MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ec413c20e1c9623828ea1ada49a15a5cd1e451cfaa43def7464cb29d6788208. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA 8 File information Comments

SHA256 hash: 7ec413c20e1c9623828ea1ada49a15a5cd1e451cfaa43def7464cb29d6788208
SHA3-384 hash: 68b422ad2389c883e71fb7520b0bfa4902a343b6dc66c3b2375de18dc68ee30bf2d422e9cc0a3e675dd78d8e432b1c69
SHA1 hash: f711c1fecf6c0c4166c6a2e4e3dc6912570a213b
MD5 hash: a5ae212e85445573b2e6737aad442266
humanhash: social-missouri-apart-summer
File name:Y.exe
Download: download sample
File size:1'299'968 bytes
First seen:2026-07-09 16:54:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c5e134cc1c1e4c253962fc1102568c64 (2 x QuasarRAT)
ssdeep 24576:mb6pAEsvf7BUQ12Vzabpd3Gusftzf+usx:cFnf2cplEFz
TLSH T1F8555B2ED6F269C0E0BECCF66D831D658C913F95113C368ED6B0F26245310E269DADA7
TrID 29.5% (.EXE) Win64 Executable (generic) (6522/11/2)
22.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon d0dad216ccccccf0 (2 x QuasarRAT, 1 x ArcStealer, 1 x CoinMiner)
Reporter nanoave
Tags:exe PureHVNC

Intelligence


File Origin
# of uploads :
1
# of downloads :
155
Origin country :
BR BR
Vendor Threat Intelligence
No detections
Malware family:
ID:
1
File name:
TharY.bat
Verdict:
Malicious activity
Analysis date:
2026-07-08 19:31:26 UTC
Tags:
powershell loader exfiltration telegram stealer evasion rat netreactor purehvnc quasar

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Tags:
ransomware asyncrat dropper virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Deleting a recently created file
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Connection attempt
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug dropper installer-heuristic lolbin microsoft_visual_cc overlay reconnaissance schtasks
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-07-09T10:46:00Z UTC
Last seen:
2026-07-10T19:27:00Z UTC
Hits:
~100
Detections:
PDM:Trojan.Win32.Generic VHO:Backdoor.MSIL.AsyncRat.gen UDS:DangerousObject.Multi.Generic Trojan.Win64.Agent.gen Trojan.Win32.AntiAV.sb Trojan.Win32.AntiAV.dedw VHO:Trojan.Win32.AntiAV.gen
Gathering data
Threat name:
Win64.Trojan.Yogi
Status:
Malicious
First seen:
2026-07-09 15:35:13 UTC
File Type:
PE+ (Exe)
Extracted files:
27
AV detection:
17 of 36 (47.22%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence privilege_escalation
Behaviour
Modifies registry class
Uses Task Scheduler COM API
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Unpacked files
SH256 hash:
7ec413c20e1c9623828ea1ada49a15a5cd1e451cfaa43def7464cb29d6788208
MD5 hash:
a5ae212e85445573b2e6737aad442266
SHA1 hash:
f711c1fecf6c0c4166c6a2e4e3dc6912570a213b
SH256 hash:
02456a6bc11701964672e29d5e55ec353d80c0c76ee9d489acb76c7b8fc2115c
MD5 hash:
8f05193e1a66a9dffb950ad60bca213e
SHA1 hash:
b32a4e36b1f5059931ca95a1da5a7e6bcf9aa8a1
SH256 hash:
15e2bb9e5f127cf4837bb2c071b63d4af3767e78d594e888355eee9d2b3512c8
MD5 hash:
f209b761bcdbfd28751f83f0f46f83fd
SHA1 hash:
870d6181f4e501afcc45d682c70f94e88237ce98
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:NET
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Rule name:SEH__vectored
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:ThreadControl__Context
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:VECT_Ransomware
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 7ec413c20e1c9623828ea1ada49a15a5cd1e451cfaa43def7464cb29d6788208

(this sample)

Comments