671d7898fca841c
humanhash: four-romeo-cup-jig
File name: wave3_f_ex86_decrypted.node
Signature: GlassWorm
File size: 1'815'552 bytes
First seen: 2026-03-16 13:14:31 UTC
Last seen: Never
File type: dll
MIME type: application/x-dosexec
imphash: 443197698c60615f7de280c35301f334 (2 x GlassWorm)
ssdeep: 24576:f1n5zZGFaPhUUAPnkl/7YGsQJJ7jVrn4mLy743e0GAQcGfxh+Z0+pyuVvMI3rVYk:J+a5UYhf5y7/OGf1ivv9PisV
TLSH: T1DB858E83FE4254E2EACA01F410AB57B91D361207972489E7E2D06DB899326D37E3F74D
TrID:
50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.5% (.EXE) Win64 Executable (generic) (6522/11/2)
8.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
Reporter: tipo_deincognito
Tags: dll glassworm neon Recon Rust vscode


tipo_deincognito
GlassWorm Wave 3 npm archive: decrypted f_ex86.node — Rust/neon N-API DLL. Reads VS Code and Cursor IDE workspace history via SQLite to enumerate developer projects.

Intelligence


File Origin
# of uploads: 1
# of downloads: 143
Origin country: ES
Vendor Threat Intelligence
No detections
Result
Verdict: Clean
Maliciousness: Gathering data
Verdict: Malicious
File Type: dll x32
First seen: 2025-10-20T07:20:00Z UTC
Last seen: 2025-10-22T10:07:00Z UTC
Hits: ~10
Detections: UDS:DangerousObject.Multi.Generic Trojan.Win32.Agentb.tqfk
Verdict: inconclusive
YARA: 5 match(es)
Tags: Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86
Result
Malware family: n/a
Score: 3/10
Tags: discovery
Behaviour
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Unpacked files
SHA256 hash: 415a4f39dd93c2ad5fd02023489352b974a9a917664240299ca4c35ca9a5a362
MD5 hash: acdc4f9ea8b7e4f23671d7898fca841c
SHA1 hash: 6d557f4f8115221395e5e20fc4facf9cf43b89cb
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Check_OutputDebugStringA_iat

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: pe_detect_tls_callbacks

Rule name: ProgramLanguage_Rust
Author: albertzsigovits
Description: Application written in Rust programming language

Rule name: VECT_Ransomware
Author: Mustafa Bakhit
Description: Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GlassWorm: dll 415a4f39dd93c2ad5fd02023489352b974a9a917664240299ca4c35ca9a5a362 (this sample)

Delivery method: Distributed via web download

Comments