MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7fce08e61518e3a04997cb74997a310a39279b6f80f2f288075009caa213456c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 14


Intelligence 14 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7fce08e61518e3a04997cb74997a310a39279b6f80f2f288075009caa213456c
SHA3-384 hash: 051b6c59770b03faae742f4aeb2d5fc5b4b5f4e8f0d60df8fd8931e7498b5f9dc3a54a043e4762ffed16726f0a256529
SHA1 hash: c475e1f824e261a7689d0ecc792f9a7bb978dda7
MD5 hash: 99444850631d4614f5861b3edc6e37d3
humanhash: bakerloo-river-twelve-aspen
File name:file
Download: download sample
File size:369'664 bytes
First seen:2026-01-22 23:01:24 UTC
Last seen:2026-01-23 02:01:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c546646952cb160243a67da7651da44c
ssdeep 6144:eni0XVm8I9UHlLjlHyAACrXdCdEVvnRS3OngbCpiHCHa7xZ:eni0vI9UHdPzrXdCdE/SengbCp8k
TLSH T141746C46BBA518F9E577863CC9534A06D7B2BC660760DBDF03A046960F277E08E3DB21
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Bitsight
Tags:dropped-by-Stealc exe zobpx


Avatar
Bitsight
url: http://196.251.107.61/Loader.exe

Intelligence

File Origin
# of uploads :
7
# of downloads :
133
Origin country :
US US
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/be652ea2-587e-4814-82bb-f4b000ff3879/
Malware family:
n/a
ID:
1
File name:
Loader.exe
Verdict:
Malicious activity
Analysis date:
2026-01-22 16:26:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7179f47e-df25-4555-a0d4-0d07ce76d479

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/49816/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6972ac5cbcad3327ec07d348
Tags:
autorun emotet
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug anti-vm clipbanker exploit explorer lolbin microsoft_visual_cc schtasks
Link:
https://www.filescan.io/uploads/6972ac5855805a763ff1408f/reports/d40f9d2a-ccb4-49aa-8284-5294f7d8944a/overview
Verdict:
Malicious
Labled as:
Trojan.Loader.Marte.6.Generic
Link:
https://www.hybrid-analysis.com/sample/7fce08e61518e3a04997cb74997a310a39279b6f80f2f288075009caa213456c
Result
Gathering data
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-01-22T16:15:00Z UTC
Last seen:
2026-01-22T19:41:00Z UTC
Hits:
~10
Detections:
PDM:Trojan.Win32.Generic Backdoor.Win32.Androm Trojan.Win32.Agent.sb Trojan-Dropper.Win32.Injector.sb Trojan-Banker.Win32.ClipBanker.sb Trojan-Banker.Win32.ClipBanker.ahha
Link:
https://opentip.kaspersky.com/7fce08e61518e3a04997cb74997a310a39279b6f80f2f288075009caa213456c/results?tab=lookup
Malware family:
MuddyWater
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bfbe2d24-d25a-493e-8338-eee93e00ce5a
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7fce08e61518e3a04997cb74997a310a39279b6f80f2f288075009caa213456c
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/99444850631d4614f5861b3edc6e37d3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7fce08e61518e3a04997cb74997a310a39279b6f80f2f288075009caa213456c/
Verdict:
Malicious
Threat:
Trojan-Banker.Win32.ClipBanker
Link:
https://tip.neiki.dev/file/7fce08e61518e3a04997cb74997a310a39279b6f80f2f288075009caa213456c
Threat name:
Win64.Infostealer.ClipBanker
Create hunting rule
Status:
Malicious
First seen:
2026-01-22 18:40:03 UTC
File Type:
PE+ (Exe)
Extracted files:
2
AV detection:
21 of 36 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p7harzqvddr2asmxzn2js6rrbi4spg3pqdzpfcahkae4viqtivwa._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
execution persistence
Link:
https://tria.ge/reports/260122-2zth1ahs2b/
Behaviour
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Unpacked files
SH256 hash:
7fce08e61518e3a04997cb74997a310a39279b6f80f2f288075009caa213456c
MD5 hash:
99444850631d4614f5861b3edc6e37d3
SHA1 hash:
c475e1f824e261a7689d0ecc792f9a7bb978dda7
Link:
https://www.unpac.me/results/76a0da81-a426-4f90-aeeb-c8147c865250/
SH256 hash:
f4bb5c357a626d4ceb939ab31b2768bcdc2b56f73ad90ce1202cb1ac699d5847
MD5 hash:
12bf7b851ac14dbf9f693f280058ded6
SHA1 hash:
5ba33045ab201e90086b30da870d31a482c6f2e7
Detections:
ReflectiveLoader
Create hunting rule
INDICATOR_SUSPICIOUS_ReflectiveLoader
Create hunting rule
Link:
https://www.unpac.me/results/76a0da81-a426-4f90-aeeb-c8147c865250/
Parent samples :
13ce5c118a3fbf487bafcabed33baf036c4d52cf9d86aa96ee5b3fd12b466d6d
423b1dbb76e3a758ea0af0729c743f37379be98e05e5cc5e79b9fa97b6c84e38
7fce08e61518e3a04997cb74997a310a39279b6f80f2f288075009caa213456c
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7fce08e61518/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7fce08e61518e3a04997cb74997a310a39279b6f80f2f288075009caa213456c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_ReflectiveLoader
Create hunting rule
Author:ditekSHen
Description:Detects Reflective DLL injection artifacts
Rule name:ReflectiveLoader
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 7fce08e61518e3a04997cb74997a310a39279b6f80f2f288075009caa213456c

(this sample)

  
Dropped by
StealC
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3762302/
Cape
Cape
https://www.capesandbox.com/analysis/49816/

Comments