MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 562cfdeae9adc7a27558e5e0a2b1e2a3d8cecf55e1e07ae1224634c2fea86fdd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 562cfdeae9adc7a27558e5e0a2b1e2a3d8cecf55e1e07ae1224634c2fea86fdd
SHA3-384 hash: f0ee16c7a0e260f99b32736561371cf3e85dc834161756cdb5b2a6cd12352cb6ddf074461d0e912380aacad1d247a09a
SHA1 hash: e1a586554b42a4d302d86af4162815895e21bddb
MD5 hash: 657a981677aed48db7404686e0b2ffb7
humanhash: four-lion-black-lamp
File name:ezfn luncher.exe
Download: download sample
File size:103'014'194 bytes
First seen:2026-04-24 12:19:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 88016fcdef7f227c62171d0afad9aae4 (8 x OffLoader, 8 x ValleyRAT, 3 x Gh0stRAT)
ssdeep 1572864:yrZjC0CF8ztTjkSM1W5wnSLK8Rbz4LOte0I6T2KedYEtZmv/U0bDZqFgT1RzmL5t:C1CsaSQW5wr8RbzwLafEpg/U0bRqLx
Threatray 512 similar samples on MalwareBazaar
TLSH T12238337FF38F723AE42A5A3672B2A24580372A25C5021C5B96ECF48CDB257311D3D796
TrID 50.8% (.EXE) Inno Setup installer (107240/4/30)
20.4% (.EXE) InstallShield setup (43053/19/16)
19.7% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
3.0% (.EXE) Win64 Executable (generic) (6522/11/2)
2.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 5050d270cccc82ae (112 x Adware.Generic, 73 x OffLoader, 43 x LummaStealer)
Reporter burger
Tags:exe VexxStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
150
Origin country :
DE DE
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/57571c22-ef71-48a2-a1cf-e2d6ba8f8436/
Malware family:
n/a
ID:
1
File name:
ezfnluncher.exe
Verdict:
Malicious activity
Analysis date:
2026-04-24 12:18:48 UTC
Tags:
delphi inno installer stealer vexxstealer arch-doc evasion anti-evasion discord
Link:
https://app.any.run/tasks/62154a8a-d9e6-4f72-8822-9469fb269eac

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69eb5f6b4aed15d0792fd9e0
Tags:
shellcode dropper delphi blic
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug embarcadero_delphi fingerprint inno installer installer installer-heuristic packed soft-404
Link:
https://www.filescan.io/uploads/69eb603b4cc9288c910a7c1e/reports/ead601ab-3917-430a-8ca8-1dc8a0423939/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/562cfdeae9adc7a27558e5e0a2b1e2a3d8cecf55e1e07ae1224634c2fea86fdd
Verdict:
Clean
File Type:
exe x32
Link:
https://opentip.kaspersky.com/562cfdeae9adc7a27558e5e0a2b1e2a3d8cecf55e1e07ae1224634c2fea86fdd/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1903937
Signature
Drops large PE files
Encrypted powershell cmdline option found
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies the windows firewall
Obfuscated command line found
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive system registry key value via command line tool
Sigma detected: Capture Wi-Fi password
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Unusual module load detection (module proxying)
Uses cmd line tools excessively to alter registry or file data
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Uses WMIC command to query system information (often done to detect virtual machines)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1903937 Sample: ezfn luncher.exe Startdate: 24/04/2026 Architecture: WINDOWS Score: 64 69 www.python.org 2->69 71 ipwho.is 2->71 73 6 other IPs or domains 2->73 91 Sigma detected: Capture Wi-Fi password 2->91 93 Sigma detected: Suspicious PowerShell Encoded Command Patterns 2->93 95 Joe Sandbox ML detected suspicious sample 2->95 97 2 other signatures 2->97 9 msiexec.exe 249 234 2->9         started        13 ezfn luncher.exe 2 2->13         started        signatures3 process4 file5 59 C:\Users\user\AppData\...\ezfnskin.exe.exe, PE32+ 9->59 dropped 61 C:\Users\user\AppData\Local\...\vulkan-1.dll, PE32+ 9->61 dropped 63 C:\Users\user\AppData\...\vk_swiftshader.dll, PE32+ 9->63 dropped 67 8 other files (none is malicious) 9->67 dropped 117 Drops large PE files 9->117 15 ezfnskin.exe.exe 7 9->15         started        65 C:\Users\user\AppData\...\ezfn luncher.tmp, PE32 13->65 dropped 19 ezfn luncher.tmp 20 11 13->19         started        signatures6 process7 dnsIp8 75 ip-api.com 208.95.112.1, 49732, 80 TUT-ASUS United States 15->75 77 dualstack.python.map.fastly.net 151.101.0.223, 443, 49759 FASTLYUS United States 15->77 79 4 other IPs or domains 15->79 83 Suspicious powershell command line found 15->83 85 Obfuscated command line found 15->85 87 Tries to harvest and steal browser information (history, passwords, etc) 15->87 89 4 other signatures 15->89 22 cmd.exe 15->22         started        25 cmd.exe 15->25         started        27 cmd.exe 15->27         started        31 90 other processes 15->31 53 C:\Windows\unins000.exe (copy), PE32 19->53 dropped 55 C:\Windows\is-WNW25XAP9D.tmp, PE32 19->55 dropped 57 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 19->57 dropped 29 msiexec.exe 14 19->29         started        file9 signatures10 process11 dnsIp12 99 Uses cmd line tools excessively to alter registry or file data 22->99 101 Encrypted powershell cmdline option found 22->101 103 Uses netsh to modify the Windows network and firewall settings 22->103 111 3 other signatures 22->111 34 conhost.exe 22->34         started        36 chcp.com 22->36         started        38 powershell.exe 25->38         started        41 conhost.exe 25->41         started        105 Tries to harvest and steal WLAN passwords 27->105 43 conhost.exe 27->43         started        45 netsh.exe 27->45         started        81 chrome.cloudflare-dns.com 172.64.41.3, 443, 49729 CLOUDFLARENETUS United States 31->81 107 Uses WMIC command to query system information (often done to detect virtual machines) 31->107 109 Loading BitLocker PowerShell Module 31->109 47 powershell.exe 31->47         started        49 powershell.exe 31->49         started        51 99 other processes 31->51 signatures13 process14 signatures15 113 Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes) 38->113 115 Loading BitLocker PowerShell Module 38->115
Score:
11%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/562cfdeae9adc7a27558e5e0a2b1e2a3d8cecf55e1e07ae1224634c2fea86fdd
Gathering data
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/562cfdeae9adc7a27558e5e0a2b1e2a3d8cecf55e1e07ae1224634c2fea86fdd
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kywp32xjvxd2e5ky4xqkfmpcupmm5t2v4hqhvyjciy2mf7vin7oq._file
Verdict:
malicious
Label(s):
novablight
Create hunting rule
shellcode_loader_008
Create hunting rule
Similar samples:
555f42c53dfd9c633f242ef3baca797365c2daee9af2475db2171d6fc2cd2b57
562cfdeae9adc7a27558e5e0a2b1e2a3d8cecf55e1e07ae1224634c2fea86fdd
6968840ce1b13d50d13f7f0320a2e5d66bfd97073f325231edc58ec85e694b6b
7c4dcfb61f7192b5168fe51bd03edd4d64728d2cf4a5fbb153ec67c9425a97ea
8994d6ba13561a3fca2fca333213a65b7173103c646416508b6755d500ad52e1
96ad97bd3816ebd44d00a42a667b31dec54fce719d07c6bcad5625d1791f887c
b0d8888f52eb7652d792a3baef6e73445c9ee234359e14ded43054a3c3e425b0
cdd5b658271b5319df355aba7fbf4d19ec13e185cbb5d6b189e2fc87309cd88f
d418420aa4accfb887be12a22b277a1ea14a74bbb074debd1dc2cd341117ec1a
error
+ 502 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion discovery execution installer persistence privilege_escalation ransomware spyware stealer
Link:
https://tria.ge/reports/260424-pjenpahw8z/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Gathers network information
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Inno Setup is an open-source installation builder for Windows applications.
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Drops file in Program Files directory
Drops file in Windows directory
Hide Artifacts: Ignore Process Interrupts
Launches sc.exe
Enumerates processes with tasklist
Adds Run key to start application
Badlisted process makes network request
Checks installed software on the system
Contacts third-party web service commonly abused for C2
Drops desktop.ini file(s)
Enumerates connected drives
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Modifies Windows Firewall
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments