MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 a22f6b53ac3ea0b4e55da3192c73644f0e364d43891ffd1ffcf38e9b961ac13a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Threat unknown
Vendor detections: 12
| SHA256 hash: | a22f6b53ac3ea0b4e55da3192c73644f0e364d43891ffd1ffcf38e9b961ac13a |
|---|---|
| SHA3-384 hash: | 0ad2882b81a8459d786ff72f1792d5f03c001b9a640fff8ed9657a553c03e435894fd7850b965dab5de3cd130b64fb01 |
| SHA1 hash: | 9e7782bc06576b237435cd16033bef73b923106f |
| MD5 hash: | f1fb1da09d7a724842257097b0a5ba82 |
| humanhash: | diet-lamp-fanta-july |
| File name: | b04_crack.exe |
| Download: | download sample |
| File size: | 256'000 bytes |
| First seen: | 2026-06-17 15:33:30 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | c6da37bcf16073c000b652830063c56d |
| ssdeep | 3072:hmByAgG6eA0cPrXdoaDhYVWA5i5AZHdvKEfZTHy4QG4BCPOClK2JXtU6ZxuMpQor:uyAgGqX6aEWAMGmqeNX2NNNyAt |
| TLSH | T147444A02A7EC0094F6F75278DEB14112DA76B8461731D17F5B48C6AD0F7AA80EB79F22 |
| TrID | 37.0% (.EXE) Win64 Executable (generic) (6522/11/2) 28.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 11.5% (.EXE) OS/2 Executable (generic) (2029/13) 11.3% (.EXE) Generic Win/DOS Executable (2002/3) 11.3% (.EXE) DOS Executable (generic) (2000/1) |
| Magika | pebin |
| Reporter | Anonymous |
| Tags: | al-khaser exe |
Intelligence
File Origin
# of uploads :
1
# of downloads :
165
Origin country :
FRVendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
b04_crack.exe
Verdict:
Malicious activity
Analysis date:
2026-06-17 15:36:38 UTC
Tags:
evasion ip-check
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Verdict:
Malicious
Score:
99.9%
Tags:
vmdetect emotet spoof
Result
Verdict:
Clean
Maliciousness:
Behaviour
Сreating synchronization primitives
Creating a file
Using the Windows Management Instrumentation requests
Delayed reading of the file
DNS request
Connection attempt
Sending an HTTP GET request
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
anti-debug anti-vm crypto evasive fingerprint hacktool microsoft_visual_cc reconnaissance
Verdict:
Malicious
Labled as:
Trojan.Recon.Marte.A.Generic
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-06-17T12:47:00Z UTC
Last seen:
2026-06-19T01:44:00Z UTC
Hits:
~100
Detections:
Trojan.Win32.RokRat.sb Trojan.Win32.Mansabo.sb Trojan.Win32.Alkhaser.c Trojan.Win32.Alkhaser.b Trojan.Win32.Alkhaser.a Trojan.Win32.Agent.sba Trojan.Multi.Alkhaser.sb Trojan-Spy.Win32.Noon.brub Trojan-Spy.Noon.HTTP.ServerRequest
Malware family:
Khalesi
Verdict:
Malicious
Score:
97%
Verdict:
Malware
File Type:
PE
Gathering data
Verdict:
Malicious
Threat:
Trojan.Win32.Alkhaser
Threat name:
Win64.Trojan.ReconMarte
Status:
Malicious
First seen:
2026-06-17 15:34:53 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
15 of 24 (62.50%)
Threat level:
5/5
Detection(s):
Suspicious file
Result
Malware family:
n/a
Score:
9/10
Tags:
defense_evasion
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks for VirtualBox DLLs, possible anti-VM trick
Checks system information in the registry
Suspicious use of NtSetInformationThreadHideFromDebugger
Looks up external IP address via web service
Maps connected drives based on registry
Checks BIOS information in registry
Identifies Wine through registry keys
Looks for VMWare Tools registry key
Enumerates VirtualBox registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Looks for VirtualBox Guest Additions in registry
Unpacked files
SH256 hash:
a22f6b53ac3ea0b4e55da3192c73644f0e364d43891ffd1ffcf38e9b961ac13a
MD5 hash:
f1fb1da09d7a724842257097b0a5ba82
SHA1 hash:
9e7782bc06576b237435cd16033bef73b923106f
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | Check_Debugger |
|---|
| Rule name: | Check_Dlls |
|---|
| Rule name: | Check_Qemu_Description |
|---|
| Rule name: | Check_Qemu_DeviceMap |
|---|
| Rule name: | Check_VBox_Description |
|---|
| Rule name: | Check_VBox_DeviceMap |
|---|
| Rule name: | Check_VBox_Guest_Additions |
|---|
| Rule name: | Check_VBox_VideoDrivers |
|---|
| Rule name: | Check_VmTools |
|---|
| Rule name: | Check_VMWare_DeviceMap |
|---|
| Rule name: | Check_Wine |
|---|
| Rule name: | CP_Script_Inject_Detector |
|---|---|
| Author: | DiegoAnalytics |
| Description: | Detects attempts to inject code into another process across PE, ELF, Mach-O binaries |
| Rule name: | DebuggerCheck__API |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DebuggerCheck__GlobalFlags |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DebuggerCheck__QueryInfo |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DebuggerCheck__RemoteAPI |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DebuggerException__ConsoleCtrl |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DebuggerException__SetConsoleCtrl |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DebuggerHiding__Active |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DebuggerHiding__Thread |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DetectEncryptedVariants |
|---|---|
| Author: | Zinyth |
| Description: | Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded |
| Rule name: | dgaagas |
|---|---|
| Author: | Harshit |
| Description: | Uses certutil.exe to download a file named test.txt |
| Rule name: | golang_bin_JCorn_CSC846 |
|---|---|
| Author: | Justin Cornwell |
| Description: | CSC-846 Golang detection ruleset |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL |
|---|---|
| Author: | ditekSHen |
| Description: | Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion |
| Rule name: | INDICATOR_SUSPICIOUS_References_SecTools |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing many IR and analysis tools |
| Rule name: | INDICATOR_SUSPICIOUS_Sandbox_Evasion_FilesComb |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing specific set of files observed in sandob anti-evation, and Emotet |
| Rule name: | INDICATOR_SUSPICIOUS_VM_Evasion_MACAddrComb |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing virtualization MAC addresses |
| Rule name: | INDICATOR_SUSPICIOUS_VM_Evasion_VirtDrvComb |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing combination of virtualization drivers |
| Rule name: | NET |
|---|---|
| Author: | malware-lu |
| Rule name: | pe_detect_tls_callbacks |
|---|
| Rule name: | Raspberry_Robin_DLL_MAY_2022 |
|---|---|
| Author: | CD_R0M_ |
| Description: | Detects DLL dropped by Raspberry Robin. |
| Reference: | https://redcanary.com/blog/raspberry-robin/ |
| Rule name: | SEH__vectored |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | Suspicious_PssCaptureSnapshot_Usage |
|---|---|
| Author: | Dana Behling - Just me not for personal curiosity, no company. |
| Description: | Detects binaries abusing PssCaptureSnapshot in combination with typical combination that indicates malicious activity. |
| Rule name: | Sus_CMD_Powershell_Usage |
|---|---|
| Author: | XiAnzheng |
| Description: | May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP) |
| Rule name: | ThreadControl__Context |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | VECT_Ransomware |
|---|---|
| Author: | Mustafa Bakhit |
| Description: | Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments. |
| Rule name: | vmdetect |
|---|---|
| Author: | nex |
| Description: | Possibly employs anti-virtualization techniques |
| Rule name: | Win_FakeInstaller_PythonShellcodeLoader_Crepectl_2026 |
|---|---|
| Author: | SixHands |
| Description: | Detects the analyzed fake installer sample using .key config, XOR key, and Python/fiber shellcode loader traits |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.