MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 904cee06bbc6093213e8653b120b2b72701bac7e8dbfbdd69bfb3aed9b6a7298. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA 22 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 904cee06bbc6093213e8653b120b2b72701bac7e8dbfbdd69bfb3aed9b6a7298
SHA3-384 hash: d6dcb935d1f174150c70ca102d93f60d8ec56d11ade9e4044c26945f9de29ae645bb7f9750aef823e44c10ab9e47f2c8
SHA1 hash: 93781d80259cda15f1b4072cc43b6dae6baadacc
MD5 hash: 3fe2b172ad50f843ff56a4ae7f7703c0
humanhash: king-uncle-timing-paris
File name:904CEE06BBC6093213E8653B120B2B72701BAC7E8DBFBDD69BFB3AED9B6A7298.exe
Download: download sample
File size:25'285'632 bytes
First seen:2026-02-13 10:04:34 UTC
Last seen:2026-02-13 11:08:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d42595b695fc008ef2c56aabd8efd68e (239 x Vidar, 92 x Rhadamanthys, 89 x Stealc)
ssdeep 196608:ItpNhsVa6kyyT/Vegd3u+d++4KaKJSPwzXmo1dvaRRXEC:ItPIgd++dyLKJSPwzXZyRRX
Threatray 3 similar samples on MalwareBazaar
TLSH T14C474A47E4B615D9C4FAC174D22A6127F9A13C4C473827EB1A90B7312F32BE46E7AB11
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter cocaman
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
127
Origin country :
CH CH
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
https://wormhole.app/77PL74#9cmTnMuCr3s0Py2gavzFVw
Verdict:
Malicious activity
Analysis date:
2026-02-13 08:04:03 UTC
Tags:
websocket evasion golang ransomware
Link:
https://app.any.run/tasks/e2f79418-ca77-4cee-aca7-4f087e576443

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/53241/
Detection(s):
Win.Tool.Garble-10044180-0
Create hunting rule

Win.Trojan.Sliver-10044264-0
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=698ed49c76589225f6663ad2
Tags:
dropper virus sage
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug anti-vm crypto crypto golang obfuscated packed
Link:
https://www.filescan.io/uploads/698ef76cc9bfb60ece1f561a/reports/de19b98a-f2bb-4fe2-b1b4-c2ac14cfdd8c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/904cee06bbc6093213e8653b120b2b72701bac7e8dbfbdd69bfb3aed9b6a7298
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-02-13T01:03:00Z UTC
Last seen:
2026-02-13T10:42:00Z UTC
Hits:
~100
Detections:
Trojan.Win32.DelShad.sb Trojan.Win32.DelShad.psd Trojan.Win32.Agent.sb PDM:Trojan.Win32.Generic NetTool.TorToolE.TCP.C&C NetTool.TorTool.TCP.C&C
Link:
https://opentip.kaspersky.com/904cee06bbc6093213e8653b120b2b72701bac7e8dbfbdd69bfb3aed9b6a7298/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
rans.phis.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1869012
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates files inside the volume driver (system volume information)
Deletes shadow drive data (may be related to ransomware)
Deletes the backup plan of Windows
Drops a file containing file decryption instructions (likely related to ransomware)
Found potential ransomware demand text
Found Tor onion address
Joe Sandbox ML detected suspicious sample
May disable shadow drive data (uses vssadmin)
May encrypt documents and pictures (Ransomware)
Modifies existing user documents (likely ransomware behavior)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites Mozilla Firefox settings
Sigma detected: Deletion of Volume Shadow Copies via WMI with PowerShell
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to harvest and steal browser information (history, passwords, etc)
Uses bcdedit to modify the Windows boot settings
Uses netsh to modify the Windows network and firewall settings
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes a notice file (html or txt) to demand a ransom
WScript reads language and country specific registry keys (likely country aware script)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1869012 Sample: N6ER7EsEDa.exe Startdate: 13/02/2026 Architecture: WINDOWS Score: 100 74 shed.dual-low.part-0041.t-0009.t-msedge.net 2->74 76 part-0041.t-0009.t-msedge.net 2->76 78 3 other IPs or domains 2->78 96 Antivirus / Scanner detection for submitted sample 2->96 98 Multi AV Scanner detection for submitted file 2->98 100 Sigma detected: WScript or CScript Dropper 2->100 102 5 other signatures 2->102 11 N6ER7EsEDa.exe 2 2->11         started        15 wbengine.exe 3 2->15         started        17 vdsldr.exe 2->17         started        19 vds.exe 2->19         started        signatures3 process4 file5 72 24540e48-ceb4-8cc0-7c71-39a441e115f1.exe, PE32+ 11->72 dropped 112 Found Tor onion address 11->112 21 cmd.exe 1 11->21         started        23 powershell.exe 15 11->23         started        114 Creates files inside the volume driver (system volume information) 15->114 signatures6 process7 process8 25 24540e48-ceb4-8cc0-7c71-39a441e115f1.exe 705 21->25         started        30 conhost.exe 21->30         started        32 conhost.exe 23->32         started        dnsIp9 86 api.ipify.org 172.67.74.152, 443, 49716 CLOUDFLARENETUS United States 25->86 64 C:\Users\...\HTAGVDFUIE.mp3.ZETARINK37GnfGAa, DOS 25->64 dropped 66 C:\Users\...\TQDGENUHWP.docx.ZETARINK37GnfGAa, DOS 25->66 dropped 68 8fe519d9-5bb9-232c-c64b-5f803f050168.exe, PE32+ 25->68 dropped 70 44 other malicious files 25->70 dropped 104 Antivirus detection for dropped file 25->104 106 Multi AV Scanner detection for dropped file 25->106 108 May disable shadow drive data (uses vssadmin) 25->108 110 13 other signatures 25->110 34 wscript.exe 25->34         started        37 8fe519d9-5bb9-232c-c64b-5f803f050168.exe 12 25->37         started        40 vssadmin.exe 1 25->40         started        42 5 other processes 25->42 file10 signatures11 process12 dnsIp13 88 Windows Scripting host queries suspicious COM object (likely to drop second stage) 34->88 90 WScript reads language and country specific registry keys (likely country aware script) 34->90 44 taskkill.exe 34->44         started        46 taskkill.exe 34->46         started        80 51.158.146.152, 443, 49725 OnlineSASFR France 37->80 82 77.160.53.97, 49733, 9001 KPNKPNNationalEU Netherlands 37->82 84 6 other IPs or domains 37->84 92 Found Tor onion address 37->92 48 conhost.exe 37->48         started        94 Deletes shadow drive data (may be related to ransomware) 40->94 50 conhost.exe 40->50         started        52 conhost.exe 42->52         started        54 conhost.exe 42->54         started        56 conhost.exe 42->56         started        58 2 other processes 42->58 signatures14 process15 process16 60 conhost.exe 44->60         started        62 conhost.exe 46->62         started       
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/904cee06bbc6093213e8653b120b2b72701bac7e8dbfbdd69bfb3aed9b6a7298
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/3fe2b172ad50f843ff56a4ae7f7703c0
Gathering data
Verdict:
Malicious
Threat:
Trojan.Win32.TCP
Link:
https://tip.neiki.dev/file/904cee06bbc6093213e8653b120b2b72701bac7e8dbfbdd69bfb3aed9b6a7298
Threat name:
Win64.Trojan.Malgent
Create hunting rule
Status:
Malicious
First seen:
2026-02-13 06:52:08 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sbgo4bv3yyetee7imu5reczlojybxld6rw733vu37m5o3g3kokma._file
Verdict:
malicious
Label(s):
genericransomware
Create hunting rule
Similar samples:
904cee06bbc6093213e8653b120b2b72701bac7e8dbfbdd69bfb3aed9b6a7298
d7e9c3c649a34d505b73a00b72b20f0048c4495244da3b0c6ece56892f33d058
error
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion evasion execution impact persistence privilege_escalation ransomware spyware stealer
Link:
https://tria.ge/reports/260213-l4r8qsbt8a/
Behaviour
Checks SCSI registry key(s)
Interacts with shadow copies
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Sets desktop wallpaper using registry
Looks up external IP address via web service
Checks computer location settings
Deletes itself
Executes dropped EXE
Reads user/profile data of web browsers
Deletes backup catalog
Modifies Windows Firewall
Deletes shadow copies
Modifies boot configuration data using bcdedit
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/904cee06bbc6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/904cee06bbc6093213e8653b120b2b72701bac7e8dbfbdd69bfb3aed9b6a7298

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:Detect_Go_GOMAXPROCS
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata
Rule name:GoBinTest
Create hunting rule
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:golang_duffcopy_amd64
Create hunting rule
Rule name:Golang_Find_CSC846_Simple
Create hunting rule
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Suspicious_Golang_Binary
Create hunting rule
Author:Tim Machac
Description:Triage: Golang-compiled binary with suspicious OS/persistence/network strings (not family-specific)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:WHIRLPOOL_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for WhirlPool constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/53241/

Comments