MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5819834f61295926fc68010aebbf69a42d03e168ed20808de2727c5d328daebf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 24 File information Comments

SHA256 hash: 5819834f61295926fc68010aebbf69a42d03e168ed20808de2727c5d328daebf
SHA3-384 hash: 5d8a77c0f399244004eef9c4c39d8f92aa8caff4404503c381e03f3d844494c16185ce39e296e251da4a921bf02524ce
SHA1 hash: 1c56485579fa421ec5ba1b82e7cee78164915f8e
MD5 hash: 1f67a904122c7bda5d393187f6e5dbe5
humanhash: robert-apart-island-carbon
File name:getscreen-388015028-x86.exe
Download: download sample
File size:19'059'544 bytes
First seen:2026-06-26 07:53:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2d6a37e90655d8ccf0d51fa6971900c6
ssdeep 393216:HL25b0IPKra0g9M+x8vO7VE2tZqipu5j9rqNX/zt:Eb0Fg9MB0hpujS/zt
TLSH T1B417BF21B252C07ACC4111F09D3DABBF473C6F6907B446E7A2E81D686E714D2373AA97
TrID 29.5% (.EXE) Win64 Executable (generic) (6522/11/2)
22.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon 61046962614c4e36
Reporter abuse_ch
Tags:exe upx-dec


Avatar
abuse_ch
UPX decompressed file, sourced from SHA256 59d7669d35b5ab90a327d7fdd4b2b4b51d2327432a40791643cb639320bb0500
File size (compressed) :7'284'056 bytes
File size (de-compressed) :19'059'544 bytes
Format:win32/pe
Packed file: 59d7669d35b5ab90a327d7fdd4b2b4b51d2327432a40791643cb639320bb0500

Intelligence


File Origin
# of uploads :
1
# of downloads :
175
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
_5819834f61295926fc68010aebbf69a42d03e168ed20808de2727c5d328daebf.exe
Verdict:
No threats detected
Analysis date:
2026-06-26 07:56:20 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
90.9%
Tags:
shellcode dropper remo
Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Sending a custom TCP request
Sending a UDP request
Creating a window
Searching for the window
Сreating synchronization primitives
Creating a file
Creating a service
Launching a service
Creating a process from a recently created file
Searching for synchronization primitives
Deleting a recently created file
Restart of the analyzed sample
Using the Windows Management Instrumentation requests
DNS request
Enabling autorun for a service
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug base64 crypto evasive expand fingerprint installer-heuristic keylogger lolbin microsoft_visual_cc overlay packed packed reconnaissance
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad.troj
Score:
76 / 100
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
Joe Sandbox ML detected suspicious sample
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1934090 Sample: getscreen-388015028-x86.exe Startdate: 26/06/2026 Architecture: WINDOWS Score: 76 41 px-us2.getscreen.me 2->41 43 px-us1.getscreen.me 2->43 45 10 other IPs or domains 2->45 63 Joe Sandbox ML detected suspicious sample 2->63 8 getscreen-388015028-x86.exe 100 2->8         started        13 svchost.exe 2->13         started        15 chrome.exe 2->15         started        17 12 other processes 2->17 signatures3 process4 dnsIp5 53 px-us2.getscreen.me 5.161.108.215, 3478, 40000, 40001 HETZNER-CLOUD2-ASDE United States 8->53 55 px-eu1.getscreen.me 162.55.165.163, 3478, 40000, 40001 HETZNER-ASDE Germany 8->55 59 10 other IPs or domains 8->59 39 aauwqtimrpkacgrpts...okxqqsq-elevate.exe, PE32 8->39 dropped 65 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->65 67 Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines) 8->67 69 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 8->69 73 4 other signatures 8->73 19 getscreen-388015028-x86.exe 4 4 8->19         started        21 getscreen-388015028-x86.exe 10 8->21         started        23 getscreen-388015028-x86.exe 8->23         started        25 getscreen-388015028-x86.exe 8->25         started        71 Changes security center settings (notifications, updates, antivirus, firewall) 13->71 27 MpCmdRun.exe 13->27         started        29 chrome.exe 1 15->29         started        57 127.0.0.1 unknown unknown 17->57 file6 signatures7 process8 dnsIp9 32 conhost.exe 27->32         started        61 192.168.2.4, 138, 3478, 40000 unknown unknown 29->61 34 chrome.exe 29->34         started        37 chrome.exe 29->37         started        process10 dnsIp11 47 go.getscreen.me 148.251.219.3, 443, 49720, 49721 HETZNER-ASDE Germany 34->47 49 lb.getscreen.me 49.13.208.86, 443, 49735, 49824 HETZNER-ASDE Germany 34->49 51 19 other IPs or domains 34->51
Gathering data
Threat name:
Win32.Trojan.Generic
Status:
Suspicious
First seen:
2026-06-26 07:55:47 UTC
File Type:
PE (Exe)
Extracted files:
44
AV detection:
8 of 38 (21.05%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
adware discovery persistence ransomware spyware
Behaviour
Checks SCSI registry key(s)
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
System Location Discovery: System Language Discovery
Enumerates connected drives
Executes dropped EXE
Boot or Logon Autostart Execution: Active Setup
Unpacked files
SH256 hash:
5819834f61295926fc68010aebbf69a42d03e168ed20808de2727c5d328daebf
MD5 hash:
1f67a904122c7bda5d393187f6e5dbe5
SHA1 hash:
1c56485579fa421ec5ba1b82e7cee78164915f8e
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:Check_OutputDebugStringA_iat
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Detect_all_IPv6_variants
Author:Bierchermuesli
Description:Generic IPv6 catcher
Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:Glasses
Author:Seth Hardy
Description:Glasses family
Rule name:GlassesCode
Author:Seth Hardy
Description:Glasses code features
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MAL_Trigon_Dropper
Author:jaszzz
Description:Trigon multi-stage malicious dropper - process injection, keylogging, screenshot capture
Reference:URL|trigon
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Rule name:RANSOMWARE
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Sus_All_Windows_PE_Malware
Author:DiegoAnalytics
Description:Detects Windows PE malware of all types, avoids non-executables like .html
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Author:vietdx.mb
Rule name:test_Malaysia
Author:rectifyq
Description:Detects file containing malaysia string
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Executable exe 5819834f61295926fc68010aebbf69a42d03e168ed20808de2727c5d328daebf

(this sample)

Comments