MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87acbf20df04543b13f16c96ecb3fc535199de6b8bc0309ed45859cb72410099. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NWHStealer
Vendor detections: 9

SHA256 hash: 87acbf20df04543b13f16c96ecb3fc535199de6b8bc0309ed45859cb72410099
SHA3-384 hash: 1cf58d0a515e40aa15a33e63d2e800792fab80ea2b869d5b490824cb6cdd6799720e24d80d98660de5ec271d0530d208
SHA1 hash: b569880a4b6ee0e37ba68f81b8adf88b08ae1709
MD5 hash: a52883d6dd685c52ec8d2f27ee0f89f1
humanhash: ack-uranus-neptune-purple
File name: Spectra_Menu.zip
Signature: NWHStealer
File size: 41'694'700 bytes
First seen: 2026-06-09 12:18:33 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep: 786432:l5D0FRcReTgC5Yh9MVd7nOPBZyOSL3vZrYzZ8qOq3Wa56mN1jwJFy0I:lx0k0ni9Kd7oElbCzZ8qOq3Wat1WJI
TLSH: T1DC9733E9C8662B5EE1AFD8364370D8B4C65F55F28B83C92AB85625CE04C33D5F9AC443
Magika: zip
Reporter: burger
Tags: NWHStealer zip

Intelligence

File Origin
# of uploads: 1
# of downloads: 69
Origin country: DE
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name: Spectra_Menu.exe
File size: 117'394'944 bytes
SHA256 hash: a996df23ab163ad00ce7cce01a632b5f57501801c145372586b111dc0aa5d466
MD5 hash: 1b225306ab3e903e2d704434896cd9ba
MIME type: application/x-dosexec
Signature: NWHStealer
Vendor Threat Intelligence

Verdict: Malicious
Score: 90.2%
Tags: obfuscate shell sage

Result
Verdict: Malicious
File Type: ZIP File - Malicious
Behaviour: SuspiciousEmbeddedObjects detected

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: adaptive-context anti-debug crypto fingerprint obfuscated overlay packed reconnaissance rust
Threat name: Win64.Trojan.Ravartar
Status: Malicious
First seen: 2026-06-09 12:27:03 UTC
File Type: Binary (Archive)
Extracted files: 17
AV detection: 9 of 24 (37.50%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: execution
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Command and Scripting Interpreter: PowerShell

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: upxHook
Author: @r3dbU7z
Description: Detect artifacts from 'upxHook' - modification of UPX packer
Reference: https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.
