MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c99d520759ef772681cddf4a9b83a6f12c11b491715eacd1174a1cff4e40071. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5c99d520759ef772681cddf4a9b83a6f12c11b491715eacd1174a1cff4e40071
SHA3-384 hash: db0d7366772ac1fb591a7ff728f497635de735b2373b586752f6be081916965d5e1b26973737c5571bf23012ab523a9e
SHA1 hash: 4971b2bd205c611134f52e9a66a318fa5a93f1da
MD5 hash: 1cd705ce502e4c50a1ddd4faddb84f23
humanhash: hot-bluebird-one-jig
File name:CrimsonLoader.exe
Download: download sample
File size:92'165'632 bytes
First seen:2025-12-17 18:49:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9bf3f5698d1c8e5d8bbe8d194ac5d544
ssdeep 786432:5pNzhI+nsVt6mHaIvAN6v+s4pgPVlcmg:5DNI+nsPcN6v+A
TLSH T10B187D13B3A704D5E8F7DA7496E65223A932BC062F3085DF324C47261F73AE05A76B61
TrID 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter burger
Tags:exe stealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
2'970
Origin country :
DE DE
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/d3b02db6-08f4-4fbb-b599-b1a69d3c1e75/
Malware family:
n/a
ID:
1
File name:
CrimsonLoader.exe
Verdict:
Suspicious activity
Analysis date:
2025-12-17 18:48:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/448cd644-1230-4aba-b764-a87dccbe8d86

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6942fb83c97f4a807a3b9390
Tags:
shell virus sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Restart of the analyzed sample
Creating a process with a hidden window
Launching a process
Creating a file
Creating a file in the %temp% directory
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
DNS request
Connection attempt to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug crypto fingerprint microsoft_visual_cc
Link:
https://www.filescan.io/uploads/6942fb71e126b9ff438574fd/reports/c96fd7d4-9a30-4282-ba6b-1f554f149467/overview
Verdict:
Malicious
Labled as:
Trojan.Win64.GenPSW
Link:
https://www.hybrid-analysis.com/sample/5c99d520759ef772681cddf4a9b83a6f12c11b491715eacd1174a1cff4e40071
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-12-17T15:56:00Z UTC
Last seen:
2025-12-17T16:46:00Z UTC
Hits:
~1000
Detections:
UDS:DangerousObject.Multi.Generic
Link:
https://opentip.kaspersky.com/5c99d520759ef772681cddf4a9b83a6f12c11b491715eacd1174a1cff4e40071/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1835164
Signature
Sigma detected: Potential WinAPI Calls Via CommandLine
Suspicious powershell command line found
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1835164 Sample: CrimsonLoader.exe Startdate: 17/12/2025 Architecture: WINDOWS Score: 48 22 Sigma detected: Potential WinAPI Calls Via CommandLine 2->22 8 CrimsonLoader.exe 1 2->8         started        process3 signatures4 24 Suspicious powershell command line found 8->24 11 CrimsonLoader.exe 1 8->11         started        14 conhost.exe 8->14         started        process5 signatures6 26 Suspicious powershell command line found 11->26 16 tasklist.exe 1 11->16         started        18 powershell.exe 4 11->18         started        process7 process8 20 conhost.exe 16->20         started       
Score:
0%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/5c99d520759ef772681cddf4a9b83a6f12c11b491715eacd1174a1cff4e40071
Gathering data
Verdict:
Malicious
Threat:
AuxiliaryAnalysis.Malware.Generic
Link:
https://tip.neiki.dev/file/5c99d520759ef772681cddf4a9b83a6f12c11b491715eacd1174a1cff4e40071
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-12-17 18:48:56 UTC
File Type:
PE+ (Exe)
Extracted files:
11
AV detection:
7 of 24 (29.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lsm5kidvt33xe2a43x2ktob2n4jmcg2jc4k6vtirosq475heabyq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution
Link:
https://tria.ge/reports/251217-xg45kadx2e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates processes with tasklist
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4bb98f73-14fe-40b6-9362-20ed8f2a418f
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments