MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9819b8bcb72df8cbfb081e848b0105a7e5f38a520db29f10d199430874c94b45. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9819b8bcb72df8cbfb081e848b0105a7e5f38a520db29f10d199430874c94b45
SHA3-384 hash: d81724a99569a215b515a81728b0a1a50dc453945c62dd4e6c8420ce9c01a6b5819bb7d2b9187a75bf6973f0adb82dce
SHA1 hash: 3f5a264438d021e4514969708522cdb8fae54a77
MD5 hash: 1f186fc73f106373b7744cb909d32df4
humanhash: connecticut-failed-zebra-pizza
File name:propsys.dll
Download: download sample
File size:288'768 bytes
First seen:2026-02-04 11:23:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 12998a4a20680cf0ba12a53605895257
ssdeep 3072:Aif1fUZ1WwD/z3CnEJjdaQQ3+cdMHThF8LxiLWHHtSjedWGHP:pf1fM1WydufdMHdeLJAj
TLSH T1D054B348128364F4FDE3EC3A4399B75FB5906900189DE9338BA1DC5A683AF831DE71D9
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter burger
Tags:exe Loader SantaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
97
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
https://www.mediafire.com/file/uqp96mkdsnq0cfv/
Verdict:
Malicious activity
Analysis date:
2026-02-03 19:59:15 UTC
Tags:
telegram stealer santastealer loader
Link:
https://app.any.run/tasks/747e5036-3601-4b04-97ae-c83177900be2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/51664/
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69832c416b1af47db72cbfa1
Tags:
virus
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug anti-vm masquerade mingw packed
Link:
https://www.filescan.io/uploads/69832c65552d46acbff0ae3c/reports/141a27a2-92b4-4b97-b430-3e4a3b34d848/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/9819b8bcb72df8cbfb081e848b0105a7e5f38a520db29f10d199430874c94b45
Result
Gathering data
Verdict:
Clean
File Type:
dll x64
Link:
https://opentip.kaspersky.com/9819b8bcb72df8cbfb081e848b0105a7e5f38a520db29f10d199430874c94b45/results?tab=lookup
Malware family:
Reverseshell
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f2975c5c-ff6c-4d43-9986-b41fdecbac85
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1863207
Signature
Joe Sandbox ML detected suspicious sample
Suspicious powershell command line found
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1863207 Sample: propsys.dll.exe Startdate: 04/02/2026 Architecture: WINDOWS Score: 52 66 imnotmalware.icu 2->66 68 t.me 2->68 74 Joe Sandbox ML detected suspicious sample 2->74 10 loaddll64.exe 1 2->10         started        signatures3 process4 signatures5 78 Suspicious powershell command line found 10->78 80 Tries to detect virtualization through RDTSC time measurements 10->80 13 cmd.exe 1 10->13         started        15 rundll32.exe 10->15         started        18 rundll32.exe 10->18         started        20 39 other processes 10->20 process6 signatures7 22 rundll32.exe 13->22         started        82 Suspicious powershell command line found 15->82 25 powershell.exe 15->25         started        27 powershell.exe 15->27         started        29 powershell.exe 15->29         started        31 powershell.exe 18->31         started        33 powershell.exe 18->33         started        35 powershell.exe 18->35         started        37 powershell.exe 20->37         started        39 21 other processes 20->39 process8 signatures9 76 Suspicious powershell command line found 22->76 55 3 other processes 22->55 41 conhost.exe 25->41         started        43 conhost.exe 27->43         started        45 conhost.exe 29->45         started        47 conhost.exe 31->47         started        49 conhost.exe 33->49         started        51 conhost.exe 35->51         started        53 conhost.exe 37->53         started        58 18 other processes 39->58 process10 dnsIp11 70 imnotmalware.icu 172.67.221.54, 443, 49684, 49685 CLOUDFLARENETUS United States 55->70 72 t.me 149.154.167.99, 443, 49681, 49682 TELEGRAMRU United Kingdom 55->72 60 conhost.exe 55->60         started        62 conhost.exe 55->62         started        64 conhost.exe 55->64         started        process12
Score:
83%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9819b8bcb72df8cbfb081e848b0105a7e5f38a520db29f10d199430874c94b45
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/1f186fc73f106373b7744cb909d32df4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9819b8bcb72df8cbfb081e848b0105a7e5f38a520db29f10d199430874c94b45/
Verdict:
Clean
Link:
https://tip.neiki.dev/file/9819b8bcb72df8cbfb081e848b0105a7e5f38a520db29f10d199430874c94b45
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tam3rpfxfx4mx6yid2ciwaifu7s7hcssbwzj6egrtfbqq5gjjncq._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/260204-nhv4lsgt2b/
Unpacked files
SH256 hash:
9819b8bcb72df8cbfb081e848b0105a7e5f38a520db29f10d199430874c94b45
MD5 hash:
1f186fc73f106373b7744cb909d32df4
SHA1 hash:
3f5a264438d021e4514969708522cdb8fae54a77
Link:
https://www.unpac.me/results/ca6342f8-e764-4f77-9174-d63563613c9b/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/51664/

Comments