MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9fdf4415759c6535a3e7464458954143a7e0bfee97eadcfcf3d635a90caa202f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



LinaStealer


Vendor detections: 8



SHA256 hash: 9fdf4415759c6535a3e7464458954143a7e0bfee97eadcfcf3d635a90caa202f
SHA3-384 hash: ace78a42b209d9ea85ace7f6b10754e2f32f08c0a7f16a2c42bb7531bcfa2347934783bba2d054bc678eb5df92c76c48
SHA1 hash: bc49e95a152aebb6c1ef908712cd3f2824533510
MD5 hash: b03c54333efa373775fdc5ad8c69f886
humanhash: oscar-michigan-football-bacon
File name: Error404 Setup 1.0.0 (3).exe
Signature: LinaStealer
File size: 95'058'558 bytes
First seen: 2025-12-04 13:43:36 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b34f154ec913d2d2c435cbd644e91687 (542 x GuLoader, 116 x RemcosRAT, 80 x EpsilonStealer)
ssdeep: 1572864:TYoAO73e+mm8f43pJWKcujMoN37jxUDOsWWyP07vYqu4R92PupWHCQ8:Top+rK47/cGt9oWWyP0jSP+q8
TLSH: T14128332590368407E2A439F8AD72C27113F11FAB948065ED61E6BFF3F26D10867F87A5
TrID:
  47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
  9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
Reporter: ragnarok10006
Tags: exe infostealer Linastealer stealer


ragnarok10006
new skid malware https://linahook.com

Intelligence


File Origin
# of uploads: 1
# of downloads: 37
Origin country: FR

Vendor Threat Intelligence

Verdict: Malicious
Score: 90.2%
Tags: shell sage blic

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: adaptive-context anti-debug blackhole fingerprint installer installer installer-heuristic microsoft_visual_cc nsis overlay packed

Result
Malware family: n/a
Score: 8/10
Tags: defense_evasion discovery execution spyware stealer
Behaviour
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Enumerates processes with tasklist
Checks installed software on the system
Obfuscated Files or Information: Command Obfuscation
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropping: LinaStealer
Delivery method: Other
