MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ba13af0263cd61f957f2ce738120c8a419e1eb157e489bc79f1d57ad8277324. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CountLoader


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6ba13af0263cd61f957f2ce738120c8a419e1eb157e489bc79f1d57ad8277324
SHA3-384 hash: b8dbad0fc7f79ca126c8d18bc0ef6be34b515b087471a2c2a3301ea800a8941ff400159f9012a5e56466b85464210950
SHA1 hash: 7b33e010b7a815cbf97cc04b3adbfc009791b727
MD5 hash: c2bf2a9e6beaff5b5321917475545ef4
humanhash: stairway-mississippi-winner-mobile
File name:Setup.exe
Download: download sample
Signature CountLoader
Create hunting rule
File size:2'578'432 bytes
First seen:2026-02-26 17:44:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (90 x LummaStealer, 85 x RedLineStealer, 62 x Rhadamanthys)
ssdeep 49152:0DMr9DMr11BANi5fTfQiiPJw+dus/KLHG7crh2ko5SDkU0RM6twV:0Mr1MrfBA050i89QsSLHGXF5RU0RM6+V
TLSH T137C5124276C053FAE878C632F0770A521F72FD7AD7901AAF15DCF17904921B1693AB2A
TrID 45.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
18.0% (.EXE) Win64 Executable (generic) (6522/11/2)
13.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.6% (.ICL) Windows Icons Library (generic) (2059/9)
5.6% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter aachum
Tags:185-90-162-118 37-221-66-27 AsgardProtector CountLoader DeepLoad exe forest-entity-cc microservice-gl


Avatar
iamaachum
https://ifdvnburj8.pro/ => https://mega.nz/file/Q2JEEaBL#3mpkMN3x3KSx2zEWBpVSrUV9dooBt7w0KI9E5TncnGs

CountLoader C2:
microservice.gl
forest-entity.cc
Unknown malware C2: 185.90.162.118:25180
DeepLoad C2: 37.221.66.27:3000

Intelligence

File Origin
# of uploads :
1
# of downloads :
116
Origin country :
ES ES
Vendor Threat Intelligence
Malware configuration found for:
Archives AutoIt
Details
Archives
an extracted Cabinet archive from the resources and SFX parameters
Link:
https://research.acce.ciphertechsolutions.com/results/27515aba-ed54-40aa-9b0b-ae796cf0ec7c/
Malware family:
n/a
ID:
1
File name:
Setup.exe
Verdict:
Suspicious activity
Analysis date:
2026-02-26 17:31:00 UTC
Tags:
autoit
Link:
https://app.any.run/tasks/1b6ba049-afe4-4edb-8887-1727f09c8642

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/54731/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69a08352c950ab5d9ab1e1d4
Tags:
autoit emotet
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context at autoit CAB explorer installer installer installer-heuristic lolbin microsoft_visual_cc obfuscated packed rundll32 runonce sfx
Link:
https://www.filescan.io/uploads/69a0867010e80629d4f41936/reports/d2c3a385-7f39-479b-a548-1752897dd2ec/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/6ba13af0263cd61f957f2ce738120c8a419e1eb157e489bc79f1d57ad8277324
Result
Gathering data
Verdict:
Malicious
File Type:
exe x64
Detections:
Backdoor.Agent.UDP.C&C Trojan.Win32.Autoit.sb
Link:
https://opentip.kaspersky.com/6ba13af0263cd61f957f2ce738120c8a419e1eb157e489bc79f1d57ad8277324/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/d090fda3-db04-463a-b368-5608039af2d7
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw.expl.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1875499
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Detected CypherIt Packer
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Suricata IDS alerts for network traffic
Tries to access browser extension known for cryptocurrency wallets
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Writes or reads registry keys via WMI
Writes to foreign memory regions
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1875499 Sample: Setup.exe Startdate: 26/02/2026 Architecture: WINDOWS Score: 100 109 microservice.gl 2->109 111 forest-entity.cc 2->111 113 6 other IPs or domains 2->113 129 Suricata IDS alerts for network traffic 2->129 131 Malicious sample detected (through community Yara rule) 2->131 133 Antivirus detection for URL or domain 2->133 135 11 other signatures 2->135 13 Setup.exe 1 8 2->13         started        17 mshta.exe 2->17         started        19 mshta.exe 2->19         started        21 rundll32.exe 2->21         started        signatures3 process4 file5 101 C:\Users\user\AppData\Local\Temp\...\Stuck, DOS 13->101 dropped 103 C:\Users\user\AppData\Local\...\Chevy.iso, DOS 13->103 dropped 163 Uses schtasks.exe or at.exe to add and modify task schedules 13->163 23 cmd.exe 1 13->23         started        26 at.exe 1 13->26         started        165 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 17->165 167 Bypasses PowerShell execution policy 17->167 169 Tries to access browser extension known for cryptocurrency wallets 17->169 171 2 other signatures 17->171 28 powershell.exe 17->28         started        32 WmiPrvSE.exe 17->32         started        105 C:\Users\user\...\Config_Asia__91[1].pdf, HTML 19->105 dropped signatures6 process7 dnsIp8 145 Detected CypherIt Packer 23->145 34 cmd.exe 3 23->34         started        37 cmd.exe 1 23->37         started        39 conhost.exe 23->39         started        41 conhost.exe 26->41         started        119 forest-entity.cc 78.128.114.182 TAMATIYA-ASBG Bulgaria 28->119 107 C:\Users\user\Downloads\filemanager.exe, PE32+ 28->107 dropped 43 filemanager.exe 28->43         started        47 conhost.exe 28->47         started        file9 signatures10 process11 dnsIp12 97 C:\Users\user\AppData\...\Considered.exe, PE32 34->97 dropped 49 Considered.exe 1 34->49         started        53 cmd.exe 2 34->53         started        55 cmd.exe 1 34->55         started        57 2 other processes 34->57 115 37.221.66.27 FIRSTDC-ASRU Russian Federation 43->115 147 Found strings related to Crypto-Mining 43->147 149 Tries to harvest and steal browser information (history, passwords, etc) 43->149 file13 signatures14 process15 file16 93 C:\Users\user\AppData\Local\...\RegAsm.exe, PE32 49->93 dropped 125 Writes to foreign memory regions 49->125 127 Injects a PE file into a foreign processes 49->127 59 RegAsm.exe 4 49->59         started        63 RegAsm.exe 49->63         started        95 C:\Users\user\AppData\Local\Temp\...\J, DOS 53->95 dropped 65 findstr.exe 1 55->65         started        signatures17 process18 dnsIp19 117 185.90.162.118, 25180, 49703 MEER-ASmeerfarbigGmbHCoKGDE Germany 59->117 151 Found many strings related to Crypto-Wallets (likely being stolen) 59->151 153 Tries to harvest and steal browser information (history, passwords, etc) 59->153 67 cmd.exe 1 59->67         started        70 powershell.exe 34 59->70         started        72 cmd.exe 59->72         started        74 chrome.exe 59->74         started        155 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 63->155 signatures20 process21 signatures22 137 Uses ping.exe to check the status of other devices and networks 67->137 76 mshta.exe 67->76         started        80 conhost.exe 67->80         started        139 Creates a thread in another existing process (thread injection) 70->139 141 Injects a PE file into a foreign processes 70->141 143 Powershell drops PE file 70->143 82 csc.exe 3 70->82         started        85 conhost.exe 70->85         started        87 PING.EXE 72->87         started        89 conhost.exe 72->89         started        process23 dnsIp24 121 microservice.gl 45.156.87.31 SKYLINKNL Germany 76->121 157 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 76->157 159 Tries to access browser extension known for cryptocurrency wallets 76->159 161 Writes or reads registry keys via WMI 76->161 99 C:\Users\user\AppData\Local\...\lhc0c534.dll, PE32 82->99 dropped 91 cvtres.exe 1 82->91         started        123 1.0.0.1 CLOUDFLARENETUS Australia 87->123 file25 signatures26 process27
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6ba13af0263cd61f957f2ce738120c8a419e1eb157e489bc79f1d57ad8277324
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6ba13af0263cd61f957f2ce738120c8a419e1eb157e489bc79f1d57ad8277324/
Verdict:
Malicious
Threat:
Trojan.Win32.Autoit
Link:
https://tip.neiki.dev/file/6ba13af0263cd61f957f2ce738120c8a419e1eb157e489bc79f1d57ad8277324
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=noqtv4bghtlb7fl7ftttqeqmrjaz4hvrk7sitpdz6hkxvwbhomsa._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/260226-wa9wssav6b/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Adds Run key to start application
Deletes itself
Executes dropped EXE
Unpacked files
SH256 hash:
6ba13af0263cd61f957f2ce738120c8a419e1eb157e489bc79f1d57ad8277324
MD5 hash:
c2bf2a9e6beaff5b5321917475545ef4
SHA1 hash:
7b33e010b7a815cbf97cc04b3adbfc009791b727
Link:
https://www.unpac.me/results/de307e6e-735e-4657-b9fc-1522f96816fb/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CountLoader

Executable exe 6ba13af0263cd61f957f2ce738120c8a419e1eb157e489bc79f1d57ad8277324

(this sample)

  
Link
https://tria.ge/260226-vxzhxah14f/behavioral3
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/54731/

Comments