MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5310cbf5067a34b198535c5245be1a08296ce9525ce7748fa9ffc91f246fe9db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 15

Intelligence 15 IOCs YARA 3 File information Comments

SHA256 hash:	5310cbf5067a34b198535c5245be1a08296ce9525ce7748fa9ffc91f246fe9db
SHA3-384 hash:	09620b76c9d63ee1e94f3acdbd3f7f3bdfb87ed42cd6d5cedbdbcc3e8ff67c4daae5d730a260d0d02b7784d81573b3d4
SHA1 hash:	f43ec410286e33c8244686df8e3703f7f5006883
MD5 hash:	11ee6a0fdaa5e3097831fb124076fecb
humanhash:	mars-connecticut-sad-wolfram
File name:	vrc.exe
Download:	download sample
File size:	1'161'728 bytes
First seen:	2025-11-05 13:28:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	24576:Lk1b+W4ROsT5Z5iUPvhBYcjVob9J/hoEvE9eYfci4Y394YTi9BZ:494ROY56UPvHTjiRDzYki/H
Threatray	549 similar samples on MalwareBazaar
TLSH	T12C3523952928D212E2E59BF11DA3DB3903BC6C6DD2E4E66B4DFC9FDB38117229900353
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10522/11/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
Reporter	JAMESWT_WT
Tags:	185-149-24-201 62-60-239-118 exe Spam-ITA

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

vrc.exe

Verdict:

Malicious activity

Analysis date:

2025-11-05 13:37:19 UTC

Tags:

stealer purecrypter exfiltration purelogs purehvnc netreactor

Link:

https://app.any.run/tasks/2f659818-afe3-41ed-8594-628fb820dcf4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/35512/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=690b5141ea0f3e915c2322df

Tags:

virus krypt msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Searching for synchronization primitives

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Connection attempt

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/690b5137393eed3f38e482ba/reports/d2ce9647-001d-45a1-96b3-08c8cac9851f/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/5310cbf5067a34b198535c5245be1a08296ce9525ce7748fa9ffc91f246fe9db

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-11-05T08:58:00Z UTC

Last seen:

2025-11-05T09:47:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/5310cbf5067a34b198535c5245be1a08296ce9525ce7748fa9ffc91f246fe9db/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/8e33439d-4b04-46d9-a19b-e2918791a9ca

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/5310cbf5067a34b198535c5245be1a08296ce9525ce7748fa9ffc91f246fe9db

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.22 Win 32 Exe x86

Link:

https://app.malva.re/file/11ee6a0fdaa5e3097831fb124076fecb

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5310cbf5067a34b198535c5245be1a08296ce9525ce7748fa9ffc91f246fe9db/

Verdict:

Malicious

Threat:

Backdoor.MSIL.XWorm

Link:

https://tip.neiki.dev/file/5310cbf5067a34b198535c5245be1a08296ce9525ce7748fa9ffc91f246fe9db

Threat name:

ByteCode-MSIL.Backdoor.FormBook

Status:

Malicious

First seen:

2025-11-05 13:29:33 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kmimx5igpi2ldgctlrjelpq2bauwz2kslttxjd5j77er6jdp5hnq._file

Verdict:

malicious

Label(s):

unc_loader_037

purecrypter

katzstealer

054e3c0da63e2eed91ab3e0dc24350df990263e90095503f89bd3f79033d3052

5310cbf5067a34b198535c5245be1a08296ce9525ce7748fa9ffc91f246fe9db

58ce063b0d0fd247f0bd4386bcd11523c72d5d9845157ef6c9b9f206ca16cd7b

e052254bf3dff4bf2c660afd72a517520b410bb3ede43bc1d4e8ee2224b39e9e

e32106acd96a999a03b99006e21555b4829b2067fec0d00cd17e4235e631b621

ecb52ac571074c4c501344241912a964ab30356a3883ca2c1db3b3b6914399a6

error

+ 539 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

collection discovery spyware stealer

Link:

https://tria.ge/reports/251105-qrg98aen2s/

Behaviour

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Browser Information Discovery

System Location Discovery: System Language Discovery

Drops file in Windows directory

SmartAssembly .NET packer

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads WinSCP keys stored on the system

Reads user/profile data of web browsers

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/054ed8ff-e9dd-4d65-b0d6-19e143a1f376

Unpacked files

SH256 hash:

5310cbf5067a34b198535c5245be1a08296ce9525ce7748fa9ffc91f246fe9db

MD5 hash:

11ee6a0fdaa5e3097831fb124076fecb

SHA1 hash:

f43ec410286e33c8244686df8e3703f7f5006883

Link:

https://www.unpac.me/results/79ce5645-8f64-4182-9141-aa875a1dd1c4/

SH256 hash:

befd8103b006439acc5353812300c047edea2cae77dc5fd0b8ff68de35ffedfe

MD5 hash:

cce6de83a1611c9f3bd7995d0c4cf820

SHA1 hash:

893691e6bb3da26f37b3ef20baeabe5bec2d0874

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/79ce5645-8f64-4182-9141-aa875a1dd1c4/

SH256 hash:

a95a91150aab45521773a440d5fd62aaba10efd33eb60fa9425606d37e13cfe2

MD5 hash:

ed8cb550a3084266fc55e404bacd92f4

SHA1 hash:

893bdab12b43b8e95ff1baccd33c18fa6e0f5093

Link:

https://www.unpac.me/results/79ce5645-8f64-4182-9141-aa875a1dd1c4/

SH256 hash:

bc2927f389e140b629c71d7cf20bec7897660d55a4ede2bee416bc7a3e90646f

MD5 hash:

52dc0590d461e02f5148961b29ac16e5

SHA1 hash:

951a795bbf23f6750db87dc657eb724e51e70f58

Detections:

INDICATOR_EXE_Packed_SmartAssembly

Link:

https://www.unpac.me/results/79ce5645-8f64-4182-9141-aa875a1dd1c4/

Parent samples :

ecb52ac571074c4c501344241912a964ab30356a3883ca2c1db3b3b6914399a6
5310cbf5067a34b198535c5245be1a08296ce9525ce7748fa9ffc91f246fe9db
86bab321000ab08a9bc5c2eb689c46f779fe62763a0a3fb44b3b79dc958b203d
2675cf7ad014da2525a0fd9ac10362a6b5f8ce33375d0225d299ed2342e196e0
d41a54ee9f6f0de81009d98955fdd03cc7458ef3089bd4d21f8a1fc167f72928
8565683618c7ee771b85070d5694bc041ec25aa7086ce04a44135a81493e3970
d7911c750b95eda25760d99dbc911f231f831492be7f55ee2620c25e85d01dee
4dd4dc6e537cd6431e9f5b84a99a81349e2aa2816dc2c95db9590ee958acd05d
9d020d9aa66b2f0f5ed13065b7d9a8413e8834fc77d78572f4e280965758ae42
45f1f0c4c76cee479f0bb2966f4d9c157e344f9749cdfeb5e4b396aa3285c18d
b2b9e06249eca4b3378f0fcc6b2dbf3fe279f8d2e803f053a406c1de4145623d
6c09b777df1a95bac8b74f67909ea7a24dd048d58847003546ccef328f72aff6
ef2ef9c4bbc252a65d09f98c7dfe0c89a004bf4df3ccc3dcf65230cfcadf580f
218828c21b545913e8527389ce353dadb66e463c9e2e2c9c98d637153bd86db4
628a3c3cbfd3a17bb69a617224e33d239729ced5665091578bf96cde788155c3
d96541e0ccbe6b139e9cc92a198fbe5e759e37369ad0fa0233828afefe8cdd34

SH256 hash:

8a707e0decb5d194041e8f273b07ee25b5df0c0597c39b62771d82497d9af40d

MD5 hash:

14b72a0f73c1fec9ebad49c71d267222

SHA1 hash:

aa1f20fe346b7b5d77b140b4a2594c8b15d8b442

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/79ce5645-8f64-4182-9141-aa875a1dd1c4/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5310cbf5067a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

zgRAT

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5310cbf5067a34b198535c5245be1a08296ce9525ce7748fa9ffc91f246fe9db

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/35512/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample