MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90365f2b76c3a4b667e6497f1c975420c917ab2441334d8e3e276ef206e52778. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NovaShadowStealer


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 90365f2b76c3a4b667e6497f1c975420c917ab2441334d8e3e276ef206e52778
SHA3-384 hash: 31cc378fe135a72b894e16bf91c7dbf75a25cb093bdad8004eac9439f32d8b8619a6bbd40d748557818e8447cd667fdf
SHA1 hash: f2e9d1c995c635b08a7f662caf620c881e500b07
MD5 hash: 7303113c03f562ab24608461c1c27f4f
humanhash: lake-fix-timing-echo
File name:dezed.exe
Download: download sample
Signature NovaShadowStealer
Create hunting rule
File size:90'230'344 bytes
First seen:2026-04-10 16:40:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (566 x GuLoader, 121 x RemcosRAT, 82 x EpsilonStealer)
ssdeep 1572864:h4gPXMo9nWjWSV3AHyU9mxR074Lp2cUpJ42UhXJcsqA00F8/2ZQW2xT7:h4AcVCSV3khmPK344fA0+8/oWT7
Threatray 208 similar samples on MalwareBazaar
TLSH T1811833D2865579D3E44EFAB494D5BA262D9BD1804D322CE86F8F305D0D28E10BE2C6F7
TrID 50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.5% (.EXE) Win64 Executable (generic) (6522/11/2)
8.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon b2c4ccccf096d496 (1 x NovaShadowStealer)
Reporter burger
Tags:exe NovaShadow NovaShadowStealer RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
170
Origin country :
SE SE
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/00e94561-2a67-427a-900e-aaa22ccb9a47/
Malware family:
n/a
ID:
1
File name:
dezed.exe
Verdict:
Malicious activity
Analysis date:
2026-04-10 16:40:16 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/08807383-cf7f-400e-a84f-ed096708e1c4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69d927bf6a61012f6ad0ab96
Tags:
vmdetect autorun
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Searching for the window
Sending a custom TCP request
Сreating synchronization primitives
Creating a process from a recently created file
Creating a window
Creating a file
DNS request
Connection attempt
Unauthorized injection to a recently created process
Searching for synchronization primitives
Sending an HTTP GET request
Loading a suspicious library
Running batch commands
Creating a process with a hidden window
Launching the process to interact with network services
Launching a process
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Gathering data
Verdict:
Malicious
Labled as:
QD:Trojan.GenericQ
Link:
https://www.hybrid-analysis.com/sample/90365f2b76c3a4b667e6497f1c975420c917ab2441334d8e3e276ef206e52778
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-04-10T14:16:00Z UTC
Last seen:
2026-04-10T23:54:00Z UTC
Hits:
~100
Detections:
Trojan-GameThief.MSIL.Worgtop.fzv HEUR:Trojan.Python.Agent.gen Trojan-GameThief.Worgtop.HTTP.C&C
Link:
https://opentip.kaspersky.com/90365f2b76c3a4b667e6497f1c975420c917ab2441334d8e3e276ef206e52778/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1896625
Signature
Drops large PE files
Excessive usage of taskkill to terminate processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell creates an autostart link
Queries Google from non browser process on port 80
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Query firmware table information (likely to detect VMs)
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal communication platform credentials (via file / registry access)
Unusual module load detection (module proxying)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1896625 Sample: dezed.exe Startdate: 10/04/2026 Architecture: WINDOWS Score: 100 110 zerdium.com 2->110 112 www.python.org 2->112 114 7 other IPs or domains 2->114 132 Multi AV Scanner detection for submitted file 2->132 134 Sigma detected: New RUN Key Pointing to Suspicious Folder 2->134 136 Sigma detected: Invoke-Obfuscation CLIP+ Launcher 2->136 138 5 other signatures 2->138 10 dezed.exe 216 2->10         started        14 stellarconquest.exe 2->14         started        16 dezed.exe 2->16         started        18 2 other processes 2->18 signatures3 process4 file5 92 C:\Users\user\AppData\Local\...\nsis7z.dll, PE32 10->92 dropped 94 C:\Users\user\AppData\Local\...\System.dll, PE32 10->94 dropped 96 C:\Users\user\AppData\Local\...\vulkan-1.dll, PE32+ 10->96 dropped 102 12 other files (none is malicious) 10->102 dropped 166 Drops large PE files 10->166 20 stellarconquest.exe 29 10->20         started        98 C:\Users\user\AppData\...\stellarconquest.exe, PE32+ 14->98 dropped 104 2 other files (none is malicious) 14->104 dropped 168 Tries to harvest and steal browser information (history, passwords, etc) 14->168 25 cmd.exe 14->25         started        27 cmd.exe 14->27         started        29 cmd.exe 14->29         started        39 15 other processes 14->39 100 C:\Users\user\AppData\Local\...\nsis7z.dll, PE32 16->100 dropped 106 12 other files (none is malicious) 16->106 dropped 170 Multi AV Scanner detection for dropped file 16->170 108 2 other files (none is malicious) 18->108 dropped 31 stellarconquest.exe 18->31         started        33 stellarconquest.exe 18->33         started        35 stellarconquest.exe 18->35         started        37 stellarconquest.exe 18->37         started        signatures6 process7 dnsIp8 116 www.google.com 142.251.150.119, 49728, 49741, 50838 GOOGLEUS United States 20->116 118 ipinfo.io 34.117.59.81, 443, 49729, 49742 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 20->118 128 8 other IPs or domains 20->128 84 C:\Users\user\AppData\Roaming\...\dezed.exe, PE32 20->84 dropped 86 C:\Users\user\...\winJaxmalzWD103fa992.vbs, data 20->86 dropped 88 C:\Users\user\...\dezed.exe:Zone.Identifier, ASCII 20->88 dropped 90 2 other files (none is malicious) 20->90 dropped 140 Suspicious powershell command line found 20->140 142 Tries to harvest and steal browser information (history, passwords, etc) 20->142 144 Drops large PE files 20->144 148 3 other signatures 20->148 41 cmd.exe 20->41         started        44 cmd.exe 20->44         started        46 cmd.exe 20->46         started        52 48 other processes 20->52 48 powershell.exe 25->48         started        50 conhost.exe 25->50         started        55 2 other processes 27->55 57 2 other processes 29->57 120 chrome.cloudflare-dns.com 31->120 122 chrome.cloudflare-dns.com 33->122 124 162.159.61.3, 443, 49836, 50042 CLOUDFLARENETUS United States 39->124 126 chrome.cloudflare-dns.com 39->126 146 Uses cmd line tools excessively to alter registry or file data 39->146 59 23 other processes 39->59 file9 signatures10 process11 dnsIp12 150 Suspicious powershell command line found 41->150 152 Uses cmd line tools excessively to alter registry or file data 41->152 154 Uses schtasks.exe or at.exe to add and modify task schedules 41->154 76 2 other processes 41->76 61 powershell.exe 44->61         started        64 conhost.exe 44->64         started        66 powershell.exe 46->66         started        68 conhost.exe 46->68         started        156 Loading BitLocker PowerShell Module 48->156 130 chrome.cloudflare-dns.com 172.64.41.3, 443, 49733, 49734 CLOUDFLARENETUS United States 52->130 158 Query firmware table information (likely to detect VMs) 52->158 160 Excessive usage of taskkill to terminate processes 52->160 162 Windows Scripting host queries suspicious COM object (likely to drop second stage) 52->162 164 Maps a DLL or memory area into another process 52->164 70 powershell.exe 52->70         started        72 powershell.exe 52->72         started        78 79 other processes 52->78 74 schtasks.exe 59->74         started        signatures13 process14 signatures15 172 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 61->172 174 Powershell creates an autostart link 61->174 176 Loading BitLocker PowerShell Module 61->176 80 net1.exe 76->80         started        82 schtasks.exe 78->82         started        process16
Score:
83%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/90365f2b76c3a4b667e6497f1c975420c917ab2441334d8e3e276ef206e52778
Gathering data
Verdict:
Malicious
Threat:
Family.NOVASHADOW
Link:
https://tip.neiki.dev/file/90365f2b76c3a4b667e6497f1c975420c917ab2441334d8e3e276ef206e52778
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2026-03-30 15:26:31 UTC
File Type:
PE (Exe)
Extracted files:
16681
AV detection:
12 of 38 (31.58%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sa3f6k3wyoslmz7gjf7rzf2uederpkzeiezu3dr6e5xpebxfe54a._file
Verdict:
malicious
Label(s):
novablight
Create hunting rule
Similar samples:
0d19a2454600a853532a0b93bad70831dfe6080b3142f87e4a22340931c819fa
NovaShadowStealer
1d7888d4cc9c9ca665f8393ffb0bfa1c9a5011da61d35d8d2bcda24342dbb758
NovaShadowStealer
83e9fdf06a347b8528f69055f491d43da83cd365a3de24dbfada9626a3bda6fe
NovaShadowStealer
b0e20d6cac274d7d3d0eb47f39acb6302878a2881952c91593c2db3f036341e9
NovaShadowStealer
bdb1bb7b7824a994d9370675109b2e4f0c2f1abd7472032c7268dcfd6932249d
NovaShadowStealer
c086b2803dfa65f71d42b88ba380fe69be15ac59e10efe6b363b0a942bfb156a
NovaShadowStealer
d453950e093f7970a2ad7b6b545b800b7c8e1341775e1726a19460fb0a9a48bd
NovaShadowStealer
error
NovaShadowStealer
f8789608f1e00dd5696dda2a29e5fca75cc3b386dd9b180895c8324088ac2305
NovaShadowStealer
fa46fd2e46e3fe57b053e767e3b68dc1b1b2f253f9bc07af59658175250f905b
NovaShadowStealer
+ 198 additional samples on MalwareBazaar
Result
Malware family:
novashadow
Create hunting rule
Score:
  10/10
Tags:
family:novashadow defense_evasion discovery execution persistence spyware stealer trojan
Link:
https://tria.ge/reports/260410-t6v2eaby8v/
Behaviour
Checks processor information in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies system certificate store
Runs net.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Hide Artifacts: Ignore Process Interrupts
Enumerates processes with tasklist
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Contacts third-party web service commonly abused for C2
Indicator Removal: File Deletion
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments