MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 896bef4e98ed08d2fec7b0b9352ae0a8a506c2d906502603ee5bbf3ff0902256. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 896bef4e98ed08d2fec7b0b9352ae0a8a506c2d906502603ee5bbf3ff0902256
SHA3-384 hash: 1af397b7417e5c9273d3a371acaa4f3825f42c60306ba4bace7a4dda136be0a1d635207bd2d938242a2b049d7837bbb1
SHA1 hash: 0945fa518aeb5cb2abf1dca780b3a6774e4c068f
MD5 hash: 6d616fb98cc456857c823224452dfd6f
humanhash: vermont-island-snake-carolina
File name:root3.exe
Download: download sample
File size:11'598'289 bytes
First seen:2025-08-22 18:19:52 UTC
Last seen:2025-12-03 17:45:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 33742414196e45b8b306a928e178f844 (16 x Efimer, 5 x BlankGrabber, 4 x XWorm)
ssdeep 196608:fDv8ZdJIqdQmR8dA6luA8Qnf2ODjMnGydSdSEPswxKcZedWOBWIDaavE2uzYhZWx:TqdJIqdQJluIF3MnG30OZ0UedW0paazC
TLSH T1C8C633C5B7A40CD6E99A4039C047D528EB32BD524FA0C73B47F49F9A1E4B690293EF94
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
dhash icon aebc385c4ce0e8f8 (10 x PythonStealer, 7 x RedLineStealer, 7 x DCRat)
Reporter aachum
Tags:cherry41 exe


Avatar
iamaachum
http://178.236.252.150/v1313/cmake.zip

Intelligence

File Origin
# of uploads :
2
# of downloads :
41
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
xmrig
Create hunting rule
ID:
1
File name:
KMSAuto++ Portable v1.6.5.exe
Verdict:
Malicious activity
Analysis date:
2025-08-22 18:00:03 UTC
Tags:
python anti-evasion miner winring0-sys vuln-driver stealer themida xor-url upx generic lumma xmrig rhadamanthys
Link:
https://app.any.run/tasks/e4e988b6-e0ea-455e-8178-cf286f488a58

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/23072/
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68a8b50ce9d9dbcfd96d2484
Tags:
installer virus sage
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Creating a window
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
expand lolbin microsoft_visual_cc overlay overlay packed packed pyinstaller pyinstaller python threat
Link:
https://www.filescan.io/uploads/68a8b5104a87ed7967688820/reports/0c33c385-5aa9-42c5-8f43-a6093489cdb4/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/896bef4e98ed08d2fec7b0b9352ae0a8a506c2d906502603ee5bbf3ff0902256
Verdict:
Clean
File Type:
exe x64
First seen:
2025-08-14T09:14:00Z UTC
Last seen:
2025-08-14T09:14:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/896bef4e98ed08d2fec7b0b9352ae0a8a506c2d906502603ee5bbf3ff0902256/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/848d83ba-8261-4abf-ac11-77d3efc6558e
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1763184
Signature
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Self deletion via cmd or bat file
Sigma detected: Suspicious Ping/Del Command Combination
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1763184 Sample: root3.exe Startdate: 22/08/2025 Architecture: WINDOWS Score: 68 39 Multi AV Scanner detection for submitted file 2->39 41 Sigma detected: Suspicious Ping/Del Command Combination 2->41 9 root3.exe 93 2->9         started        process3 file4 29 C:\Users\user\AppData\...\win32crypt.pyd, PE32+ 9->29 dropped 31 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 9->31 dropped 33 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32+ 9->33 dropped 35 60 other files (none is malicious) 9->35 dropped 49 Self deletion via cmd or bat file 9->49 51 Potentially malicious time measurement code found 9->51 13 root3.exe 1 9->13         started        16 conhost.exe 9->16         started        signatures5 process6 signatures7 53 Self deletion via cmd or bat file 13->53 18 cmd.exe 1 13->18         started        process8 signatures9 43 Uses ping.exe to sleep 18->43 45 Uses ping.exe to check the status of other devices and networks 18->45 21 cmd.exe 1 18->21         started        24 conhost.exe 18->24         started        process10 signatures11 47 Uses ping.exe to sleep 21->47 26 PING.EXE 1 21->26         started        process12 dnsIp13 37 127.0.0.1 unknown unknown 26->37
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/896bef4e98ed08d2fec7b0b9352ae0a8a506c2d906502603ee5bbf3ff0902256
Verdict:
inconclusive
YARA:
3 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/6d616fb98cc456857c823224452dfd6f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/896bef4e98ed08d2fec7b0b9352ae0a8a506c2d906502603ee5bbf3ff0902256/
Threat name:
Win64.Trojan.Yomal
Create hunting rule
Status:
Malicious
First seen:
2025-08-13 23:17:10 UTC
File Type:
PE+ (Exe)
Extracted files:
1106
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rfv66tuy5uenf7whwc4tkkxavcsqnqwzazicma7olo7t74eqejla._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery pyinstaller
Link:
https://tria.ge/reports/250822-wy6t2sck2y/
Behaviour
Runs ping.exe
Suspicious use of WriteProcessMemory
System Network Configuration Discovery: Internet Connection Discovery
Loads dropped DLL
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/454de378-f679-4cc2-ad64-6679550391ef
Unpacked files
SH256 hash:
896bef4e98ed08d2fec7b0b9352ae0a8a506c2d906502603ee5bbf3ff0902256
MD5 hash:
6d616fb98cc456857c823224452dfd6f
SHA1 hash:
0945fa518aeb5cb2abf1dca780b3a6774e4c068f
Link:
https://www.unpac.me/results/b1c3b13a-4517-41cf-bb23-0eab01770b12/
SH256 hash:
1758085a61527b427c4380f0c976d29a8bee889f2ac480c356a3f166433bf70e
MD5 hash:
75e78e4bf561031d39f86143753400ff
SHA1 hash:
324c2a99e39f8992459495182677e91656a05206
Link:
https://www.unpac.me/results/b1c3b13a-4517-41cf-bb23-0eab01770b12/
SH256 hash:
074a73db77cbd9a8a1eed34dbfeddcea2d5772d34f8761b94957ae463c9a16ae
MD5 hash:
3d9895aa25e1f493f38f08f4717a0d67
SHA1 hash:
459ed374dd8568c4f364d021c2283fb86c16e0e6
Link:
https://www.unpac.me/results/b1c3b13a-4517-41cf-bb23-0eab01770b12/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/896bef4e98ed08d2fec7b0b9352ae0a8a506c2d906502603ee5bbf3ff0902256

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:dependsonpythonailib
Create hunting rule
Author:Tim Brown
Description:Hunts for dependencies on Python AI libraries
Rule name:Detect_PyInstaller
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PyInstaller compiled executables across platforms
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe bb5ee026e883daa38d01b7f7b8c126a12c4500c472408f9afdb5d4cf1f853ef2

Executable exe 896bef4e98ed08d2fec7b0b9352ae0a8a506c2d906502603ee5bbf3ff0902256

(this sample)

  
Link
https://tria.ge/250822-wtbhcaxpx9/behavioral2
  
Dropped by
SHA256 bb5ee026e883daa38d01b7f7b8c126a12c4500c472408f9afdb5d4cf1f853ef2
  
Delivery method
Distributed via web download
  
Dropped by
MD5 c12970d322b1582a9fba61e47a83ddaa
Cape
Cape
https://www.capesandbox.com/analysis/23072/

Comments