MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f43805e7984de9622fdd68f77a4cc7e6b131dd0184c0e940ba5c09ca498c537. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4f43805e7984de9622fdd68f77a4cc7e6b131dd0184c0e940ba5c09ca498c537
SHA3-384 hash: 0d75c4e24a4208ba5562816419503bdc11ac6bd353da9d2324d9190013ce453141fa9515f18973bbd8a15b2a6e1e5e3d
SHA1 hash: ddb81d3970b2d63fb0355f35f20ee5264640d85c
MD5 hash: af37d9406d134752f51882b6322d4a44
humanhash: island-uniform-lithium-eighteen
File name:4f43805e7984de9622fdd68f77a4cc7e6b131dd0184c0e940ba5c09ca498c537
Download: download sample
File size:5'769'392 bytes
First seen:2025-08-12 15:01:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 172750858dcc0719eed08c952858023c (117 x RedLineStealer, 3 x N-W0rm, 1 x AsyncRAT)
ssdeep 98304:Bbf7qj89BUQEBJMkjQZhQnrcCkudsDMlo0w9lXSoxc8GgZ6VjYjOA7n0:BbfY8nUjVnrcfudRoPlrxr6VjY
TLSH T150462363636A1456E0E9C9398A33BD5231F71F698F426C3D50BBB8D026376E1B153E23
TrID 28.5% (.EXE) Win64 Executable (generic) (10522/11/4)
17.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
13.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.2% (.EXE) Win32 Executable (generic) (4504/4/1)
5.6% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
dhash icon f8dc888898a898b8 (4 x njrat, 4 x AgentTesla, 2 x AsyncRAT)
Reporter adrian__luca
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
30
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4f43805e7984de9622fdd68f77a4cc7e6b131dd0184c0e940ba5c09ca498c537
Verdict:
Suspicious activity
Analysis date:
2025-08-07 14:03:57 UTC
Tags:
netreactor
Link:
https://app.any.run/tasks/16570d1f-3275-4b60-a8aa-9ae7a6a52e83

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/20918/
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=689b5c53fca70bd90e8f20fa
Tags:
virus xworm msil
Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/4f43805e7984de9622fdd68f77a4cc7e6b131dd0184c0e940ba5c09ca498c537
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/a87e8250-f57b-4c9d-8056-d4b3613a5aba
Score:
91%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4f43805e7984de9622fdd68f77a4cc7e6b131dd0184c0e940ba5c09ca498c537
Gathering data
Gathering data
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-08-03 19:57:09 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j5byaxtzqtpjmix522hxpjgmpzvrghoqdbga5faluxajzjeyyu3q._file
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/250812-vxztnstjv2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0f871cc2-3d81-4bc8-9e7e-121da62a25fc
Unpacked files
SH256 hash:
e2e393767e2713c2619e22360af7d22fcdff167d3f9ca309fcfbfa1f52708644
MD5 hash:
0cb416468d062077330e2da6c75f3864
SHA1 hash:
6497b6d1af9dd2dc12333fdbbf7f2cdd6ef172c7
Link:
https://www.unpac.me/results/44cb5fa1-a9d3-4738-9a45-956e8ab1a834/
SH256 hash:
0fe5576c0b61ad0a71fae8d316556a212e86337508c5fcde45abb3ebbd0c92a5
MD5 hash:
98f3f4aa31c7915416983bb8dc2ef52a
SHA1 hash:
40661178d30aee346be14bbd000d818cce32ef02
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/44cb5fa1-a9d3-4738-9a45-956e8ab1a834/
SH256 hash:
ae6d0e340bbeb6735364c29a425d64677b0ac7aabc61faeff141910ef35a1e16
MD5 hash:
c57eec57792e812a775d6fcd76d11f4a
SHA1 hash:
c79d38763fe5797066dd130225ee9c8add79fafe
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/44cb5fa1-a9d3-4738-9a45-956e8ab1a834/
SH256 hash:
4f43805e7984de9622fdd68f77a4cc7e6b131dd0184c0e940ba5c09ca498c537
MD5 hash:
af37d9406d134752f51882b6322d4a44
SHA1 hash:
ddb81d3970b2d63fb0355f35f20ee5264640d85c
Link:
https://www.unpac.me/results/44cb5fa1-a9d3-4738-9a45-956e8ab1a834/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/4f43805e7984de9622fdd68f77a4cc7e6b131dd0184c0e940ba5c09ca498c537

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/20918/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA

Comments