MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7cf95589f72ad91e88eb9abb8e6966394f5b89789d66b862cf1346267cf0d471. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MilleniumRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7cf95589f72ad91e88eb9abb8e6966394f5b89789d66b862cf1346267cf0d471
SHA3-384 hash: 5bd94da3874ae9f472ca71e2b7c4d4283ab989468052c122db2db05d9e2f3977965ce43e1dff24ab55f4198b7bd53be3
SHA1 hash: c6d11e7d9ac9a18127c45f48377f2347e9226838
MD5 hash: ca1498ca9632613bb40e0673971fc66e
humanhash: fifteen-wyoming-shade-muppet
File name:file
Download: download sample
Signature MilleniumRAT
Create hunting rule
File size:2'736'640 bytes
First seen:2025-10-08 04:04:43 UTC
Last seen:2025-10-08 04:04:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e036611c05048ce1b230596686eabd36 (2 x MilleniumRAT)
ssdeep 49152:4ihHWnY9x7JuNX5xKMsvGxvzmGGCz4OErluIwexcwBWKCHSUqn7S96cD/:HqY9xspKaFz7GUiclKv7
Threatray 12 similar samples on MalwareBazaar
TLSH T1E8C59E21F782D0B2E4D201B165BE6BFB5D787635633584CBE3C01E6A59205C27A3BB1B
TrID 40.3% (.EXE) Win64 Executable (generic) (10522/11/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe MilleniumRAT


Avatar
Bitsight
url: http://178.16.55.189/files/7354298053/XHl5pZ8.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
81
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7cf95589f72ad91e88eb9abb8e6966394f5b89789d66b862cf1346267cf0d471.bin.exe
Verdict:
Malicious activity
Analysis date:
2025-10-08 01:35:04 UTC
Tags:
telegram github evasion stealer milleniumrat rat ims-api generic
Link:
https://app.any.run/tasks/33848b8d-342c-4754-8648-6e87bb3e9aad

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/31080/
Detection(s):
no reply from clamd
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68e5e324277c2bd8bc5db7f2
Tags:
infosteal dropper smtp remo
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Setting a keyboard event handler
Creating a window
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug anti-vm cmd crypto expand fingerprint hacktool keylogger lolbin microsoft_visual_cc obfuscated remote threat
Link:
https://www.filescan.io/uploads/68e5e356c74bd2958b1699b9/reports/d7fb3352-f0cb-493d-b2e5-27d1d50e34e3/overview
Verdict:
Malicious
Labled as:
Mint.SP.Sneaky.Generic
Link:
https://www.hybrid-analysis.com/sample/7cf95589f72ad91e88eb9abb8e6966394f5b89789d66b862cf1346267cf0d471
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-07T22:28:00Z UTC
Last seen:
2025-10-09T22:42:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/7cf95589f72ad91e88eb9abb8e6966394f5b89789d66b862cf1346267cf0d471/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/97751283-542b-4d7b-8141-7aad8d1dff72
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7cf95589f72ad91e88eb9abb8e6966394f5b89789d66b862cf1346267cf0d471
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/ca1498ca9632613bb40e0673971fc66e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7cf95589f72ad91e88eb9abb8e6966394f5b89789d66b862cf1346267cf0d471/
Verdict:
Malicious
Threat:
Family.MILLENIUMRAT
Link:
https://tip.neiki.dev/file/7cf95589f72ad91e88eb9abb8e6966394f5b89789d66b862cf1346267cf0d471
Threat name:
Win32.Trojan.MintSneaky
Create hunting rule
Status:
Malicious
First seen:
2025-10-08 01:35:06 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pt4vlcpxflmr5chltk5y42lghfhvxclytvtlqywpcndcm7hq2ryq._file
Verdict:
malicious
Label(s):
milleniumrat
Create hunting rule
Similar samples:
307964ed02f34bff4e40c5402cc936be07fd9957ef400596a4b3e2cd98c50ec1
MilleniumRAT
512adab2c69feaf026adfb12cbd7d2eb4fee746120491e44f476eebddcbb19f2
MilleniumRAT
73607f1799be5facd81d484fa6b1f6518378037ef16c32eaa0c562ff49c1e0b5
MilleniumRAT
7cf95589f72ad91e88eb9abb8e6966394f5b89789d66b862cf1346267cf0d471
MilleniumRAT
8500031515804d9e9ec98f65c5925fbc553990abb4ef731ec112d6f2a13ee48e
MilleniumRAT
cc281b7871968c193e8d780f7f0da0faeb1ed8613cbf10f937432128b3584b20
MilleniumRAT
error
MilleniumRAT
+ 2 additional samples on MalwareBazaar
Result
Malware family:
milleniumrat
Create hunting rule
Score:
  10/10
Tags:
family:milleniumrat defense_evasion discovery rat stealer
Link:
https://tria.ge/reports/251008-epewja1zey/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Deletes itself
Executes dropped EXE
Detects MilleniumRAT stealer
MilleniumRat
Milleniumrat family
Verdict:
Malicious
Tags:
Win.Malware.Zusy-9774083-0 External_IP_Lookup
YARA:
n/a
Link:
https://app.threat.zone/submission/328ab94a-a391-41a8-9fab-6c22a925377e
Unpacked files
SH256 hash:
7cf95589f72ad91e88eb9abb8e6966394f5b89789d66b862cf1346267cf0d471
MD5 hash:
ca1498ca9632613bb40e0673971fc66e
SHA1 hash:
c6d11e7d9ac9a18127c45f48377f2347e9226838
Link:
https://www.unpac.me/results/caca3f8a-5278-46dd-a080-f34151fad570/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7cf95589f72ad91e88eb9abb8e6966394f5b89789d66b862cf1346267cf0d471

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames
Create hunting rule
Author:ditekSHen
Description:Detects executables containing possible sandbox analysis VM names
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
Author:ditekSHen
Description:Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
Create hunting rule
Author:ditekSHen
Description:Detects executables containing possible sandbox analysis VM usernames
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:Macos_Infostealer_Wallets_8e469ea0
Create hunting rule
Author:Elastic Security
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:WIN_WebSocket_Base64_C2_20250726
Create hunting rule
Author:dogsafetyforeverone
Description:Detects configuration strings used by malware to specify WebSocket command-and-control endpoints inside Base64-encoded data. It looks for prefixes such as '#ws://' or '#wss://' that were found in QuasarRAT configuration data.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MilleniumRAT

Executable exe 7cf95589f72ad91e88eb9abb8e6966394f5b89789d66b862cf1346267cf0d471

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3662831/
Cape
Cape
https://www.capesandbox.com/analysis/31080/

Comments