MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 66c00afa5d90cc2d1a5c2cd2e4107964fe7765c74f73ab098ebb5d02c074b2f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 14

Intelligence 14 IOCs YARA 15 File information Comments

SHA256 hash:	66c00afa5d90cc2d1a5c2cd2e4107964fe7765c74f73ab098ebb5d02c074b2f0
SHA3-384 hash:	72653e646b38fe492d84313ce596e6db0370282b2b18dd203eee5c76fa37c2d707ca7c1a1b663f050f088f91a4c27d2b
SHA1 hash:	d322d7e764a14c88d1cefa6925c997a86eff064f
MD5 hash:	5a378a55d2972044ba78d10a366306d0
humanhash:	lion-fruit-quebec-nineteen
File name:	steamhelper.exe
Download:	download sample
File size:	8'992'397 bytes
First seen:	2025-12-31 05:31:49 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1418e44b536f42ef5db8fd35c961985c (2 x DCRat, 1 x Blackmoon, 1 x Vidar)
ssdeep	196608:ZB9elWWXZ0Wa3sDcJlEQz089lGvbVOZO6KvbIv5w:b9elrZ0Wa3sDSlpzfLGTVA5w
TLSH	T1BE963321B6C49133C2B61EB86E2C926D963E7F202F1459C76BE03E891E351C25F39677
TrID	40.3% (.EXE) Win64 Executable (generic) (10522/11/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4504/4/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	Ling
Tags:	exe Trojan:Win32/Wacatac.F!ml wacatac

Ling

Trojan:Win32/Wacatac.F!ml

Intelligence

File Origin

# of uploads :

# of downloads :

128

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

Archives PEPacker

Details

Result

Gathering data

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-12-31T01:36:00Z UTC

Last seen:

2025-12-31T01:53:00Z UTC

Hits:

~10

Detections:

Trojan-Spy.Win32.Stealer.fors Trojan-Spy.Stealer.TCP.C&C Trojan-Spy.Stealer.HTTP.C&C Trojan-Spy.Win32.Stealer.fort

Link:

https://opentip.kaspersky.com/66c00afa5d90cc2d1a5c2cd2e4107964fe7765c74f73ab098ebb5d02c074b2f0/results?tab=lookup

Malware family:

LogMeIn

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/64d46481-9e4a-4af9-9a10-dd463556a14b

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/66c00afa5d90cc2d1a5c2cd2e4107964fe7765c74f73ab098ebb5d02c074b2f0

Verdict:

inconclusive

YARA:

6 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout PE Memory-Mapped (Dump)

Link:

https://app.malva.re/file/5a378a55d2972044ba78d10a366306d0

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/66c00afa5d90cc2d1a5c2cd2e4107964fe7765c74f73ab098ebb5d02c074b2f0/

Verdict:

Malicious

Threat:

Trojan-Spy.Win32.Stealer

Link:

https://tip.neiki.dev/file/66c00afa5d90cc2d1a5c2cd2e4107964fe7765c74f73ab098ebb5d02c074b2f0

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=m3aav6s5sdgc2gs4ftjoiedzmt7hozohj5z2wcmoxnoqfqduwlya._file

Gathering data

Verdict:

Malicious

Tags:

Win.Packed.Zusy-10014517-0

YARA:

n/a

Link:

https://app.threat.zone/submission/279f0134-0044-4708-a968-4e3f4746a2a1

Unpacked files

SH256 hash:

66c00afa5d90cc2d1a5c2cd2e4107964fe7765c74f73ab098ebb5d02c074b2f0

MD5 hash:

5a378a55d2972044ba78d10a366306d0

SHA1 hash:

d322d7e764a14c88d1cefa6925c997a86eff064f

Link:

https://www.unpac.me/results/c6a6643a-9266-4722-ae70-47e1d7afe4aa/

SH256 hash:

0e8501aaca4e695b5d82116e26ca55b34a28168968364a18d33626425b98e2fc

MD5 hash:

726d8c39586a9ea4751dd491253f2917

SHA1 hash:

16f0bcb542a6e66bba4f5fe0ee4dc068f15c6508

Link:

https://www.unpac.me/results/c6a6643a-9266-4722-ae70-47e1d7afe4aa/

SH256 hash:

2a07e9d82531a6e8707d010d217157303a827d8ecce36f58372401b87849728e

MD5 hash:

6564864bc27d4f1fd140648fbea35a0f

SHA1 hash:

0fbce743661919c46427c59237a2c823155eac31

Link:

https://www.unpac.me/results/c6a6643a-9266-4722-ae70-47e1d7afe4aa/

SH256 hash:

dc55202634e140b9817805094e6631b7241dd5ea31644ad6e0a39acca6db5780

MD5 hash:

fba61a3e479647477625f13e905ced7d

SHA1 hash:

633331a306237922d247482042b5d91b4ddc4902

Detections:

INDICATOR_EXE_Packed_Loader

Link:

https://www.unpac.me/results/c6a6643a-9266-4722-ae70-47e1d7afe4aa/

Parent samples :

b0b92ed73b4e9254a4e0d353c09305f7f27def9d3a86d70001b17482f7317ef9
66c00afa5d90cc2d1a5c2cd2e4107964fe7765c74f73ab098ebb5d02c074b2f0

SH256 hash:

95349cbb0ce9bd2bb939c04e611750eca5d1ac1b8baa53641c28c147a59dc725

MD5 hash:

95b2c0f892fe4c15ac1d4929bcb54df1

SHA1 hash:

b13abc14da4b7f1c0a8f5aacd98f0c6fb18873fd

Link:

https://www.unpac.me/results/c6a6643a-9266-4722-ae70-47e1d7afe4aa/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/66c00afa5d90/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/66c00afa5d90cc2d1a5c2cd2e4107964fe7765c74f73ab098ebb5d02c074b2f0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	HeavensGate Create hunting rule
Author:	kevoreilly
Description:	Heaven's Gate: Switch from 32-bit to 64-mode

Rule name:	INDICATOR_EXE_Packed_Enigma Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Enigma

Rule name:	INDICATOR_EXE_Packed_Loader Create hunting rule
Author:	ditekSHen
Description:	Detects packed executables observed in Molerats

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SelfExtractingRAR Create hunting rule
Author:	Xavier Mertens
Description:	Detects an SFX archive with automatic script execution

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	TH_Generic_MassHunt_Win_Malware_2025_CYFARE Create hunting rule
Author:	CYFARE
Description:	Generic Windows malware mass-hunt rule - 2025
Reference:	https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 66c00afa5d90cc2d1a5c2cd2e4107964fe7765c74f73ab098ebb5d02c074b2f0

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/46630/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample