MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e0bc6b4ca402ad64e3abc117db20e85e1c14daca8bbad08b244e1fb8dd0511f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 12

SHA256 hash: 4e0bc6b4ca402ad64e3abc117db20e85e1c14daca8bbad08b244e1fb8dd0511f
SHA3-384 hash: 02562b5d932e16889fca8bca67e0c8b63095397d393ff8e9e0ee10aaaab16b252172a7bfd737a676403de2189f2a5cc1
SHA1 hash: f70a2dae4601e2c7a5ba8fc208165c80617f0cdd
MD5 hash: 2f43f7899acab657414e9b42e57dd1eb
humanhash: failed-nitrogen-lemon-zulu
File name: CrimsonLoader.exe
File size: 90'432'512 bytes
First seen: 2025-12-23 15:51:26 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9bf3f5698d1c8e5d8bbe8d194ac5d544
ssdeep: 786432:4AZqtFi3zQzwBs6vNtcZY5Dfw3pgPVlcmXW:4AZui3zQz2jOZKft
TLSH: T129187D03B3A705D5E8F7DA3196E65223A932BC066F3085DF324C17262F73AE05A76B51
TrID:
  63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
  12.2% (.EXE) OS/2 Executable (generic) (2029/13)
  12.0% (.EXE) Generic Win/DOS Executable (2002/3)
  12.0% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: burger
Tags: exe stealer

Intelligence

File Origin
Number of uploads: 1
Number of downloads: 826
Origin country: NL
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: CrimsonLoader.exe
Verdict: Suspicious activity
Analysis date: 2025-12-23 15:50:37 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 92.5%
Tags: shell virus sage

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug crypto fingerprint microsoft_visual_cc

Verdict: Malicious
Labeled as: JS_Packed_Agent_AGen_A_suspicious
Verdict: Malicious
File Type: exe x64
First seen: 2025-12-22T19:42:00Z UTC
Last seen: 2025-12-24T03:01:00Z UTC
Hits: ~1000
Detections: Trojan-PSW.Win64.Stealer.sb, Trojan.Win32.Inject.sb, Trojan.Win32.Inject.aqvso, BSS:Trojan.Win32.Generic, RiskTool.BitCoinMiner.TCP.C&C

Result
Threat name: n/a
Detection: malicious
Classification: n/a
Score: 60 / 100

Signature
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Sigma detected: Potential WinAPI Calls Via CommandLine
Suspicious powershell command line found
Behaviour
Behavior Graph (ID 1838299; sample CrimsonLoader.exe; start date 23/12/2025; architecture WINDOWS; score 60). The graph image is flattened in this copy; the process tree and attached signatures recoverable from it:
  CrimsonLoader.exe (Suspicious powershell command line found)
    CrimsonLoader.exe (Suspicious powershell command line found)
      tasklist.exe
        conhost.exe
      powershell.exe
    conhost.exe
  svchost.exe
    127.0.0.1 (unknown unknown)
Sample-level signatures: Multi AV Scanner detection for submitted file; Joe Sandbox ML detected suspicious sample; Sigma detected: Potential WinAPI Calls Via CommandLine.
Threat name: Win64.Trojan.Generic
Status: Suspicious
First seen: 2025-12-23 01:08:29 UTC
File Type: PE+ (Exe)
Extracted files: 11
AV detection: 9 of 24 (37.50%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: discovery execution

Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates processes with tasklist
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments