MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a31e83824b1da9be127cfef373d59cf61b6a07eeb8b6a982d15864127372254c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 10


SHA256 hash: a31e83824b1da9be127cfef373d59cf61b6a07eeb8b6a982d15864127372254c
SHA3-384 hash: bcb6c45d5dcf302df209a8f15659ecd7f06c8af63ae951b87d91f350df8993343c34fa5bc33d6054e2a26af9705cd62a
SHA1 hash: 786b109c8b6d7b0da5388072540e2560324204e2
MD5 hash: d8dc4591476fb53cfd842a493bb6753c
humanhash: yellow-pip-rugby-nebraska
File name: Loader.exe
File size: 97'814'092 bytes
First seen: 2026-03-01 11:23:48 UTC
Last seen: 2026-03-01 13:03:03 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: b34f154ec913d2d2c435cbd644e91687 (548 x GuLoader, 117 x RemcosRAT, 80 x EpsilonStealer)
ssdeep: 1572864:xqAiPyZvYbPes9b4SQ4GqfG1LL3Xu9TfHuYDwkYCHsqxctPOE7mBvwTEwRx9i1VD:xqACyZACOb9nG1LqBfHuQwtGotEoKSQ
TLSH: T1442833EAE6D07EE6FC3EA93D29BCC671515C5225FD76E11F828600C6D42CE25684B3C2
TrID: 50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      10.5% (.EXE) Win64 Executable (generic) (6522/11/2)
      8.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
      7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
Reporter burger
Tags: exe stealer

Intelligence


File Origin
# of uploads: 2
# of downloads: 127
Origin country: NL
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Loader.exe
Verdict: Malicious activity
Analysis date: 2026-03-01 11:22:28 UTC
Tags: evasion auto-startup stealer discord nodejs

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: adaptive-context anti-debug anti-vm blackhole crypto fingerprint installer installer installer-heuristic microsoft_visual_cc nsis soft-404
Result
Verdict: Malicious
File Type: exe x32
Detections: HEUR:Trojan.Script.Generic
Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 56 / 100
Signature
Drops large PE files
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Unusual module load detection (module proxying)
Behaviour
Behavior Graph (ID 1876459; sample Loader.exe; start date 01/03/2026; architecture WINDOWS; score 56). Recoverable nodes: Loader.exe was started twice. The first instance dropped C:\Users\user\AppData\Local\...\nsis7z.dll, C:\Users\user\AppData\Local\...\nsExec.dll and C:\Users\user\AppData\Local\...\System.dll (all PE32) plus 18 other files (none malicious), triggered "Drops large PE files", and started two powershell.exe processes, each of which started a conhost.exe; the first powershell.exe triggered "Loading BitLocker PowerShell Module". The second Loader.exe instance triggered "Unusual module load detection (module proxying)". "Joe Sandbox ML detected suspicious sample" applies to the sample as a whole.
Result
Malware family: n/a
Score: 8/10
Tags: credential_access defense_evasion discovery execution linux pyinstaller spyware stealer
Behaviour
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Command and Scripting Interpreter: PowerShell
Detects Pyinstaller
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Windows directory
Hide Artifacts: Ignore Process Interrupts
Checks installed software on the system
Contacts third-party web service commonly abused for C2
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Uses browser remote debugging
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
