MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a38926b27a00b97bb98971cf4c8a538fcc7a4b9bc85cc6f77f4a0abc036b66aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SolarisLoader


Vendor detections: 13



SHA256 hash: a38926b27a00b97bb98971cf4c8a538fcc7a4b9bc85cc6f77f4a0abc036b66aa
SHA3-384 hash: 8b8a1cdf9c55371d3587e746599af93adffcc87e462547eedf00a9623783388c62e61c309e5ccb9acd8b60a4ad559590
SHA1 hash: 8b87e252ce8f449247f8baa2a1dd346a75194f1f
MD5 hash: 9545e8f1a1900b8899b129839ad17024
humanhash: apart-mountain-seventeen-coffee
File name: a38926b27a00b97bb98971cf4c8a538fcc7a4b9bc85cc6f77f4a0abc036b66aa.bin
Signature: SolarisLoader
File size: 29'184 bytes
First seen: 2026-06-23 09:20:42 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash cb12d737f70331a45875da1d1aea73f8 (2 x SolarisLoader)
ssdeep 768:gm5NXQBiCGgZcoR61+1TTjktiTrtiWBMsSa2XFtCVyem8P53K:g2u8NULRXxLrEWmHauOVLXK
Threatray 17 similar samples on MalwareBazaar
TLSH T167D24A2AF7E61196CFA5BB7ED9340333DBA2F5C67320531F2720C9199F53522A118B89
TrID 33.1% (.EXE) Win64 Executable (generic) (6522/11/2)
25.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.4% (.ICL) Windows Icons Library (generic) (2059/9)
10.3% (.EXE) OS/2 Executable (generic) (2029/13)
10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter spamhaus
Tags: exe SolarisLoader
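Before trusting any of the sandbox verdicts below, confirm that the file you actually downloaded is the one this entry describes. The following script is an added example (not MalwareBazaar's own tooling): it parses the hash and size fields exactly as they are printed in the listing above, including the apostrophe thousands separator in the size and the missing space after some colons, and compares them against a local file. The entry text is a constructed excerpt of the fields shown on this page; the path passed on the command line is yours.

```python
import hashlib
import re
import sys

# Constructed excerpt of the entry fields listed above (values copied from the page;
# the sample bytes themselves are NOT embedded here).
ENTRY_TEXT = """\
SHA256 hash: a38926b27a00b97bb98971cf4c8a538fcc7a4b9bc85cc6f77f4a0abc036b66aa
SHA3-384 hash: 8b8a1cdf9c55371d3587e746599af93adffcc87e462547eedf00a9623783388c62e61c309e5ccb9acd8b60a4ad559590
SHA1 hash: 8b87e252ce8f449247f8baa2a1dd346a75194f1f
MD5 hash: 9545e8f1a1900b8899b129839ad17024
File size:29'184 bytes
"""

# Page labels mapped to hashlib algorithm names.
LABELS = {
    "SHA256 hash": "sha256",
    "SHA3-384 hash": "sha3_384",
    "SHA1 hash": "sha1",
    "MD5 hash": "md5",
}


def parse_entry(text):
    """Extract the digests and file size from MalwareBazaar-style 'Label: value' lines.
    Tolerates a missing space after the colon and the 29'184 size format."""
    expected = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z0-9\- ]+?):\s*(.+?)\s*$", line)
        if not m:
            continue
        label, value = m.group(1), m.group(2)
        if label in LABELS:
            expected[LABELS[label]] = value.lower()
        elif label == "File size":
            expected["size"] = int(re.sub(r"[^0-9]", "", value))
    return expected


def compute_hashes(data):
    """All four digests the entry lists, keyed by hashlib name."""
    return {name: hashlib.new(name, data).hexdigest() for name in LABELS.values()}


def verify_sample(data, expected):
    """Compare a candidate file against the parsed entry.
    Returns {field: bool}; only fields present in the entry are checked."""
    actual = compute_hashes(data)
    actual["size"] = len(data)
    return {field: actual[field] == value for field, value in expected.items()}


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        sample = fh.read()
    report = verify_sample(sample, parse_entry(ENTRY_TEXT))
    for field, ok in report.items():
        print(f"{field:9s} {'OK' if ok else 'MISMATCH'}")
    sys.exit(0 if all(report.values()) else 1)
```

Run it as `python verify.py <extracted sample>`; a non-zero exit means at least one digest or the size differs from the entry, which is the case to stop and re-download rather than analyse. Checking size alongside the digests catches the common mistake of hashing the still-wrapped archive instead of the extracted executable.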

Intelligence


File Origin
# of uploads :
1
# of downloads :
137
Origin country :
GR GR
Vendor Threat Intelligence
No detections
Malware family:
phorpiex
ID:
1
File name:
main.exe.zip
Verdict:
Malicious activity
Analysis date:
2026-04-24 02:00:35 UTC
Tags:
auto xworm rat arch-exec python github stealer stealc phorpiex botnet possible-phishing powershell phishing clickfix generic anti-evasion violetworm worm vidar action1rmm quasar havoc tool koiloader loader networm amus xenorat cobaltstrike golang guloader cryptowall ransomware njrat bladabindi bruteratel remote evasion rustystealer meterpreter gh0st asyncrat redline discordrat remcos stealerium wannacry pushware adware donutloader pyinstaller whitesnakestealer putty rmm-tool metasploit pythonstealer coinminer miner amadey websocket susp-powershell ghostsocks proxyware pastebin santastealer neshta dattormm lumma autoit datto ammy smb cryptolocker autohotkey dcrat noescape wiper muckstealer action1 jigsaw salatstealer telegram scan smbscan jeefo netsupport gotoresolve hijackloader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
autorun emotet agentb
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Loading a suspicious library
Enabling the 'hidden' option for files in the %temp% directory
Searching for synchronization primitives
Creating a process from a recently created file
Creating a file in the %AppData% directory
Launching a process
Creating a process with a hidden window
Connection attempt to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Enabling autorun
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade microsoft_visual_cc obfuscated packed
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-04-23T19:42:00Z UTC
Last seen:
2026-06-24T22:11:00Z UTC
Hits:
~100
Threat name:
Win64.Trojan.Amadey
Status:
Malicious
First seen:
2026-04-24 00:54:42 UTC
File Type:
PE+ (Exe)
AV detection:
25 of 36 (69.44%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Executes dropped EXE
Registers new Windows logon scripts automatically executed at logon.
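The two behaviour lists above describe the same persistence chain from different angles: a file is dropped under %AppData% or %temp% and executed, a Run-key value is written, a logon script is registered, and the Task Scheduler COM API is used. The following is an added example (not code from the sandboxes or from MalwareBazaar) of turning those observations into host-side detection logic over Sysmon-style events. The events are constructed for the example, with invented paths and names; the mapping of "logon script" to the `Environment\UserInitMprLogonScript` value and of COM-created tasks to files under `System32\Tasks` are assumptions about the mechanism, since the sandbox output does not name the registry path or task name it saw.

```python
import re

# Constructed Sysmon-style events modelled on the behaviour listed above.
# Every path, SID and name here is invented for the example.
EVENTS = [
    {"event": "FileCreate", "image": r"C:\Users\u\Desktop\main.exe",
     "target": r"C:\Users\u\AppData\Roaming\svc\host.exe"},
    {"event": "ProcessCreate", "parent": r"C:\Users\u\Desktop\main.exe",
     "image": r"C:\Users\u\AppData\Roaming\svc\host.exe", "cmdline": "host.exe"},
    {"event": "RegistryValueSet", "image": r"C:\Users\u\AppData\Roaming\svc\host.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "details": r"C:\Users\u\AppData\Roaming\svc\host.exe"},
    {"event": "RegistryValueSet", "image": r"C:\Users\u\AppData\Roaming\svc\host.exe",
     "target": r"HKU\S-1-5-21-1\Environment\UserInitMprLogonScript",
     "details": r"C:\Users\u\AppData\Roaming\svc\host.exe"},
    # Task Scheduler COM API registrations are written by svchost, not by the caller.
    {"event": "FileCreate", "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\System32\Tasks\svcUpdate"},
    # Benign noise that must not fire.
    {"event": "ProcessCreate", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

# Patterns are anchored on path components so partial names do not match.
USER_WRITABLE = re.compile(r"\\(AppData\\(Roaming|Local)|Temp)\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
LOGON_SCRIPT = re.compile(r"\\Environment\\UserInitMprLogonScript$", re.I)
TASK_FILE = re.compile(r"\\Windows\\System32\\Tasks\\", re.I)


def triage(events):
    """Return (rule_name, event) pairs for persistence-related events.
    Files dropped into user-writable paths are remembered so that their later
    execution is flagged even though the process-create event alone looks bland."""
    dropped = set()
    hits = []
    for ev in events:
        kind = ev["event"]
        if kind == "FileCreate":
            if USER_WRITABLE.search(ev["target"]):
                dropped.add(ev["target"].lower())
            if TASK_FILE.search(ev["target"]):
                hits.append(("scheduled_task_file", ev))
        elif kind == "ProcessCreate":
            if ev["image"].lower() in dropped:
                hits.append(("dropped_exe_executed", ev))
        elif kind == "RegistryValueSet":
            if RUN_KEY.search(ev["target"]):
                hits.append(("run_key_autorun", ev))
            if LOGON_SCRIPT.search(ev["target"]):
                hits.append(("logon_script", ev))
    return hits


def summarize(events):
    """Distinct rule names that fired, sorted for stable reporting."""
    return sorted({rule for rule, _ in triage(events)})


if __name__ == "__main__":
    for rule, ev in triage(EVENTS):
        print(f"{rule:22s} {ev.get('target', ev.get('image'))}")
```

The state kept in `dropped` is the part worth copying: a Run-key write by itself is common on clean hosts, but a Run-key value that points at a file the same process just dropped into %AppData% and then executed is the chain both sandboxes report. The scheduled-task rule keys on the task file rather than on `schtasks.exe`, because the COM API path never spawns that process.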
Unpacked files
SHA256 hash:
a38926b27a00b97bb98971cf4c8a538fcc7a4b9bc85cc6f77f4a0abc036b66aa
MD5 hash:
9545e8f1a1900b8899b129839ad17024
SHA1 hash:
8b87e252ce8f449247f8baa2a1dd346a75194f1f
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_ReflectiveLoader
Author:ditekSHen
Description:Detects Reflective DLL injection artifacts
Rule name:ReflectiveLoader
Author:Florian Roth (Nextron Systems)
Description:Detects an unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:Internal Research
Rule name:SUSP_XORed_Mozilla_Oct19
Author:Florian Roth
Description:Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()
Rule name:SUSP_XORed_Mozilla_RID2DB4
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:ThreadControl__Context
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:VECT_Ransomware
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SolarisLoader

Executable exe a38926b27a00b97bb98971cf4c8a538fcc7a4b9bc85cc6f77f4a0abc036b66aa (this sample)
Delivery method
Distributed via web download

Comments