MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 67e25a2864d258f0ff1400c531665165929f2650e18ad90d15e5629ae5a3afcb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 10

Intelligence 10 IOCs YARA 4 File information Comments

SHA256 hash:	67e25a2864d258f0ff1400c531665165929f2650e18ad90d15e5629ae5a3afcb
SHA3-384 hash:	aedfee192d1b2f96e8e08853d23dfa97b20368d5ff6006176bf9c6b37a88c8238e31a768c9f6e3fb288a8a130266ae0f
SHA1 hash:	fce803326027484b2277c33e100deb9b93afd116
MD5 hash:	271e231f44532a381dcf33481b134cae
humanhash:	utah-fourteen-shade-colorado
File name:	64thService.exe
Download:	download sample
File size:	12'180'928 bytes
First seen:	2025-08-03 12:29:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4b1631af7ca421e7e204ec449ae66226 (8 x AsyncRAT)
ssdeep	196608:P+3CsoRul14acNH9X7H+YwVvMfwYLotrysf21YH/ocAjxRpK3xZehp45r:P+3LXlmaaX7eE4Ysrtf21Ywc+K3Po8
TLSH	T1F1C623DA09E952F490A74710618A438F78C2AACC81FD4E1D3DE45C435B5CDAE258EFFA
TrID	25.4% (.ICL) Windows Icons Library (generic) (2059/9) 25.0% (.EXE) OS/2 Executable (generic) (2029/13) 24.7% (.EXE) Generic Win/DOS Executable (2002/3) 24.7% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	skocherhan
Tags:	99-237-150-124 exe signed

Code Signing Certificate

Organisation:	Winamp SA
Issuer:	DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-06-15T00:00:00Z
Valid to:	2024-06-12T23:59:59Z
Serial number:	08d4bf5a529c725997e0f6c526495d2f
Intelligence:	45 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	db796af1ce42a1f71907fc7f6c06313f29fda38a2059dadfb09bf21943338286
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

skocherhan

http://99.237.150.124:5500/64/64thService.exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

64thService.exe

Verdict:

Malicious activity

Analysis date:

2025-08-03 06:06:04 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/54a48bb3-f0d2-490d-9602-beae356d8da6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/18558/

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=688efc4eaf3050dc8d33b967

Tags:

virus

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a process with a hidden window

Connection attempt

Sending an HTTP GET request

Creating a file in the system32 directory

Sending a custom TCP request

Creating a process from a recently created file

Сreating synchronization primitives

Creating a window

Using the Windows Management Instrumentation requests

DNS request

Creating a file

Adding an exclusion to Microsoft Defender

Verdict:

Unknown

Threat level:

2.5/10

Confidence:

100%

Tags:

expired-cert obfuscated packed packed signed vmprotect

Link:

https://www.filescan.io/uploads/688f566873b8ef6f4afc34fb/reports/971c7f96-0c55-488c-9328-d42a3f316ecf/overview

Verdict:

Malicious

Labled as:

Barys.Generic

Link:

https://www.hybrid-analysis.com/sample/67e25a2864d258f0ff1400c531665165929f2650e18ad90d15e5629ae5a3afcb

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/c7e529f4-9a44-4b60-84ca-e04699885678

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/67e25a2864d258f0ff1400c531665165929f2650e18ad90d15e5629ae5a3afcb

Verdict:

inconclusive

YARA:

3 match(es)

Tags:

Executable PE (Portable Executable) Win 64 Exe x64

Link:

https://app.malva.re/file/271e231f44532a381dcf33481b134cae

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/67e25a2864d258f0ff1400c531665165929f2650e18ad90d15e5629ae5a3afcb/

Verdict:

Malicious

Threat:

Win64.Malware.Heuristic

Link:

https://tip.neiki.dev/file/67e25a2864d258f0ff1400c531665165929f2650e18ad90d15e5629ae5a3afcb

Threat name:

Win64.Trojan.Barys

Status:

Malicious

First seen:

2025-08-03 06:06:05 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

14 of 24 (58.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=m7rfukde2jmpb7yuadctczsrmwjj6jsq4gfnsdiv4vrjvzndv7fq._file

Result

Malware family:

n/a

Score:

8/10

Tags:

execution

Link:

https://tria.ge/reports/250803-ppqcda1ycz/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

ConfuserEx .NET packer

Drops file in System32 directory

Checks computer location settings

Executes dropped EXE

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Verdict:

Malicious

Tags:

JS_Nemucod_M_gen JS_Nemucod

YARA:

n/a

Link:

https://app.threat.zone/submission/ae7e2208-e267-4cb9-90ce-ce382b4142cf

Unpacked files

SH256 hash:

67e25a2864d258f0ff1400c531665165929f2650e18ad90d15e5629ae5a3afcb

MD5 hash:

271e231f44532a381dcf33481b134cae

SHA1 hash:

fce803326027484b2277c33e100deb9b93afd116

Link:

https://www.unpac.me/results/5346999b-dae3-4d15-97d1-d30cfd5700e8/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/67e25a2864d2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/67e25a2864d258f0ff1400c531665165929f2650e18ad90d15e5629ae5a3afcb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	Windows_Generic_MalCert_65514fe0 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 67e25a2864d258f0ff1400c531665165929f2650e18ad90d15e5629ae5a3afcb

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3593813/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/18558/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Reviews

ID	Capabilities	Evidence
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::GetTokenInformation
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteExW
WIN32_PROCESS_API	Can Create Process and Threads	WININET.dll::InternetCloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::LoadLibraryA
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::SetConsoleScreenBufferSize

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample