MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c4dcfb61f7192b5168fe51bd03edd4d64728d2cf4a5fbb153ec67c9425a97ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7c4dcfb61f7192b5168fe51bd03edd4d64728d2cf4a5fbb153ec67c9425a97ea
SHA3-384 hash: 7a79e46ba9460de3e3f935f374c5d7e0adfcacb103d0c1694644d515865637ab4d3115fe97ced6aa55c6fe9a875b82b7
SHA1 hash: 1ba1a4c7dbf6ec02854fc084f4443624760a3b03
MD5 hash: 065b3bffbde91466dee61d6bc6b79b86
humanhash: alabama-bluebird-paris-lactose
File name:065b3bffbde91466dee61d6bc6b79b86.exe
Download: download sample
File size:2'411'490 bytes
First seen:2026-04-06 10:11:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 88016fcdef7f227c62171d0afad9aae4 (8 x OffLoader, 8 x ValleyRAT, 3 x Gh0stRAT)
ssdeep 49152:RuI2h3HOOwTdyFyun/ggS76zvJO5WImt0XDR6KG4VqYqY:R5O2TdGX/gL7kBO5WIw0XDR6Pkth
Threatray 443 similar samples on MalwareBazaar
TLSH T1DEB5E03BF28BA53EE06A1A3A7A72E110543B7A2165164C1696ECF48CCF355701E3F787
TrID 50.8% (.EXE) Inno Setup installer (107240/4/30)
20.4% (.EXE) InstallShield setup (43053/19/16)
19.7% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
3.0% (.EXE) Win64 Executable (generic) (6522/11/2)
2.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 5050d270cccc82ae (112 x Adware.Generic, 73 x OffLoader, 43 x LummaStealer)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
120
Origin country :
SE SE
Vendor Threat Intelligence
Gathering data
Malware family:
n/a
ID:
1
File name:
065b3bffbde91466dee61d6bc6b79b86.exe
Verdict:
Malicious activity
Analysis date:
2026-04-06 10:11:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c07104bc-cfb4-4735-83f0-f5dd1740cdb5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/60592/
Detection(s):
SecuriteInfo.com.Trojan.Siggen32.31709.12377.8649.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69d386c36a61012f6acf4f21
Tags:
shellcode dropper delphi shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Moving a file to the %temp% subdirectory
Creating a process with a hidden window
Launching a service
Searching for the window
Connecting to a non-recommended domain
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug embarcadero_delphi fingerprint inno installer installer installer-heuristic packed powershell rshell soft-404
Link:
https://www.filescan.io/uploads/69d386c12346b9da57c0fe9e/reports/ab964ac1-1248-4e9f-85b2-33b4605c2cbf/overview
Verdict:
Malicious
Labled as:
PowerShell_ReverseShell_UW_trojan
Link:
https://www.hybrid-analysis.com/sample/7c4dcfb61f7192b5168fe51bd03edd4d64728d2cf4a5fbb153ec67c9425a97ea
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-03-28T06:48:00Z UTC
Last seen:
2026-04-07T23:45:00Z UTC
Hits:
~10
Detections:
Trojan.PowerShell.Persik.sbr Trojan.MSIL.Dnoper.sb HEUR:Backdoor.PowerShell.RShell.gen
Link:
https://opentip.kaspersky.com/7c4dcfb61f7192b5168fe51bd03edd4d64728d2cf4a5fbb153ec67c9425a97ea/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6504ddf7-65f9-4534-bdf7-2e0fe7c8a69f
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1893935
Signature
Bypasses PowerShell execution policy
Creates autostart registry keys with suspicious values (likely registry only malware)
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Sigma detected: Potentially Suspicious Malware Callback Communication
Suspicious powershell command line found
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1893935 Sample: XoIMOKzfye.exe Startdate: 06/04/2026 Architecture: WINDOWS Score: 68 43 Multi AV Scanner detection for submitted file 2->43 45 Suspicious powershell command line found 2->45 47 Sigma detected: Potentially Suspicious Malware Callback Communication 2->47 49 Joe Sandbox ML detected suspicious sample 2->49 8 XoIMOKzfye.exe 2 2->8         started        11 powershell.exe 19 2->11         started        13 powershell.exe 2->13         started        process3 file4 29 C:\Users\user\AppData\...\XoIMOKzfye.tmp, PE32 8->29 dropped 15 XoIMOKzfye.tmp 21 13 8->15         started        19 conhost.exe 11->19         started        21 conhost.exe 13->21         started        process5 file6 31 C:\Users\user\AppData\...\unins000.exe (copy), PE32 15->31 dropped 33 C:\Users\user\AppData\...\is-ECNKZC86EG.tmp, PE32 15->33 dropped 35 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 15->35 dropped 39 Suspicious powershell command line found 15->39 41 Bypasses PowerShell execution policy 15->41 23 powershell.exe 1 18 15->23         started        signatures7 process8 dnsIp9 37 185.196.9.249, 4444 SIMPLECARRIERCH Switzerland 23->37 51 Creates autostart registry keys with suspicious values (likely registry only malware) 23->51 27 conhost.exe 23->27         started        signatures10 process11
Score:
80%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7c4dcfb61f7192b5168fe51bd03edd4d64728d2cf4a5fbb153ec67c9425a97ea
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/065b3bffbde91466dee61d6bc6b79b86
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7c4dcfb61f7192b5168fe51bd03edd4d64728d2cf4a5fbb153ec67c9425a97ea/
Verdict:
Malicious
Threat:
Trojan.PowerShell.Persik
Link:
https://tip.neiki.dev/file/7c4dcfb61f7192b5168fe51bd03edd4d64728d2cf4a5fbb153ec67c9425a97ea
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2026-03-28 11:35:19 UTC
File Type:
PE (Exe)
AV detection:
19 of 38 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=prg47nq7ogjlkfup4un5apw5jvshfdjm6ss7xmkt5rt4sqs2s7va._file
Verdict:
malicious
Label(s):
shellcode_loader_008
Create hunting rule
Similar samples:
13bb558ff08190a0a8f945dcddb1e1e52b5b991cb99aeac5a44c8a5f5f642f3a
3187d7d38c47124e360db6441709c1a6ce0617a06cd02668399ec053e60aeb8c
399b4fb4ea821746e67e38b985186417e647b2574e12279553b3014538bdba92
6d9cbd7fbf5a266760ff49defe0d47546b035fe1a31ebb134e28a3364b82a84e
71f7f0e2f384415cef81e600040bcb40aca574c873c813e8b35589a44f6ab6e8
74548adc0158b704c0776920cf0f8cfc2c3022b2cae56b5aae239d70df1f7d7f
b34ad2bcea2f7e3459975747fa3e44fe958cad413bc5e45768bcbf86cf505fa2
b3d22961a7a4783fa58d8c8fd6f3651c91ae623b4b082a0e8a3b3addc5bfb575
d2a282349a21657ff3ef519af65211f632f061049f83554ac6c6bc56f6aa0925
error
f25743da00820fa4f4870ce100d28caf7c1e12ded844c4118dbfc77c2aff7319
+ 433 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution installer persistence
Link:
https://tria.ge/reports/260406-l71z2sat2t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Inno Setup is an open-source installation builder for Windows applications.
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Adds Run key to start application
Checks installed software on the system
Executes dropped EXE
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Unpacked files
SH256 hash:
7c4dcfb61f7192b5168fe51bd03edd4d64728d2cf4a5fbb153ec67c9425a97ea
MD5 hash:
065b3bffbde91466dee61d6bc6b79b86
SHA1 hash:
1ba1a4c7dbf6ec02854fc084f4443624760a3b03
Link:
https://www.unpac.me/results/bbd54ae2-a075-4e1e-9ac9-fe073c67e873/
SH256 hash:
5a86178d483ff4116c63487f8f45e2a5f4ad0837f89c1992c421e2c362c4896a
MD5 hash:
fe92b75f4b6dedf3f1611148339ed5c2
SHA1 hash:
2b8f1dac59f6c8f0324fed59f97421fd511f8682
Link:
https://www.unpac.me/results/bbd54ae2-a075-4e1e-9ac9-fe073c67e873/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7c4dcfb61f7192b5168fe51bd03edd4d64728d2cf4a5fbb153ec67c9425a97ea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/60592/

Comments