MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 976c17bb7dcbfa6dff7c54fa98cb9bc85d18daa7af8e8e9462310ee42b401dd1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 976c17bb7dcbfa6dff7c54fa98cb9bc85d18daa7af8e8e9462310ee42b401dd1
SHA3-384 hash: 9550a62e07f005e67781a3ede728d893b9c1a13ef8412f79751d1686289045324bcfbf1a1832e078a51ac22535d59e52
SHA1 hash: 0e30b8d591e0994630512e43ff9985195935dc40
MD5 hash: 93e7cc4c7580d5caf4dc32c027e99ac8
humanhash: lamp-crazy-alaska-california
File name:file
Download: download sample
File size:794'112 bytes
First seen:2026-05-18 20:36:32 UTC
Last seen:2026-05-18 22:17:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'066 x AgentTesla, 20'016 x Formbook, 12'352 x SnakeKeylogger)
ssdeep 12288:CmaJHUk9iseEW+URJcSBq/RZ9u1ZYOEIrveNiG0rwfv+UcFcEOZfgaG+8:9alUw4FCRjmGIr2p7MFcEW
Threatray 196 similar samples on MalwareBazaar
TLSH T1BEF412B467A8DB9AC9798BF419A1F23143B54C0ED522D3AACBEDBCDB35193104C19393
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter Bitsight
Tags:dropped-by-gcleaner exe G US.file


Avatar
Bitsight
url: http://158.94.209.95/service

Intelligence

File Origin
# of uploads :
4
# of downloads :
152
Origin country :
US US
Vendor Threat Intelligence
Malware configuration found for:
RoboSki
Details
Link:
https://research.acce.ciphertechsolutions.com/results/73e82f43-00a5-45cb-b5fe-e8227bf20e5a/
Malware family:
n/a
ID:
1
File name:
_976c17bb7dcbfa6dff7c54fa98cb9bc85d18daa7af8e8e9462310ee42b401dd1.exe
Verdict:
Malicious activity
Analysis date:
2026-05-18 20:38:10 UTC
Tags:
auto-reg amsi-bypass violet rat
Link:
https://app.any.run/tasks/d47e565c-47af-4dda-9464-551344ec2eb9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/66370/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a0b788b062bae3f9734422b
Tags:
micro krypt msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Sending a TCP request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6a0b7885861ee596e63c6bf7/reports/9737a4f9-0d57-40fa-9846-5ff3d5eface9/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/976c17bb7dcbfa6dff7c54fa98cb9bc85d18daa7af8e8e9462310ee42b401dd1
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-05-18T17:42:00Z UTC
Last seen:
2026-05-20T12:54:00Z UTC
Hits:
~10
Detections:
Trojan.MSIL.Crypt.sb Trojan-Dropper.Win32.Injector.sb Backdoor.Win32.Androm.sb PDM:Trojan.Win32.Generic HEUR:Trojan-Spy.MSIL.BPLogger.gen Backdoor.Agent.TCP.C&C Trojan.MSIL.Inject.sb Trojan.MSIL.Dnoper.sb
Link:
https://opentip.kaspersky.com/976c17bb7dcbfa6dff7c54fa98cb9bc85d18daa7af8e8e9462310ee42b401dd1/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9210670d-e592-4365-b34a-f10dae75e81b
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/976c17bb7dcbfa6dff7c54fa98cb9bc85d18daa7af8e8e9462310ee42b401dd1
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.35 Win 32 Exe x86
Link:
https://app.malva.re/file/93e7cc4c7580d5caf4dc32c027e99ac8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/976c17bb7dcbfa6dff7c54fa98cb9bc85d18daa7af8e8e9462310ee42b401dd1/
Verdict:
Malicious
Threat:
Trojan-Spy.MSIL.BPLogger
Link:
https://tip.neiki.dev/file/976c17bb7dcbfa6dff7c54fa98cb9bc85d18daa7af8e8e9462310ee42b401dd1
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-05-18 20:37:44 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
17 of 38 (44.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s5wbpo35zp5g3734kt5jrs43zborrwvhv6hi5fdcgehoik2adxiq._file
Verdict:
malicious
Label(s):
wannacryptor
Create hunting rule
Similar samples:
8cda591f526a09954c7a60337daa767be7948367ee52accebc30061be1dc581a
970dd62d5d6e8996defbfda6eacef182820b91aeddcce0845a2f727b421ac9f4
976c17bb7dcbfa6dff7c54fa98cb9bc85d18daa7af8e8e9462310ee42b401dd1
a961ce0314f78900f26aec189234ac71e497487b35c1a4a604bf384e911f3e00
b69c825f72a6a7630a356a90f5a4ca044960c475964a75d7c743ac0466dd81b4
de3ce20b17a9eed13a707cc29869bcae49a99250b968a9be549385760ae5bb92
error
+ 186 additional samples on MalwareBazaar
Gathering data
Unpacked files
SH256 hash:
976c17bb7dcbfa6dff7c54fa98cb9bc85d18daa7af8e8e9462310ee42b401dd1
MD5 hash:
93e7cc4c7580d5caf4dc32c027e99ac8
SHA1 hash:
0e30b8d591e0994630512e43ff9985195935dc40
Link:
https://www.unpac.me/results/0de1d3bc-279b-4588-a262-7ce1beb6cd71/
SH256 hash:
a8e9af5d5db01b452944e83f445f25e3d3d04275127f12f8c368053b23c58694
MD5 hash:
a9e32f0739d267f3ba035595a0a1558c
SHA1 hash:
13db8d9b4a34689ef263de6734dc38bb58f7f795
Link:
https://www.unpac.me/results/0de1d3bc-279b-4588-a262-7ce1beb6cd71/
SH256 hash:
c664132fa67d4e63781706ae4425af9f841d7b48a137abd8821d5a11fea66bec
MD5 hash:
7bc46323960949f4e3bf72d14398ce98
SHA1 hash:
524d388563b0f453f89165e3270c92d394efa5ae
Link:
https://www.unpac.me/results/0de1d3bc-279b-4588-a262-7ce1beb6cd71/
SH256 hash:
1d1440a22553986ea0befb86966bc8114fa9fa2dc4fa84e3558f2e37b82f62d4
MD5 hash:
cc0b0c0b0d154bf75e671ac0f31a6f8e
SHA1 hash:
57cd69042fe5756c52b7a98fa7ae67b8f2673d8b
Link:
https://www.unpac.me/results/0de1d3bc-279b-4588-a262-7ce1beb6cd71/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/976c17bb7dcbfa6dff7c54fa98cb9bc85d18daa7af8e8e9462310ee42b401dd1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 976c17bb7dcbfa6dff7c54fa98cb9bc85d18daa7af8e8e9462310ee42b401dd1

(this sample)

  
Dropped by
Gcleaner
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/66370/

Comments