MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 62fb046372d16c11c57747723db6645ca6686cc5faed03335c04d98a5db78a84. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Grandoreiro


Vendor detections: 12


Intelligence 12 IOCs YARA 21 File information Comments

SHA256 hash: 62fb046372d16c11c57747723db6645ca6686cc5faed03335c04d98a5db78a84
SHA3-384 hash: 2487e362cc543ea3182e273710007398d3959b22dc1126f7ca31b700de4500c04fab3ede3fc430cca5d380e7b9f385e6
SHA1 hash: 759c118f2456a69f0a6a7102cd14fa5dc2d356d3
MD5 hash: a944b8bcfc156f0ad6b52a8553b5fa09
humanhash: cardinal-don-equal-violet
File name:RMMClient.exe
Download: download sample
Signature Grandoreiro
File size:6'085'632 bytes
First seen:2026-06-12 17:56:32 UTC
Last seen:2026-06-16 10:36:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0a8c4a4f37cf3c0ef08dbab272fca40c (1 x Grandoreiro)
ssdeep 49152:eWJsZT9OMhuSgA8er7lWzHLrMsgMlv+XPs9F2Ml6c6Z2IhEjGWNVFPN8S:xJsx9Oq0XrMElmfs9FzP02pFiS
TLSH T1D6567D13B7C4643AD4A71A3B8C3B9648683FBA612E15CC4B7BF40A4C1F396816D36B57
TrID 63.8% (.EXE) Inno Setup installer (107240/4/30)
24.7% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
3.8% (.EXE) Win64 Executable (generic) (6522/11/2)
2.6% (.EXE) Win32 Executable (generic) (4504/4/1)
1.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter johnk3r
Tags:11032026sver-blob-core-windows-net 190-102-42-108--65000 31-97-173-195 banker exe Grandoreiro oamorprevalece-com rmm

Intelligence


File Origin
# of uploads :
2
# of downloads :
189
Origin country :
BR BR
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
Doc-0910019.zip
Verdict:
Malicious activity
Analysis date:
2026-06-12 14:09:43 UTC
Tags:
arch-exec susp-lnk ip-check evasion websocket delphi

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
94.9%
Tags:
dropper delphi spawn hype
Result
Verdict:
Clean
Maliciousness:

Behaviour
Connection attempt
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file
DNS request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug apt embarcadero_delphi fingerprint keylogger packed reconnaissance
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-06-11T19:22:00Z UTC
Last seen:
2026-06-12T23:55:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.Win32.Generic HEUR:Trojan-Banker.Win32.BestaFera.gen
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj
Score:
56 / 100
Signature
Multi AV Scanner detection for submitted file
Queries Google from non browser process on port 80
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph:
Gathering data
Verdict:
Malicious
Threat:
Trojan-Banker.Win32.BestaFera
Threat name:
Win32.Trojan.Generic
Status:
Suspicious
First seen:
2026-06-12 16:54:01 UTC
File Type:
PE (Exe)
Extracted files:
171
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  6/10
Tags:
discovery
Behaviour
System Location Discovery: System Language Discovery
Looks up external IP address via web service
Unpacked files
SH256 hash:
62fb046372d16c11c57747723db6645ca6686cc5faed03335c04d98a5db78a84
MD5 hash:
a944b8bcfc156f0ad6b52a8553b5fa09
SHA1 hash:
759c118f2456a69f0a6a7102cd14fa5dc2d356d3
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_DustSquad_PE_Nov19_1
Author:Arkbird_SOLG
Description:Detection Rule for APT DustSquad campaign Nov19
Reference:https://twitter.com/Rmy_Reserve/status/1197448735422238721
Rule name:APT_DustSquad_PE_Nov19_2
Author:Arkbird_SOLG
Description:Detection Rule for APT DustSquad campaign Nov19
Reference:https://twitter.com/Rmy_Reserve/status/1197448735422238721
Rule name:BobSoftMiniDelphiBoBBobSoft
Author:malware-lu
Rule name:Borland
Author:malware-lu
Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:crime_win32_ransom_avaddon_1
Author:@VK_Intel
Description:Detects Avaddon ransomware
Reference:https://twitter.com/VK_Intel/status/1300944441390370819
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:html_auto_download_b64
Author:Tdawg
Description:html auto download
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Rule name:RIPEMD160_Constants
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:shellcode
Author:nex
Description:Matched shellcode byte patterns
Rule name:SR_APT_DustSquad_PE_Nov19
Author:Arkbird_SOLG
Description:Super Rule for APT DustSquad campaign Nov19
Reference:https://twitter.com/Rmy_Reserve/status/1197448735422238721
Rule name:Sus_All_Windows_PE_Malware
Author:DiegoAnalytics
Description:Detects Windows PE malware of all types, avoids non-executables like .html
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Author:vietdx.mb
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments