MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94fc8f2c42dba35799a2d4dff80ffe2f9bead57ae9ae9f2bbdd897b4d381265c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GoStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 94fc8f2c42dba35799a2d4dff80ffe2f9bead57ae9ae9f2bbdd897b4d381265c
SHA3-384 hash: 79f657f17efb5facb8b25f1567797ccf7fb352f3cb7ae57a447f7eaf9376c69e5c355b1b4100a18bdda3c7191b4ae9fa
SHA1 hash: c484bab29c04a6b5a340197aa1f811b6f327ecac
MD5 hash: 59914991ec9fbd3117bcf1ad493fe37e
humanhash: oranges-black-crazy-jupiter
File name:Komodo.exe
Download: download sample
Signature GoStealer
Create hunting rule
File size:7'247'088 bytes
First seen:2026-04-01 20:23:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 98304:84T08lEyQRBqSVVdWuDIIpwtXP7HAh9xj5aCNHfSQiNoQ01nD3Nz/:q9y0qnEICwlDH6xjbKQbR
TLSH T19D7601AF6B1030B8C8155AF897B0AE01A7EC6C91BD9049EDE14EF717DDB4943EE89074
TrID 33.1% (.EXE) Win64 Executable (generic) (6522/11/2)
25.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.4% (.ICL) Windows Icons Library (generic) (2059/9)
10.3% (.EXE) OS/2 Executable (generic) (2029/13)
10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon f0f0ccd4d4ccf0f0 (1 x NodeLoader, 1 x GoStealer)
Reporter aachum
Tags:193-24-123-23 dcdivas-com DeepLoad dropped-by-LummaStealer exe GOStealer signed

Code Signing Certificate

Organisation:Ruecker and Sons
Issuer:Ruecker and Sons Intermediate CA 1
Algorithm:sha256WithRSAEncryption
Valid from:2025-09-30T13:22:39Z
Valid to:2028-03-31T13:22:39Z
Serial number: 01f0f11a921da6c9
Thumbprint Algorithm:SHA256
Thumbprint: e5aeba26cfd6d0c775086d9664f88b02dd6f3747033c38c350981f8c20002634
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
iamaachum
http://dcdivas.com/wp-includes/pomo/Komodo.exe

DeepLoad C2: http://193.24.123.23:3000/api/v2/backup-domains/active

Intelligence

File Origin
# of uploads :
1
# of downloads :
123
Origin country :
ES ES
Vendor Threat Intelligence
Gathering data
Malware family:
n/a
ID:
1
File name:
Komodo.exe
Verdict:
Malicious activity
Analysis date:
2026-04-01 20:26:36 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/c08e74c3-a741-47e3-95c9-114777a8013c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/60128/
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.18496782.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69cd7ef36363ca5d27f0b4c8
Tags:
injection obfusc
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Connection attempt
Sending an HTTP GET request
Creating a file
Changing a file
Running batch commands
Launching cmd.exe command interpreter
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed packed packer_detected signed unknown zero
Link:
https://www.filescan.io/uploads/69cd7ef32346b9da57b7c42f/reports/46944c81-976c-4989-b774-71e26b48b565/overview
Verdict:
Suspicious
Labled as:
Win64/GenKryptik.HQIA trojan
Link:
https://www.hybrid-analysis.com/sample/94fc8f2c42dba35799a2d4dff80ffe2f9bead57ae9ae9f2bbdd897b4d381265c
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-03-31T18:23:00Z UTC
Last seen:
2026-04-02T09:34:00Z UTC
Hits:
~100
Detections:
Trojan.Win32.Agent.sb Trojan-PSW.Win64.Stealer.asli Trojan-PSW.MSIL.Stealer.sb
Link:
https://opentip.kaspersky.com/94fc8f2c42dba35799a2d4dff80ffe2f9bead57ae9ae9f2bbdd897b4d381265c/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/9db8a066-f62d-4b7b-979f-c3a42bcb05e2
Result
Threat name:
GO Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1892469
Signature
AI detected suspicious PE digital signature
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Sigma detected: BloodHound Collection Files
Tries to harvest and steal browser information (history, passwords, etc)
Unusual module load detection (module proxying)
Uses known network protocols on non-standard ports
Yara detected GO Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1892469 Sample: Komodo.exe Startdate: 01/04/2026 Architecture: WINDOWS Score: 80 33 Multi AV Scanner detection for submitted file 2->33 35 Yara detected GO Stealer 2->35 37 Uses known network protocols on non-standard ports 2->37 39 3 other signatures 2->39 8 Komodo.exe 19 2->8         started        process3 dnsIp4 31 193.24.123.23, 3000, 49695 UPM-KYMMENE-ASKuusankoskiFinlandFI Germany 8->31 27 C:\Users\user\Desktop\Komodo.exe.bat, DOS 8->27 dropped 29 C:\Users\user\AppData\...\backup_domains.json, JSON 8->29 dropped 41 Tries to harvest and steal browser information (history, passwords, etc) 8->41 43 Unusual module load detection (module proxying) 8->43 13 cmd.exe 1 8->13         started        file5 signatures6 process7 process8 15 cmd.exe 1 13->15         started        17 conhost.exe 13->17         started        process9 19 timeout.exe 1 15->19         started        21 timeout.exe 1 15->21         started        23 timeout.exe 1 15->23         started        25 17 other processes 15->25
Score:
79%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/94fc8f2c42dba35799a2d4dff80ffe2f9bead57ae9ae9f2bbdd897b4d381265c
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/59914991ec9fbd3117bcf1ad493fe37e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/94fc8f2c42dba35799a2d4dff80ffe2f9bead57ae9ae9f2bbdd897b4d381265c/
Verdict:
Malicious
Threat:
Trojan-PSW.Win64.Stealer
Link:
https://tip.neiki.dev/file/94fc8f2c42dba35799a2d4dff80ffe2f9bead57ae9ae9f2bbdd897b4d381265c
Threat name:
Win64.Trojan.Kepavll
Create hunting rule
Status:
Malicious
First seen:
2026-04-01 01:38:29 UTC
File Type:
PE+ (Exe)
Extracted files:
18
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=st6i6lcc3orvpgnc2tp7qd76f6n6vvl25gxj6k553cl3ju4bezoa._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
defense_evasion spyware stealer
Link:
https://tria.ge/reports/260401-y6tkssbw6v/
Behaviour
Delays execution with timeout.exe
GoLang User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
94fc8f2c42dba35799a2d4dff80ffe2f9bead57ae9ae9f2bbdd897b4d381265c
MD5 hash:
59914991ec9fbd3117bcf1ad493fe37e
SHA1 hash:
c484bab29c04a6b5a340197aa1f811b6f327ecac
Link:
https://www.unpac.me/results/e6dc46ab-813b-43fb-b83b-41316779d555/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/94fc8f2c42dba35799a2d4dff80ffe2f9bead57ae9ae9f2bbdd897b4d381265c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GoStealer

Executable exe 94fc8f2c42dba35799a2d4dff80ffe2f9bead57ae9ae9f2bbdd897b4d381265c

(this sample)

  
Link
https://tria.ge/260401-yn2hpaf19m/behavioral2
  
Dropped by
LummaStealer
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/60128/

Comments