MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85525971efd19082c5838b9afb318d03ca7ae2a9d7ad155aed74e3444b15097e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 13

SHA256 hash: 85525971efd19082c5838b9afb318d03ca7ae2a9d7ad155aed74e3444b15097e
SHA3-384 hash: 317c0008662ffb6dde95de76cfdfcc31609162ff5db21919561ff44da7a02998516d58b6b201a9b354c040321a042e38
SHA1 hash: ff08ef815e2b791e4a68657e932f5e3a97d20853
MD5 hash: a2b489c46247fe3f8e0eb82fee1158ce
humanhash: stairway-beer-solar-blossom
File name: file
File size: 2'353'436 bytes
First seen: 2026-04-01 08:08:39 UTC
Last seen: 2026-04-01 15:03:08 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f6baa5eaa8231d4fe8e922a2e6d240ea (66 x CoinMiner, 22 x DCRat, 15 x LummaStealer)
ssdeep: 49152:IgwRJ9H/VDAthmIR6b8SM/KfbUhm7Y2JX9exSTMoPEfogMncp52xGXbLoA1mf:IgwRLfVsTmm6U89hTifogMn6a4LoX
Threatray: 1 similar samples on MalwareBazaar
TLSH: T10BB52321B6F8C4F0FA6A17B015A5975D0BB9EE15073506C7F3587A82C4BB2C2A73B2D1
TrID: 42.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      16.8% (.EXE) Win64 Executable (generic) (6522/11/2)
      13.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
      11.6% (.EXE) Win32 Executable (generic) (4504/4/1)
      5.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
dhash icon: 68e0c0c4c4c4c4d8 (2 x Mimic, 1 x SalatStealer)
Reporter: Bitsight
Tags: b dropped-by-gcleaner exe MIX7.file


Bitsight
url: http://158.94.209.95/service

Intelligence

File Origin
# of uploads: 8
# of downloads: 123
Origin country: US

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: _85525971efd19082c5838b9afb318d03ca7ae2a9d7ad155aed74e3444b15097e.exe
Verdict: Malicious activity
Analysis date: 2026-04-01 08:10:15 UTC
Tags: auto generic auto-reg everything tool smb ransomware pay2key

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 91.7%
Tags: injection shell sage

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a custom TCP request
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
Creating a file in the Program Files subdirectories
Launching cmd.exe command interpreter
Creating a service
Launching a service
Creating synchronization primitives
Creating a file
Moving a recently created file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Enabling autorun for a service

Verdict: Malicious
File Type: exe x32
First seen: 2026-04-01T07:15:00Z UTC
Last seen: 2026-04-01T15:36:00Z UTC
Hits: ~10
Detections: Trojan.PowerShell.Kriptik.sba Trojan.PowerShell.Cobalt.sb HEUR:Trojan-Ransom.Win32.Generic

Threat name: Win32.Ransomware.Pay2Key
Status: Malicious
First seen: 2026-04-01 08:09:23 UTC
File Type: PE (Exe)
Extracted files: 15
AV detection: 11 of 24 (45.83%)

Threat level: 5/5
Verdict: malicious
Label(s): hacktool_defendnot
Similar samples:

Result
Malware family: n/a
Score: 7/10
Tags: discovery execution upx

Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
UPX packed file
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Executes dropped EXE

Unpacked files
SHA256 hash: 85525971efd19082c5838b9afb318d03ca7ae2a9d7ad155aed74e3444b15097e
MD5 hash: a2b489c46247fe3f8e0eb82fee1158ce
SHA1 hash: ff08ef815e2b791e4a68657e932f5e3a97d20853

SHA256 hash: 1543c03bf6d28c0c1b781e1a53cae84de08654948a240a9b52689352ed0ca58f
MD5 hash: db68031420b3b79b016898c06188eae6
SHA1 hash: 8e29b5f4b5f0edbcfbae11e9686f2b22f24d9cdc

SHA256 hash: c19147ef76676c8a46ce63916d2dd41a85942c534473a9667fff2a31e74e027d
MD5 hash: abe32854ecf85e6747cb26955400d822
SHA1 hash: 54d63a738445f5923bbe4137e295b08e5648018d

SHA256 hash: b6301160d2cceb9df1bb2d0548d65c31ecc38b694fa5efe67899935f19870fce
MD5 hash: 46857dedd8ea45006ec3ebff24739f8b
SHA1 hash: 47bd7d9f2eb13d178327769b964043887258390e

SHA256 hash: f457b1cb1b146ab07117e34dc50881ef787946a0311467d82469fdaa3e54884c
MD5 hash: 52b7073101ce2f83c85ed698f1ee0445
SHA1 hash: cd2f016c79de7d4bf20d1366cc9483b610b4ffc2

SHA256 hash: e273a05ae99bbf547c5f7fc0d027c416eeabe1829a8ece661f587d6d8965f8b7
MD5 hash: 91c0d86df5a6c28167839ba56c83288c
SHA1 hash: 2d2f65d854edfc55ab75dd4babf6e920a8573f48
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author: CYFARE
Description: Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference: https://cyfare.net/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  Executable exe 85525971efd19082c5838b9afb318d03ca7ae2a9d7ad155aed74e3444b15097e (this sample)
  Dropped by: Gcleaner
  Delivery method: Distributed via web download