MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d537f3c864030228a1e7024a7b2f5ce91c8834d68349edcdbc52ccc125faa6c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 10

Intelligence 10 IOCs YARA 7 File information Comments

SHA256 hash:	6d537f3c864030228a1e7024a7b2f5ce91c8834d68349edcdbc52ccc125faa6c
SHA3-384 hash:	73f164f3b4d4ca705e5210c1df435baf809f2412e14806f71c0a52b2215bf3c2a2f8198405d476bd517d17f31b85db00
SHA1 hash:	3f65de07bd1d29acd6d6840673371dbe4e34ac95
MD5 hash:	f9cc037898cd7000addc1ac5a1144cf8
humanhash:	oven-video-michigan-lake
File name:	TFH.exe
Download:	download sample
File size:	34'103'729 bytes
First seen:	2026-05-16 08:20:27 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e715424ebef62edcf8229c713419932e (1 x HijackLoader, 1 x XWorm, 1 x ACRStealer)
ssdeep	786432:RWooBRCZu/cIKfPb/GjUKJDroHPQ7ztDV/OPH+hL7BB:gPPD0fP61tcHPODlOmLr
TLSH	T1F777335DDFB0066DF0E7993949F0DA06C7BBBC9586B2D9AF25A106534F9BA80C93C301
TrID	93.7% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39) 2.3% (.EXE) Win64 Executable (generic) (6522/11/2) 1.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 0.7% (.EXE) OS/2 Executable (generic) (2029/13) 0.7% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
dhash icon	9494b494d4aeaeac (904 x DCRat, 486 x NirCmd, 172 x RedLineStealer)
Reporter	Alex_sev
Tags:	Downloader dropper exe obfuscated

Intelligence

File Origin

# of uploads :

# of downloads :

288

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

2026-05-05_f9cc037898cd7000addc1ac5a1144cf8_cryptbot_icedid_luca-stealer_njrat_stealc.exe

Verdict:

No threats detected

Analysis date:

2026-05-16 08:21:02 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/bd556ee9-07cd-4bf4-b62b-40422146dc86

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

81.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a0828db46d6967b3d909abc

Tags:

virus small

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug fingerprint installer-heuristic microsoft_visual_cc overlay packed reconnaissance

Link:

https://www.filescan.io/uploads/6a0828e6861ee596e6381319/reports/2bad2ada-1452-4b3d-ac98-de230c236515/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/6d537f3c864030228a1e7024a7b2f5ce91c8834d68349edcdbc52ccc125faa6c

Verdict:

Malicious

File Type:

exe x64

First seen:

2026-05-16T05:26:00Z UTC

Last seen:

2026-05-17T18:22:00Z UTC

Hits:

~10

Detections:

PDM:Trojan.Win32.Generic Trojan-Downloader.Win32.Paph.pre

Link:

https://opentip.kaspersky.com/6d537f3c864030228a1e7024a7b2f5ce91c8834d68349edcdbc52ccc125faa6c/results?tab=lookup

Score:

79%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/6d537f3c864030228a1e7024a7b2f5ce91c8834d68349edcdbc52ccc125faa6c

Gathering data

Verdict:

Malicious

Threat:

Trojan-Downloader.Win32.Paph

Link:

https://tip.neiki.dev/file/6d537f3c864030228a1e7024a7b2f5ce91c8834d68349edcdbc52ccc125faa6c

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2026-05-01 14:08:04 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

11 of 36 (30.56%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nvjx6pegiaycfcq6oaskpmxvz2i4ra2nna2j5xg3yuwmyes7vjwa._file

Gathering data

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6d537f3c864030228a1e7024a7b2f5ce91c8834d68349edcdbc52ccc125faa6c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	upxHook Create hunting rule
Author:	@r3dbU7z
Description:	Detect artifacts from 'upxHook' - modification of UPX packer
Reference:	https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample