MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 72290d956d57e4d2370d4d202fe18ed53362b7a35c57ea8ad7b57cf481a98ef7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 72290d956d57e4d2370d4d202fe18ed53362b7a35c57ea8ad7b57cf481a98ef7
SHA3-384 hash: cf0199c2b3772f1c918b340f6468a5c015b606288122069da555d896634880adcd6cf71cffc1d2fb8a07d19913789199
SHA1 hash: c57623685bbd50a212364f5e2dd98730a8c2a5d6
MD5 hash: ace65ce43ce1dcf29f063b12c77a17a5
humanhash: south-seven-cup-robin
File name:SecuriteInfo.com.W32.GenKryptik.DLII.tr.12147.1638
Download: download sample
File size:14'729'216 bytes
First seen:2025-08-17 12:50:47 UTC
Last seen:2025-08-17 14:21:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4726a44fe26be230276f301221d57e7a
ssdeep 196608:HVQrlkMn5eVYyQtCBJJQXZl/6DJxD3+m+V2CKso7KIAnVz4jbTvCmkT8olEFmbmz:qJV5eVYOJJtDTWoBslz4j/68oqmbmz
TLSH T112E63323663A5241F1E94831C52BBEF532F313BA9B416CF9A5F7CCC526164A4F726823
TrID 25.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
19.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.1% (.EXE) Win32 Executable (generic) (4504/4/1)
7.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
7.8% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 0000000060c890a0
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
50
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
mimikatz
Create hunting rule
ID:
1
File name:
http://103.204.79.118:448
Verdict:
Malicious activity
Analysis date:
2025-03-13 10:55:39 UTC
Tags:
loader arch-exec redosdru mimikatz qrcode
Link:
https://app.any.run/tasks/d95bdaee-7d45-4a6a-b05c-c31c38ae26d3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/21826/
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68a1d05b8fd55a79c5286d46
Tags:
vmprotect trojware agent
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Searching for synchronization primitives
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed packed packed vmprotect
Link:
https://www.filescan.io/uploads/68a1d059abfbaec318243fc1/reports/938e9ba0-a1c3-40e1-8ab5-0312de71f20a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/72290d956d57e4d2370d4d202fe18ed53362b7a35c57ea8ad7b57cf481a98ef7
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/a59806f6-93cf-4906-9dcc-79694df92692
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/72290d956d57e4d2370d4d202fe18ed53362b7a35c57ea8ad7b57cf481a98ef7
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/ace65ce43ce1dcf29f063b12c77a17a5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/72290d956d57e4d2370d4d202fe18ed53362b7a35c57ea8ad7b57cf481a98ef7/
Verdict:
Malicious
Threat:
UDS:DangerousObject.Multi
Link:
https://tip.neiki.dev/file/72290d956d57e4d2370d4d202fe18ed53362b7a35c57ea8ad7b57cf481a98ef7
Threat name:
Win32.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-08-17 08:05:43 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
18 of 37 (48.65%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oiuq3flnk7snenynjuqc7ymo2uzwfn5dlrl6vcwxwv6pjanjr33q._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery vmprotect
Link:
https://tria.ge/reports/250817-p3rglavn14/
Behaviour
Gathers system information
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Enumerates connected drives
Modifies boot configuration data using bcdedit
VMProtect packed file
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ca5f2dc4-2bbc-49c7-acd1-31f5de2ae28c
Unpacked files
SH256 hash:
72290d956d57e4d2370d4d202fe18ed53362b7a35c57ea8ad7b57cf481a98ef7
MD5 hash:
ace65ce43ce1dcf29f063b12c77a17a5
SHA1 hash:
c57623685bbd50a212364f5e2dd98730a8c2a5d6
Link:
https://www.unpac.me/results/3425ac44-a08c-455d-8d67-d276165f1b55/
Malware family:
Mimikatz
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/72290d956d57/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.44
Link:
https://yomi.yoroi.company/submissions/72290d956d57e4d2370d4d202fe18ed53362b7a35c57ea8ad7b57cf481a98ef7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 72290d956d57e4d2370d4d202fe18ed53362b7a35c57ea8ad7b57cf481a98ef7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3605143/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3605187/
  
URLhaus
https://urlhaus.abuse.ch/url/3605195/
Cape
Cape
https://www.capesandbox.com/analysis/21826/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
MULTIMEDIA_APICan Play MultimediaWINMM.dll::midiStreamOut
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegOpenKeyExA

Comments