MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 973e231cfa1e7d1ad1a409dbe5c501b85f76d1c8ce167dd388fa11d71b1c86a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	973e231cfa1e7d1ad1a409dbe5c501b85f76d1c8ce167dd388fa11d71b1c86a6
SHA3-384 hash:	7f2b61acd235d6432d024c37e440306192681a1ce6e4a80077283816bf6bb50ddc76a05e9b3c9a07f400944c1dfe94b1
SHA1 hash:	077d2ba312acba43181daf1fbeb0ba87b329a807
MD5 hash:	e27c81b071e713f9995402dcc89f8650
humanhash:	beryllium-emma-fish-moon
File name:	Wondershare_Recoverit_setup.exe
Download:	download sample
File size:	29'427'336 bytes
First seen:	2026-06-05 20:18:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 744 x AgentTesla, 438 x GuLoader)
ssdeep	786432:8mw5oSyduo4PCO1P1GCjYbtmt+E6RTQa/I7:8rqGKO1ovb2nWMa/O
TLSH	T18657330293B7E0EBDCD1FF3B1BBAA41C95D05CC842C7A1E0A5E34F98BF25B1A55061A5
TrID	27.0% (.EXE) Win64 Executable (generic) (6522/11/2) 20.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.6% (.EXE) Win32 Executable (generic) (4504/4/1) 8.5% (.ICL) Windows Icons Library (generic) (2059/9) 8.4% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
dhash icon	c4dadadad2f492c2 (148 x GuLoader, 51 x RemcosRAT, 23 x VIPKeylogger)
Reporter	aachum
Tags:	exe signed statsnewlab-org

Code Signing Certificate

Organisation:	GANPATI ESTATES LLP
Issuer:	GlobalSign GCC R45 EV CodeSigning CA 2020
Algorithm:	sha256WithRSAEncryption
Valid from:	2025-06-12T14:08:45Z
Valid to:	2026-06-13T14:08:45Z
Serial number:	1a68e8aefbdbd2b972f8d6bd
Thumbprint Algorithm:	SHA256
Thumbprint:	f1ec6f22eaf515456c4fe4ef63ce2ed3d06fee5c0d0032b1a2d2f71d32651eb4
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

iamaachum

https://desktop.ac/download.php

C2: statsnewlab.org

Intelligence

File Origin

# of uploads :

# of downloads :

127

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

NSIS

Details

Link:

https://research.acce.ciphertechsolutions.com/results/9e0d070d-5ac9-435c-8468-c62a3d674102/

Malware family:

n/a

ID:

File name:

Wondershare_Recoverit_setup.exe

Verdict:

Malicious activity

Analysis date:

2026-06-05 20:19:40 UTC

Tags:

loader

Link:

https://app.any.run/tasks/072e0ed1-f75a-44e9-b4e3-6092e5064580

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/69267/

Verdict:

Malicious

Score:

81.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a232f18f8676ad4d36183be

Tags:

ransomware xtreme sage

Result

Verdict:

Malware

Maliciousness:

Gathering data

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/973e231cfa1e7d1ad1a409dbe5c501b85f76d1c8ce167dd388fa11d71b1c86a6

Verdict:

Clean

File Type:

exe x32

First seen:

2026-05-18T19:04:00Z UTC

Last seen:

2026-06-07T17:19:00Z UTC

Hits:

~100

Link:

https://opentip.kaspersky.com/973e231cfa1e7d1ad1a409dbe5c501b85f76d1c8ce167dd388fa11d71b1c86a6/results?tab=lookup

Score:

61%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/973e231cfa1e7d1ad1a409dbe5c501b85f76d1c8ce167dd388fa11d71b1c86a6

Gathering data

Verdict:

Susipicious

Link:

https://tip.neiki.dev/file/973e231cfa1e7d1ad1a409dbe5c501b85f76d1c8ce167dd388fa11d71b1c86a6

Threat name:

Win32.Trojan.Malgent

Status:

Malicious

First seen:

2026-05-19 00:45:48 UTC

File Type:

PE (Exe)

Extracted files:

43910

AV detection:

1 of 23 (4.35%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=s47cghh2dz6rvunebhn6lribxbpxnuoizylh3u4i7ii5ogy4q2ta._file

Result

Malware family:

n/a

Score:

6/10

Tags:

defense_evasion discovery trojan

Link:

https://tria.ge/reports/260605-y3grtsex5n/

Behaviour

Enumerates system info in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Checks whether UAC is enabled

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Checks installed software on the system

Drops file in Program Files directory

Drops file in Windows directory

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Network Share Discovery

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/973e231cfa1e7d1ad1a409dbe5c501b85f76d1c8ce167dd388fa11d71b1c86a6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Detect_NSIS_Nullsoft_Installer Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects NSIS installers by .ndata section + NSIS header string

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 973e231cfa1e7d1ad1a409dbe5c501b85f76d1c8ce167dd388fa11d71b1c86a6

(this sample)

Link

https://tria.ge/260605-xgy9bady8r/behavioral1

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/69267/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample