MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ebfa90ecbfeb5d095a5bf131a7c453b9e92bab752ad2b98743d2d9150e13292. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SilentNet


Vendor detections: 11



SHA256 hash: 8ebfa90ecbfeb5d095a5bf131a7c453b9e92bab752ad2b98743d2d9150e13292
SHA3-384 hash: bfbeb813cccfd70aa7e6c8ed535382596dbf824ada6f5dae2ba2c950f922b3a15b75c2b1b40ac3ca2ceedd16dad1fa1d
SHA1 hash: ffda28ba241ae415383a190ee60de20f8db4da8e
MD5 hash: eb7b1d831cec0b6bbdfd02d98d20b33e
humanhash: single-mars-fourteen-two
File name: Launcher.exe
Signature: SilentNet
File size: 1'138'688 bytes
First seen: 2026-06-02 14:44:08 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 73f461c771aef77ec43d53a0c54f0c8d (4 x SilentNet)
ssdeep 12288:BZ+OE4MmD6/Oyspc5EEBBBHGBgzGerwGpvPqItNquB:Bcb4M06WpoPrwqvP3f5
TLSH T19F357C83EBA385D8C156C8B5534FF137F9627C8E4A157196ABC41E633E67B64E22CB00
TrID 51.9% (.EXE) Win64 Executable (generic) (6522/11/2)
16.1% (.EXE) OS/2 Executable (generic) (2029/13)
15.9% (.EXE) Generic Win/DOS Executable (2002/3)
15.9% (.EXE) DOS Executable (generic) (2000/1)
Magika: pebin
Reporter: burger
Tags: exe SilentNet

Intelligence


File Origin
# of uploads :
1
# of downloads :
135
Origin country :
DE
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
Launcher.exe
Verdict:
Malicious activity
Analysis date:
2026-06-01 15:54:36 UTC
Tags:
python arch-exec arch-doc processexplorer tool openssl arch-scr

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
70%
Tags:
malware
Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Delayed reading of the file
DNS request
Connection attempt
Sending a custom TCP request
Launching a process
Creating a file
Moving a recently created file
Deleting a recently created file
Creating a process from a recently created file
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
crypto reconnaissance
Verdict:
Malicious
Labeled as:
Win64/Agent_AGeneric.MCC trojan
Verdict:
Malicious
File Type:
exe x64
Detections:
HEUR:Trojan-Downloader.Win32.Magnar.gen
Result
Threat name:
MicroClip
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Drops PE files with benign system names
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious ZIP file
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Writes many files with high entropy
Writes to foreign memory regions
Yara detected MicroClip
Behaviour
Behavior Graph: ID 1921717, Sample: Launcher.exe, Start date: 02/06/2026, Architecture: WINDOWS, Score: 100
Threat name:
Win64.Trojan.Convagent
Status:
Malicious
First seen:
2026-06-02 14:44:08 UTC
File Type:
PE+ (Exe)
AV detection:
20 of 36 (55.56%)
Threat level:
5/5
Result
Malware family:
n/a
Score:
3/10
Tags:
n/a
Behaviour
Checks processor information in registry
Unpacked files
SHA256 hash:
8ebfa90ecbfeb5d095a5bf131a7c453b9e92bab752ad2b98743d2d9150e13292
MD5 hash:
eb7b1d831cec0b6bbdfd02d98d20b33e
SHA1 hash:
ffda28ba241ae415383a190ee60de20f8db4da8e
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_detect_tls_callbacks

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants

Rule name: VECT_Ransomware
Author: Mustafa Bakhit
Description: Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
