MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 66bf111030a2e22db575c0b7b7b677208745eef8b44265bb4259f41f126f1bf8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MillenuimRAT

Vendor detections: 10

Intelligence 10 IOCs YARA 17 File information Comments

SHA256 hash:	66bf111030a2e22db575c0b7b7b677208745eef8b44265bb4259f41f126f1bf8
SHA3-384 hash:	600064c7159c8537534551bcc0c64c355cbc6a455b22998ed46565026e7be7c13eb631f556171e8b934c1452074ee1af
SHA1 hash:	3b1c9ed95e3fcf2439f5ba4527a68cddf4d580e7
MD5 hash:	83cc7dc0b212e8f5ae5f21f66e527e49
humanhash:	maryland-triple-yankee-jupiter
File name:	file
Download:	download sample
Signature	MillenuimRAT Create hunting rule
File size:	2'743'296 bytes
First seen:	2026-02-06 12:46:40 UTC
Last seen:	2026-02-06 13:18:51 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	0131b5b473cafe75a5bb1e8916187db2 (1 x MillenuimRAT)
ssdeep	49152:RVYiIY9XX0FByqrRcmGWJn6RvGfgEkXA5JDh1O1jok0UmSg9MY:BtXX0a2RZGEn6RvGfT1I1j
TLSH	T1AAC59D61F782D0B2F5E301B056BFABF64D387631572594CBF2C01E6959206C27A3AB1B
TrID	40.3% (.EXE) Win64 Executable (generic) (10522/11/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4504/4/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey exe fbf543 MillenuimRAT

Bitsight

url: http://130.12.180.43/files/7924412375/upOSLDn.exe

Intelligence

File Origin

# of uploads :

# of downloads :

146

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

_66bf111030a2e22db575c0b7b7b677208745eef8b44265bb4259f41f126f1bf8.exe

Verdict:

Malicious activity

Analysis date:

2026-02-06 12:47:31 UTC

Tags:

telegram github evasion auto-reg stealer ims-api generic milleniumrat rat

Link:

https://app.any.run/tasks/05d46b98-696f-40f1-8660-2e89b108299a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/52488/

Detection(s):

Win.Malware.Zusy-9774083-0

ditekSHen.INDICATOR.Packed.TriumphLoader.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6985e2d4ae5379bb660a1976

Tags:

infosteal dropper keylog smtp

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug anti-vm base64 cmd crypto expand fingerprint hacktool keylogger lolbin microsoft_visual_cc zusy

Link:

https://www.filescan.io/uploads/6985e2d1981ff1d38a4b443d/reports/79808934-7073-411d-a34b-ef39d6395b5f/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/66bf111030a2e22db575c0b7b7b677208745eef8b44265bb4259f41f126f1bf8

Result

Gathering data

Verdict:

Malicious

File Type:

exe x32

Detections:

Trojan-PSW.MSIL.Stealer.sb HEUR:Trojan-PSW.Win32.Disco.gen Trojan-PSW.Win32.Disco.sb Trojan-PSW.Win32.Coins.sb

Link:

https://opentip.kaspersky.com/66bf111030a2e22db575c0b7b7b677208745eef8b44265bb4259f41f126f1bf8/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/e0d06bfc-889f-4cd1-b18b-64475a4013bc

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/66bf111030a2e22db575c0b7b7b677208745eef8b44265bb4259f41f126f1bf8

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/66bf111030a2e22db575c0b7b7b677208745eef8b44265bb4259f41f126f1bf8/

Verdict:

Malicious

Threat:

Family.MILLENIUMRAT

Link:

https://tip.neiki.dev/file/66bf111030a2e22db575c0b7b7b677208745eef8b44265bb4259f41f126f1bf8

Gathering data

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=m27rcebqulrc3nlvyc33pntxecdul3xywrbglo2clh2b6etpdp4a._file

Result

Malware family:

milleniumrat

Score:

10/10

Tags:

family:milleniumrat credential_access discovery rat spyware stealer

Link:

https://tria.ge/reports/260206-p1aq3adz5a/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Browser Information Discovery

System Location Discovery: System Language Discovery

System Time Discovery

Contacts third-party web service commonly abused for C2

Looks up external IP address via web service

Executes dropped EXE

Reads user/profile data of web browsers

Uses browser remote debugging

Detects MilleniumRAT stealer

MilleniumRat

Milleniumrat family

Unpacked files

SH256 hash:

66bf111030a2e22db575c0b7b7b677208745eef8b44265bb4259f41f126f1bf8

MD5 hash:

83cc7dc0b212e8f5ae5f21f66e527e49

SHA1 hash:

3b1c9ed95e3fcf2439f5ba4527a68cddf4d580e7

Link:

https://www.unpac.me/results/a3673e9c-90a8-4680-9da1-e7a2795338db/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/66bf111030a2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs Create hunting rule
Author:	ditekSHen
Description:	Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing possible sandbox analysis VM names

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL Create hunting rule
Author:	ditekSHen
Description:	Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing possible sandbox analysis VM usernames

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	Macos_Infostealer_Wallets_8e469ea0 Create hunting rule
Author:	Elastic Security

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	telebot_framework Create hunting rule
Author:	vietdx.mb

Rule name:	TelegramAPIMalware_PowerShell_EXE Create hunting rule
Author:	@polygonben
Description:	Hunting for pwsh malware using Telegram for C2

Rule name:	WIN_WebSocket_Base64_C2_20250726 Create hunting rule
Author:	dogsafetyforeverone
Description:	Detects configuration strings used by malware to specify WebSocket command-and-control endpoints inside Base64-encoded data. It looks for prefixes such as '#ws://' or '#wss://' that were found in QuasarRAT configuration data.