MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6561ba943d100e3834c16abd8b38513bc0ea983ef02a172eb66fd7bce803ae73. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA 7 File information Comments

SHA256 hash: 6561ba943d100e3834c16abd8b38513bc0ea983ef02a172eb66fd7bce803ae73
SHA3-384 hash: 38f2cc7267c507bfd91c3c014c869784ff022c2d383af8df01bef2521d1ada958693d98da6cf6237492d538ae528b550
SHA1 hash: f7aa8f17280432b47fa6d3c57d2568202b981d98
MD5 hash: d5e471c46b3e07cd14780e5b92cc4a36
humanhash: delaware-xray-kansas-mars
File name:d5e471c46b3e07cd14780e5b92cc4a36.exe
Download: download sample
File size:3'798'528 bytes
First seen:2026-07-11 06:55:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0b5e5be5c80bbfa5fe328363fcad3260
ssdeep 98304:5b/KgkK+7dGd91FUztjOdBEm8bILHGWCv5IjjPmgoR:Bvuq1FUzMOegv5IjjPmgo
TLSH T1D6068D17E2A350FCC12BC17C46579672A931B828C534FE7F5A94DB312E31E50AB6EB24
TrID 45.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
18.0% (.EXE) Win64 Executable (generic) (6522/11/2)
13.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.6% (.ICL) Windows Icons Library (generic) (2059/9)
5.6% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter abuse_ch
Tags:exe

Intelligence


File Origin
# of uploads :
1
# of downloads :
130
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
_6561ba943d100e3834c16abd8b38513bc0ea983ef02a172eb66fd7bce803ae73.exe
Verdict:
Malicious activity
Analysis date:
2026-07-11 06:57:38 UTC
Tags:
auto-sch auto-reg

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Creating a window
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Running batch commands
Сreating synchronization primitives
Setting a keyboard event handler
Connection attempt
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug base64 cmd crypto downloader evasive expand fingerprint fingerprint hacktool keylogger lolbin netsh obfuscated packed reconnaissance runonce xor-pe
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-07-09T17:53:00Z UTC
Last seen:
2026-07-12T20:58:00Z UTC
Hits:
~100
Detections:
Trojan-Spy.Win64.Xegumumune.olg HEUR:Trojan.Win64.Generic HEUR:Trojan.Win32.Generic
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Signature
Contains functionality to log keystrokes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Suspicious Ping/Del Command Combination
Uses known network protocols on non-standard ports
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1940885 Sample: PS2IM8x473.exe Startdate: 11/07/2026 Architecture: WINDOWS Score: 96 59 Multi AV Scanner detection for submitted file 2->59 61 Uses known network protocols on non-standard ports 2->61 63 Sigma detected: Suspicious Ping/Del Command Combination 2->63 65 Sigma detected: Files With System Process Name In Unsuspected Locations 2->65 8 PS2IM8x473.exe 1 4 2->8         started        12 SecurityHealthService.exe 2->12         started        14 SecurityHealthService.exe 2->14         started        16 SecurityHealthService.exe 2->16         started        process3 file4 51 C:\Users\user\...\SecurityHealthService.exe, PE32+ 8->51 dropped 53 SecurityHealthServ...exe:Zone.Identifier, ASCII 8->53 dropped 75 Self deletion via cmd or bat file 8->75 77 Contains functionality to log keystrokes 8->77 79 Uses schtasks.exe or at.exe to add and modify task schedules 8->79 81 Hides that the sample has been downloaded from the Internet (zone.identifier) 8->81 18 cmd.exe 1 8->18         started        21 SecurityHealthService.exe 2 8->21         started        24 conhost.exe 8->24         started        26 schtasks.exe 1 8->26         started        28 schtasks.exe 1 12->28         started        30 schtasks.exe 1 14->30         started        32 schtasks.exe 1 16->32         started        signatures5 process6 dnsIp7 67 Uses ping.exe to sleep 18->67 69 Uses ping.exe to check the status of other devices and networks 18->69 34 PING.EXE 1 18->34         started        37 conhost.exe 18->37         started        57 31.76.244.171, 49692, 5173 VPSPAY-ASNvpspaynetGB Germany 21->57 71 Multi AV Scanner detection for dropped file 21->71 73 Installs a global keyboard hook 21->73 39 schtasks.exe 1 21->39         started        41 conhost.exe 26->41         started        43 conhost.exe 28->43         started        45 conhost.exe 30->45         started        47 conhost.exe 32->47         started        signatures8 process9 dnsIp10 55 127.0.0.1 unknown unknown 34->55 49 conhost.exe 39->49         started        process11
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Verdict:
Malicious
Threat:
Trojan-Spy.Win64.Xegumumune
Threat name:
Win64.Malware.Heuristic
Status:
Malicious
First seen:
2026-07-09 20:57:40 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
20 of 36 (55.56%)
Threat level:
  2/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery execution persistence
Behaviour
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
System Network Configuration Discovery: Internet Connection Discovery
Adds Run key to start application
Executes dropped EXE
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
6561ba943d100e3834c16abd8b38513bc0ea983ef02a172eb66fd7bce803ae73
MD5 hash:
d5e471c46b3e07cd14780e5b92cc4a36
SHA1 hash:
f7aa8f17280432b47fa6d3c57d2568202b981d98
SH256 hash:
e857298fd2f8d1c7d48780769433f33e7b3ceaae5ea5a74c13ce8c10bcc7b690
MD5 hash:
1d04536714bb22a3e909525a7dd627f0
SHA1 hash:
affc166fa1874ff3ec0e42646e008cec972b76ab
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Rule name:SUSP_XORed_MSDOS_Stub_Message
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments