MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e73a72a3fa7c12a29342d1ecd84b2a50e08df382bc73c0f27478bb467c1077e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6e73a72a3fa7c12a29342d1ecd84b2a50e08df382bc73c0f27478bb467c1077e
SHA3-384 hash: 07c96dfa942e20ed8b0d611531a1e3f108618ad3d730504080a610518ee01408c2c40cae64f7ce75f7afed97e299a004
SHA1 hash: 3a278f3b90e0f101213ec020083364a810e492ae
MD5 hash: 2fd34ea519568a4011620ac5fe8cf590
humanhash: twenty-kentucky-emma-magnesium
File name:payload.zip
Download: download sample
File size:1'866'458 bytes
First seen:2026-03-05 05:56:34 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 49152:/OkgxwYaxSrc3Ymfn6hg3Sh4gkRkegrGQ7yu8A9C:/Onxwr4w6hgiCp9grVmYC
TLSH T10685336109733040C5966FB3ADB32F52EEEE6DDBF117988309398A9F4CD43279963285
Magika zip
Reporter BlinkzSec
Tags:1poz-my zip


Avatar
BlinkzSec
The Powershell file from the reference downloads this zip file, unpacks it, and executes each .exe file.

Intelligence

File Origin
# of uploads :
1
# of downloads :
161
Origin country :
GB GB
File Archive Information

This file archive contains 2 file(s), sorted by their relevance:

File name:active_desktop_launcher.exe
File size:102'536 bytes
SHA256 hash: f712c2a8b4abf2e299a2b480020333deb0f43364e9686cda78b1243c62e4830d
MD5 hash: 1ea7d59053d8bd45bea95355b3d8d499
MIME type:application/x-dosexec
File name:active_desktop_render_x64.dll
File size:7'058'432 bytes
SHA256 hash: deeec4dcffc19380508e47f12d3902deb7d7fb999328cd79db70cd527aeacd02
MD5 hash: 572b11e996cefa7a2b93d15f677944ff
MIME type:application/x-dosexec
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/cf72d5fd-f172-4d04-b38a-bf2a5b3e4ccd/
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.12893429.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69a91b3de1f958bf6683cb96
Tags:
n/a
Result
Verdict:
Unknown
File Type:
PE File
Link:
https://app.docguard.net/6e73a72a3fa7c12a29342d1ecd84b2a50e08df382bc73c0f27478bb467c1077e/results/dashboard
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug barys overlay packed packed packed packed unsafe upx
Link:
https://www.filescan.io/uploads/69a91b3a10e80629d4fcd372/reports/fce7b907-1de7-4190-b3d1-ff468aa05499/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/6e73a72a3fa7c12a29342d1ecd84b2a50e08df382bc73c0f27478bb467c1077e
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/6e73a72a3fa7c12a29342d1ecd84b2a50e08df382bc73c0f27478bb467c1077e
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
File Type:
zip
Detections:
Trojan.Win32.AntiAV.ddtd
Link:
https://opentip.kaspersky.com/6e73a72a3fa7c12a29342d1ecd84b2a50e08df382bc73c0f27478bb467c1077e/results?tab=lookup
Score:
88%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/6e73a72a3fa7c12a29342d1ecd84b2a50e08df382bc73c0f27478bb467c1077e
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6e73a72a3fa7c12a29342d1ecd84b2a50e08df382bc73c0f27478bb467c1077e/
Verdict:
Malicious
Threat:
Trojan.Win32.AntiAV
Link:
https://tip.neiki.dev/file/6e73a72a3fa7c12a29342d1ecd84b2a50e08df382bc73c0f27478bb467c1077e
Threat name:
Binary.Trojan.Barys
Create hunting rule
Status:
Malicious
First seen:
2026-03-05 03:56:18 UTC
File Type:
Binary (Archive)
Extracted files:
34
AV detection:
7 of 36 (19.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nzz2okr7u7asukjufupm3bfsuuharxzyfpdtydzhi6f3iz6ba57a._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion persistence privilege_escalation upx
Link:
https://tria.ge/reports/260305-gxbj7acz5k/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Access Token Manipulation: Create Process with Token
Executes dropped EXE
Loads dropped DLL
UPX packed file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.15
Link:
https://yomi.yoroi.company/submissions/6e73a72a3fa7c12a29342d1ecd84b2a50e08df382bc73c0f27478bb467c1077e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAS_Malware_Hunting
Create hunting rule
Author:Michael Reinprecht
Description:DEMO CAS YARA Rules for sample2.exe
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:upx_largefile
Create hunting rule
Author:k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

zip 6e73a72a3fa7c12a29342d1ecd84b2a50e08df382bc73c0f27478bb467c1077e

(this sample)

  
Link
https://bazaar.abuse.ch/sample/3f1154df91b9ec324943c5a72519722ddf544c8adb8ca40701124b4a05136b8e/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3789744/
  
URLhaus
https://urlhaus.abuse.ch/url/3790000/

Comments