MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76ce868070736ac809d226566bb87b76d90058309c91d16718e19588e434bf84. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


KatzStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 76ce868070736ac809d226566bb87b76d90058309c91d16718e19588e434bf84
SHA3-384 hash: 7258c3b15212cd772a646ac70b002a77d9f863c6c38e8e88c8a40208ca5a66366b065eb61b18e61f54799f3fa29a9b3e
SHA1 hash: 5b201f9d85ba26e538b325775ec3317fb9ac673c
MD5 hash: 2511033a79bd3168a854717822ddb053
humanhash: carbon-lake-artist-avocado
File name:76ce868070736ac809d226566bb87b76d90058309c91d16718e19588e434bf84
Download: download sample
Signature KatzStealer
Create hunting rule
File size:23'040 bytes
First seen:2025-05-26 06:03:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3a90af70c37018ecdb98d8b7b5678243 (3 x KatzStealer)
ssdeep 384:v+6HIHL/Jq4vgWGevSyuiWr2I9UkfDZZyXdIOnuWmrTG1Dp6/NN2/O3qQ3L8rjWN:G6oHL/J7nGecCAU42Xq4ft6/NNcSOWxU
TLSH T1FBA2C00F34F61449CF4906778B9AD90E0335EC6BFA17671D17AE187A1F08592CCAA39B
TrID 63.5% (.EXE) UPX compressed Win64 Executable (70117/5/12)
24.5% (.EXE) UPX compressed Win32 Executable (27066/9/6)
4.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.8% (.ICL) Windows Icons Library (generic) (2059/9)
1.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter JAMESWT_WT
Tags:185-107-74-40 exe KatzStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
536
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
76ce868070736ac809d226566bb87b76d90058309c91d16718e19588e434bf84
Verdict:
Malicious activity
Analysis date:
2025-05-26 06:13:41 UTC
Tags:
stealer upx
Link:
https://app.any.run/tasks/ee1726a4-133b-4c97-97f9-4ba733e88eb5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.FileRepMalware.719.21982.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=683405b5acf88f5815e6fa39
Tags:
emotet virus
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Connection attempt
Sending a custom TCP request
Creating a file in the %temp% directory
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug crypto fingerprint overlay packed packed packed packed packer_detected upx
Link:
https://www.filescan.io/uploads/68340468171e01f9592d1635/reports/4d1f90f9-8bf7-4c9e-801d-ce7873fff109/overview
Verdict:
Malicious
Labled as:
Malware_49.0
Link:
https://www.hybrid-analysis.com/sample/76ce868070736ac809d226566bb87b76d90058309c91d16718e19588e434bf84
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c3c652c4-656b-4509-b5d5-4e4068ae4185
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1699029
Signature
Allocates memory in foreign processes
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1699029 Sample: rIlTpjiuE6.exe Startdate: 26/05/2025 Architecture: WINDOWS Score: 80 37 beacons.gvt2.com 2->37 39 beacons.gcp.gvt2.com 2->39 41 beacons-handoff.gcp.gvt2.com 2->41 55 Multi AV Scanner detection for dropped file 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 Connects to many ports of the same IP (likely port scanning) 2->59 10 rIlTpjiuE6.exe 4 2->10         started        signatures3 process4 dnsIp5 53 185.107.74.40, 27016, 49681, 49700 AIREEIPv4RU01UpstreamRTCOMMRU Russian Federation 10->53 33 C:\Users\user\AppData\...\katz_ontop.dll, PE32+ 10->33 dropped 61 Contains functionality to inject threads in other processes 10->61 63 Contains functionality to inject code into remote processes 10->63 65 Writes to foreign memory regions 10->65 67 2 other signatures 10->67 15 chrome.exe 2 10->15         started        17 chrome.exe 4 10->17         started        20 chrome.exe 1 10->20         started        file6 signatures7 process8 dnsIp9 22 chrome.exe 15->22         started        35 192.168.2.7, 138, 27016, 443 unknown unknown 17->35 25 chrome.exe 17->25         started        27 chrome.exe 20->27         started        process10 dnsIp11 43 googlehosted.l.googleusercontent.com 142.250.101.132, 443, 49689, 49703 GOOGLEUS United States 22->43 45 clients2.googleusercontent.com 22->45 29 MpCmdRun.exe 2 22->29         started        47 clients2.googleusercontent.com 25->47 49 beacons.gvt2.com 25->49 51 2 other IPs or domains 25->51 process12 process13 31 conhost.exe 29->31         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/76ce868070736ac809d226566bb87b76d90058309c91d16718e19588e434bf84
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/76ce868070736ac809d226566bb87b76d90058309c91d16718e19588e434bf84/
Threat name:
Win64.Trojan.Malgent
Create hunting rule
Status:
Malicious
First seen:
2025-05-26 06:01:57 UTC
File Type:
PE+ (Exe)
Extracted files:
3
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o3hinadqonvmqcosezlgxod3o3mqawbqtsi5czyy4gkyrzbux6ca._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
upx
Link:
https://tria.ge/reports/250526-gssmxadq8z/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
UPX packed file
Loads dropped DLL
Unpacked files
SH256 hash:
76ce868070736ac809d226566bb87b76d90058309c91d16718e19588e434bf84
MD5 hash:
2511033a79bd3168a854717822ddb053
SHA1 hash:
5b201f9d85ba26e538b325775ec3317fb9ac673c
Link:
https://www.unpac.me/results/148f5801-1178-4472-90eb-603c96a14fa4/
SH256 hash:
b2e91419a0717689ac4c78deb4a8a827d1374f89ca4cb515af42bc1d33dfcca5
MD5 hash:
baf292797b6d10fadb32f4ebcd575587
SHA1 hash:
bbf2a5fdb039366b3f9eca603bf08ae92c43c0ef
Link:
https://www.unpac.me/results/148f5801-1178-4472-90eb-603c96a14fa4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/76ce868070736ac809d226566bb87b76d90058309c91d16718e19588e434bf84

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments