MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 993d062a55f4b02ea7792841fd97a89e3ea7f7ffb5279174af0cba52df32ccca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 993d062a55f4b02ea7792841fd97a89e3ea7f7ffb5279174af0cba52df32ccca
SHA3-384 hash: f569b9da411098e18e742b247bd5022f562da0a3f81e32b8eae4bdc7940f5ebe551d2a0cfaaa200fdb9bf8e0872a32b3
SHA1 hash: b30c9d9d2ef93bd5a8ff69a9bf1f107dedd134cd
MD5 hash: 4054e60a4640bf3123a47bf5f2ba48d5
humanhash: quiet-venus-undress-nuts
File name:199503092023212028.exe
Download: download sample
File size:15'938'560 bytes
First seen:2026-05-15 20:53:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3349ac94059332f55af383791b9938f3
ssdeep 393216:0ze9RmW0FWzTtyYr/V11u4b0dGsUNB/XE:0zee5FFYrt1fbzJjE
TLSH T188F6014678E181BCC855C635E2CB4AFEF09A78494EB9582B7F86C4012632D95CCF773A
TrID 48.4% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
19.1% (.EXE) Win64 Executable (generic) (6522/11/2)
14.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.9% (.EXE) OS/2 Executable (generic) (2029/13)
5.8% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter aachum
Tags:dropped-by-ACRStealer exe


Avatar
iamaachum
https://ggx-tn-connectir.unwittingdork.digital/199503092023212028

Intelligence

File Origin
# of uploads :
1
# of downloads :
108
Origin country :
ES ES
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
exe
Verdict:
No threats detected
Analysis date:
2026-05-15 20:54:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/48838c52-af9d-47e2-bdfd-5657c94fa66c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/66070/
Detection(s):
SecuriteInfo.com.Variant.Tedy.970514.58399652.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a0787de953bbcef1c9097d5
Tags:
shellcode
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug overlay packed
Link:
https://www.filescan.io/uploads/6a0787c7875badc3b3876365/reports/a57c29d0-77d4-4e9d-844b-f070f9a02ef9/overview
Verdict:
Malicious
Labled as:
Tedy.Generic
Link:
https://www.hybrid-analysis.com/sample/993d062a55f4b02ea7792841fd97a89e3ea7f7ffb5279174af0cba52df32ccca
Verdict:
Malicious
File Type:
dll x64
First seen:
2026-05-15T17:45:00Z UTC
Last seen:
2026-05-16T01:40:00Z UTC
Hits:
~10
Detections:
Trojan.Win64.Shellcode.sba Trojan.Win32.Shellcode.pni
Link:
https://opentip.kaspersky.com/993d062a55f4b02ea7792841fd97a89e3ea7f7ffb5279174af0cba52df32ccca/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/8f348486-0497-4ca1-9798-8591ff212c41
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1914278
Signature
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Sets debug register (to hijack the execution of another thread)
Tries to detect debuggers (CloseHandle check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by execution special instruction (VM detection)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1914278 Sample: 199503092023212028.exe Startdate: 15/05/2026 Architecture: WINDOWS Score: 92 22 Multi AV Scanner detection for submitted file 2->22 24 PE file has nameless sections 2->24 26 Joe Sandbox ML detected suspicious sample 2->26 7 loaddll64.exe 1 2->7         started        process3 signatures4 34 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 7->34 36 Query firmware table information (likely to detect VMs) 7->36 38 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->38 40 4 other signatures 7->40 10 rundll32.exe 7->10         started        13 cmd.exe 1 7->13         started        15 rundll32.exe 7->15         started        17 conhost.exe 7->17         started        process5 signatures6 42 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 10->42 44 Sets debug register (to hijack the execution of another thread) 10->44 46 Modifies the context of a thread in another process (thread injection) 10->46 19 rundll32.exe 13->19         started        48 Tries to detect debuggers (CloseHandle check) 15->48 50 Hides threads from debuggers 15->50 process7 signatures8 28 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 19->28 30 Tries to detect debuggers (CloseHandle check) 19->30 32 Hides threads from debuggers 19->32
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/993d062a55f4b02ea7792841fd97a89e3ea7f7ffb5279174af0cba52df32ccca
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/4054e60a4640bf3123a47bf5f2ba48d5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/993d062a55f4b02ea7792841fd97a89e3ea7f7ffb5279174af0cba52df32ccca/
Verdict:
Malicious
Threat:
Trojan.Win64.Shellcode
Link:
https://tip.neiki.dev/file/993d062a55f4b02ea7792841fd97a89e3ea7f7ffb5279174af0cba52df32ccca
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=te6qmksv6syc5j3zfba73f5ity7kp577wutzc5fpbs5ffxzsztfa._file
Gathering data
Unpacked files
SH256 hash:
993d062a55f4b02ea7792841fd97a89e3ea7f7ffb5279174af0cba52df32ccca
MD5 hash:
4054e60a4640bf3123a47bf5f2ba48d5
SHA1 hash:
b30c9d9d2ef93bd5a8ff69a9bf1f107dedd134cd
Link:
https://www.unpac.me/results/a2f70f2a-b385-45a8-8705-53061b3d9009/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.56
Link:
https://yomi.yoroi.company/submissions/993d062a55f4b02ea7792841fd97a89e3ea7f7ffb5279174af0cba52df32ccca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PowerShell (PS) ps1 bf0ced091903218f6f0d3293156623822f4f2a8f59494c65412a832f42262419

Executable exe 993d062a55f4b02ea7792841fd97a89e3ea7f7ffb5279174af0cba52df32ccca

(this sample)

  
Link
https://tria.ge/260515-zgwjjafx91/behavioral2
  
Dropped by
SHA256 bf0ced091903218f6f0d3293156623822f4f2a8f59494c65412a832f42262419
  
Dropped by
ACRStealer
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/66070/
  
Dropped by
MD5 3c01ff4dcc75d086afa283c43c784417

Comments