MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91cccaa8f1a6351106d1c0f180ba886ee73bffdd03986ffe959830849b76a8b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 91cccaa8f1a6351106d1c0f180ba886ee73bffdd03986ffe959830849b76a8b5
SHA3-384 hash: f097cd024475159a0109d5dc848f05a9af9ed93e07d341740acec71077dac5a9fc80e82684b1220b7bd752e6807d43e4
SHA1 hash: 6ade6842955282aafbe5f2f763f2c84374af1f2f
MD5 hash: 03c48d7c471abb9b0f3061dcfbbdaa6b
humanhash: four-edward-white-floor
File name:mozglue.dll
Download: download sample
File size:17'134'080 bytes
First seen:2026-01-29 20:30:20 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 9c330ad90beeb251c76ec5ec6bd2c067
ssdeep 393216:2SCK8ysHjJI1fxRZCSbGQkS8RMb6bgshQ:RvOtIFiQgRMmksy
TLSH T1FF07333B6D803F93D1A453B2ED65201DC9A0F5BB8B49112AF11F47B0A295A1DCFF8B91
TrID 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter johnk3r
Tags:banker dll mgbdpki-com newkget-com

Intelligence

File Origin
# of uploads :
1
# of downloads :
173
Origin country :
CH CH
Vendor Threat Intelligence
No detections
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/50743/
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=697bc38a6fa3eed1653065b9
Tags:
downloader dropper packed
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Searching for analyzing tools
Searching for the window
Сreating synchronization primitives
Creating a window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed packed themidawinlicense
Link:
https://www.filescan.io/uploads/697bc37cb6bd365f0a6968fc/reports/97f2bd89-05cc-4f53-bf7f-166932d7c187/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/91cccaa8f1a6351106d1c0f180ba886ee73bffdd03986ffe959830849b76a8b5
Verdict:
Malicious
File Type:
dll x32
First seen:
2026-01-28T06:01:00Z UTC
Last seen:
2026-01-30T09:17:00Z UTC
Hits:
~10
Detections:
Trojan-Banker.Win32.Express.sb Trojan-PSW.Win32.Coins.sb Trojan-Banker.Win32.Ponteiro.sb
Link:
https://opentip.kaspersky.com/91cccaa8f1a6351106d1c0f180ba886ee73bffdd03986ffe959830849b76a8b5/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3d81b787-8ce7-456d-bc34-139c4a303ab9
Result
Threat name:
MicroClip
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1860116
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Suspicious Invoke-WebRequest Execution
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Yara detected MicroClip
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1860116 Sample: mozglue.dll Startdate: 29/01/2026 Architecture: WINDOWS Score: 100 39 mgbdpki.com 2->39 41 www.google.com 2->41 47 Antivirus detection for URL or domain 2->47 49 Antivirus / Scanner detection for submitted sample 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 4 other signatures 2->53 9 loaddll32.exe 4 2->9         started        12 rundll32.exe 2->12         started        signatures3 process4 signatures5 55 Query firmware table information (likely to detect VMs) 9->55 57 Hides threads from debuggers 9->57 59 Tries to detect sandboxes / dynamic malware analysis system (registry check) 9->59 61 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 9->61 14 rundll32.exe 8 9->14         started        17 cmd.exe 1 9->17         started        19 rundll32.exe 6 9->19         started        21 16 other processes 9->21 process6 signatures7 69 Suspicious powershell command line found 14->69 71 Tries to detect sandboxes and other dynamic analysis tools (window names) 14->71 73 Bypasses PowerShell execution policy 14->73 23 powershell.exe 14->23         started        26 rundll32.exe 6 17->26         started        75 Hides threads from debuggers 19->75 77 Tries to detect sandboxes / dynamic malware analysis system (registry check) 19->77 79 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 19->79 29 WerFault.exe 19->29         started        31 WerFault.exe 21->31         started        33 WerFault.exe 21->33         started        process8 dnsIp9 43 mgbdpki.com 185.255.122.89, 443, 49709 ICMESE Netherlands 23->43 45 www.google.com 172.217.165.196, 443, 49711 GOOGLEUS United States 23->45 35 conhost.exe 23->35         started        63 Hides threads from debuggers 26->63 65 Tries to detect sandboxes / dynamic malware analysis system (registry check) 26->65 67 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 26->67 37 WerFault.exe 26->37         started        signatures10 process11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/91cccaa8f1a6351106d1c0f180ba886ee73bffdd03986ffe959830849b76a8b5
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/91cccaa8f1a6351106d1c0f180ba886ee73bffdd03986ffe959830849b76a8b5/
Verdict:
Malicious
Threat:
Trojan-Banker.Win32.Express
Link:
https://tip.neiki.dev/file/91cccaa8f1a6351106d1c0f180ba886ee73bffdd03986ffe959830849b76a8b5
Threat name:
Win32.Trojan.Kepavll
Create hunting rule
Status:
Malicious
First seen:
2026-01-28 17:45:59 UTC
File Type:
PE (Dll)
Extracted files:
10
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=shgmvkhruy2rcbwrydyybouin3ttx765aomg77uvtayijg3wvc2q._file
Result
Malware family:
n/a
Score:
  9/10
Tags:
defense_evasion discovery trojan
Link:
https://tria.ge/reports/260129-zamcaafv4d/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
91cccaa8f1a6351106d1c0f180ba886ee73bffdd03986ffe959830849b76a8b5
MD5 hash:
03c48d7c471abb9b0f3061dcfbbdaa6b
SHA1 hash:
6ade6842955282aafbe5f2f763f2c84374af1f2f
Link:
https://www.unpac.me/results/0779d393-2417-4e60-b398-f76e237fc18b/
SH256 hash:
a271fb050eff6089b00c188f86f49ae7fc6e40b44b611124d05dd70aab11eff6
MD5 hash:
13e61379c7790776451374aed4ae5dec
SHA1 hash:
0c5895d15f91519862b9eb6757ab47d6ce28a211
Detections:
INDICATOR_EXE_Packed_Themida
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Link:
https://www.unpac.me/results/0779d393-2417-4e60-b398-f76e237fc18b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/91cccaa8f1a6351106d1c0f180ba886ee73bffdd03986ffe959830849b76a8b5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/50743/

Comments