MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 74fef06cff2bb57ccfa1916228ff751ffda777c37f03fc92c46139311020900d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 28 File information Comments

SHA256 hash: 74fef06cff2bb57ccfa1916228ff751ffda777c37f03fc92c46139311020900d
SHA3-384 hash: 402cfcee1bf70d116e92061bb9fb52bf06b128f8736ff10a6a5943835cb5f1434c180b90ca180d1abbc8ed5a42901cec
SHA1 hash: 973502bf2fb6319e18573f589daa99be9900dd77
MD5 hash: 7716e278a4fa0db12ef08524f3815fa1
humanhash: asparagus-cardinal-yankee-ack
File name:wdatasvc.exe
Download: download sample
File size:55'239'680 bytes
First seen:2026-07-10 12:02:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b51ccfc346077e98b4127daaef96f8e5
ssdeep 393216:85T/1bCIC5CQaeXpiboTf9SDW7v9RAOqUGQswQiz:taeYbw9t0Ojq
TLSH T162C76BC09F02E5689AF7BD720949633DF38603214CB287799962F615797896FF343B0A
TrID 37.0% (.EXE) Win64 Executable (generic) (6522/11/2)
28.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.5% (.EXE) OS/2 Executable (generic) (2029/13)
11.3% (.EXE) Generic Win/DOS Executable (2002/3)
11.3% (.EXE) DOS Executable (generic) (2000/1)
Magika pebin
dhash icon f0f0aacecceed8f8
Reporter smica83
Tags:exe

Intelligence


File Origin
# of uploads :
1
# of downloads :
158
Origin country :
HU HU
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
_74fef06cff2bb57ccfa1916228ff751ffda777c37f03fc92c46139311020900d.exe
Verdict:
Malicious activity
Analysis date:
2026-07-10 12:05:15 UTC
Tags:
telegram auto-sch auto-reg stealer ip-check evasion discord golang

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
90.2%
Tags:
autorun xtreme shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Сreating synchronization primitives
DNS request
Connection attempt
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Enabling the 'hidden' option for files in the %temp% directory
Running batch commands
Launching a process
Changing the Zone.Identifier stream
Launching cmd.exe command interpreter
Creating a process from a recently created file
Creating a process with a hidden window
Sending a custom TCP request
Sending a UDP request
Sending an HTTP GET request
Launching the default Windows debugger (dwwin.exe)
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug base64 cmd crypto evasive expand explorer fingerprint golang hacktool keylogger lolbin microsoft_visual_cc obfuscated obfuscated packed reconnaissance rundll32 schtasks update xor-pe
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-07-10T09:11:00Z UTC
Last seen:
2026-07-11T23:19:00Z UTC
Hits:
~1000
Detections:
Trojan-PSW.Win32.Greedy.sb Trojan-PSW.Win32.Disco.sb HEUR:Trojan-PSW.Win32.Disco.gen Trojan.Win32.Qhost Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Agent.sba PDM:Trojan.Win32.Generic Backdoor.Win32.Androm.sb Trojan.Win32.Agent.sb Trojan-Dropper.Win32.Injector.sb Trojan-Downloader.Win32.Gomal.sb NetTool.TelegramSendMessage.HTTP.C&C
Result
Threat name:
Gocoder
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Signature
Contains functionality to hide user accounts
Creates / moves files in alternative data streams (ADS)
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS TXT record lookups
Potential Privilege Escalation using Task Scheduler highest RunLevel
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Gocoder ransomware
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1940519 Sample: wdatasvc.exe Startdate: 10/07/2026 Architecture: WINDOWS Score: 100 59 protocol-v2.argotunnel.com 2->59 61 cfd-features.argotunnel.com 2->61 63 8 other IPs or domains 2->63 81 Suricata IDS alerts for network traffic 2->81 83 Multi AV Scanner detection for dropped file 2->83 85 Multi AV Scanner detection for submitted file 2->85 89 7 other signatures 2->89 8 wdatasvc.exe 3 11 2->8         started        13 WmiPrvSE.exe 5 2->13         started        15 WmiPrvSE.exe 1 2->15         started        17 2 other processes 2->17 signatures3 87 Performs DNS TXT record lookups 61->87 process4 dnsIp5 77 api.telegram.org 149.154.166.110, 443, 49683, 49710 TELEGRAMVG United Kingdom 8->77 79 ntfy.sh 159.203.148.75, 443, 49708, 49717 DIGITALOCEAN-ASN-DigitalOceanLLCUS United States 8->79 51 C:\Users\user\AppData\...\WmiPrvSE.exe, PE32+ 8->51 dropped 53 C:\Users\user\AppData\Local\...\~dfrgui.exe, PE32+ 8->53 dropped 55 C:\Users\user\AppData\Local\...\DwmCache.bin, PE32+ 8->55 dropped 57 2 other malicious files 8->57 dropped 95 Creates / moves files in alternative data streams (ADS) 8->95 97 Contains functionality to hide user accounts 8->97 19 cmd.exe 1 8->19         started        22 DwmCache.bin 1 8->22         started        25 cmd.exe 1 8->25         started        33 2 other processes 8->33 99 Tries to harvest and steal browser information (history, passwords, etc) 13->99 27 DwmCache.bin 1 13->27         started        29 cmd.exe 13->29         started        35 3 other processes 13->35 101 Multi AV Scanner detection for dropped file 15->101 31 conhost.exe 15->31         started        37 2 other processes 17->37 file6 signatures7 process8 dnsIp9 91 Uses schtasks.exe or at.exe to add and modify task schedules 19->91 93 Potential Privilege Escalation using Task Scheduler highest RunLevel 19->93 39 schtasks.exe 1 19->39         started        65 api.trycloudflare.com 104.16.231.132, 443, 49697, 49711 CLOUDFLARENET-CloudflareIncUS Canada 22->65 67 api.cloudflare.com 104.19.192.174, 443, 49703, 49715 CLOUDFLARENET-CloudflareIncUS Canada 22->67 73 4 other IPs or domains 22->73 41 conhost.exe 22->41         started        43 schtasks.exe 1 25->43         started        69 198.41.192.57, 61961, 7844 CLOUDFLARENET-CloudflareIncUS Canada 27->69 71 198.41.192.67, 49712, 61959, 7844 CLOUDFLARENET-CloudflareIncUS Canada 27->71 75 2 other IPs or domains 27->75 45 conhost.exe 27->45         started        47 schtasks.exe 1 29->47         started        49 schtasks.exe 1 35->49         started        signatures10 process11
Gathering data
Threat name:
Win64.Trojan.Znyonm
Status:
Malicious
First seen:
2026-07-10 07:35:07 UTC
File Type:
PE+ (Exe)
Extracted files:
8
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
defense_evasion execution persistence spyware stealer trojan
Behaviour
Disables Windows logging functionality
Modifies system certificate store
NTFS ADS
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Adds Run key to start application
Executes dropped EXE
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Base64_decoding
Author:iam-py-test
Description:Detect scripts which are decoding base64 encoded data (mainly Python, may apply to other languages)
Rule name:CMD_Ping_Localhost
Rule name:CMD_Shutdown
Author:adm1n_usa32
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:detect_powershell
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:dgaaga
Author:Harshit
Description:Detects suspicious PowerShell or registry activity
Rule name:Disable_Defender
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:dsc
Author:Aaron DeVera
Description:Discord domains
Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:grakate_stealer_nov_2021
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:kill_explorer
Author:iam-py-test
Description:Detect files killing explorer.exe
Rule name:meth_stackstrings
Author:Willi Ballenthin
Rule name:pe_detect_tls_callbacks
Rule name:RANSOMWARE
Author:ToroGuitar
Rule name:skip20_sqllang_hook
Author:Mathieu Tartare <mathieu.tartare@eset.com>
Description:YARA rule to detect if a sqllang.dll version is targeted by skip-2.0. Each byte pattern corresponds to a function hooked by skip-2.0. If $1_0 or $1_1 match, it is probably targeted as it corresponds to the hook responsible for bypassing the authentication.
Reference:https://www.welivesecurity.com/
Rule name:Suspicious_Process
Author:Security Research Team
Description:Suspicious process creation
Rule name:SUSP_XORed_Mozilla_Oct19
Author:Florian Roth
Description:Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()
Rule name:SUSP_XORed_Mozilla_RID2DB4
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:SUSP_XORed_MSDOS_Stub_Message
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:Sus_All_Windows_PE_Malware
Author:DiegoAnalytics
Description:Detects Windows PE malware of all types, avoids non-executables like .html
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Author:vietdx.mb
Rule name:TelegramAPIMalware_PowerShell_EXE
Author:@polygonben
Description:Hunting for pwsh malware using Telegram for C2
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments