MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a7993775f4518c6c68db08e226c11e51f9bc53314e4ff9385269baac582e2528. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a7993775f4518c6c68db08e226c11e51f9bc53314e4ff9385269baac582e2528
SHA3-384 hash: 85e40f5f976dbbbfa03dfcf5f2bcd7d8125ca4a251e8f2f52149ad5a4dbe9001c4dd88fe1eb1284a4044e7ff5a12d668
SHA1 hash: 162f1ac66eca4a97bdb19e4186bf659f7ad7e5bf
MD5 hash: 0b1882790718e6eebaee2d339594337f
humanhash: echo-washington-uniform-green
File name:a7993775f4518c6c68db08e226c11e51f9bc53314e4ff9385269baac582e2528
Download: download sample
File size:1'588'224 bytes
First seen:2025-08-09 17:37:54 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 60 x CobaltStrike, 44 x JanelaRAT)
ssdeep 12288:fp1V4iJHRGIquM9qncCMbo7wXKAFLYr6RRzBSU+wROPqgnoCxCcyt2VfKvSePall:fpASCRYgROtxXWalHv7ffKOgMQLChd
TLSH T19C753A443BF45A26D5AF1B7E94B202294BB1F405AB53FB4F1294B2BA1C72360CDA17D3
TrID 30.2% (.EXE) Win64 Executable (generic) (10522/11/4)
18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.9% (.EXE) Win32 Executable (generic) (4504/4/1)
5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter johnk3r
Tags:dll

Intelligence

File Origin
# of uploads :
1
# of downloads :
55
Origin country :
CH CH
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/19900/
Detection(s):
Win.Packed.Trojanx-9818175-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=689787a211d7f9b979e707aa
Tags:
vmdetect emotet
Result
Verdict:
Malware
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm anti-vm cmd cmstp cmstp control fingerprint lolbin lolbin microsoft.workflow.compiler obfuscated remote runonce schtasks vbnet wscript
Link:
https://www.filescan.io/uploads/689787d52fbe0788fb1cc66f/reports/783ae055-0240-4327-9489-51511a4f8e22/overview
Verdict:
Malicious
Labled as:
MSILHeracles.Generic
Link:
https://www.hybrid-analysis.com/sample/a7993775f4518c6c68db08e226c11e51f9bc53314e4ff9385269baac582e2528
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/184c4fcf-7e69-4783-80ce-e0415641069c
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1753765
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1753765 Sample: e2brAtin5Z.dll Startdate: 09/08/2025 Architecture: WINDOWS Score: 72 15 Antivirus / Scanner detection for submitted sample 2->15 17 Multi AV Scanner detection for submitted file 2->17 19 Yara detected UAC Bypass using CMSTP 2->19 21 2 other signatures 2->21 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 conhost.exe 7->11         started        process5 13 rundll32.exe 9->13         started       
Score:
3%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/a7993775f4518c6c68db08e226c11e51f9bc53314e4ff9385269baac582e2528
Verdict:
inconclusive
YARA:
7 match(es)
Tags:
.Net Executable PDB Path PE (Portable Executable) SOS: 0.24 SOS: 0.31 Win 32 Exe x86
Link:
https://app.malva.re/file/0b1882790718e6eebaee2d339594337f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a7993775f4518c6c68db08e226c11e51f9bc53314e4ff9385269baac582e2528/
Verdict:
Malicious
Threat:
HEUR:Exploit.MSIL.BypassUAC
Link:
https://tip.neiki.dev/file/a7993775f4518c6c68db08e226c11e51f9bc53314e4ff9385269baac582e2528
Threat name:
ByteCode-MSIL.Trojan.KatzStealer
Create hunting rule
Status:
Malicious
First seen:
2025-08-02 17:02:16 UTC
File Type:
PE (.Net Dll)
Extracted files:
4
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u6mto5pukgggy2g3bdrcnqi6kh43yuzrjzh7socsng5kywboeuua._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/250809-v8jxlavlx3/
Unpacked files
SH256 hash:
a7993775f4518c6c68db08e226c11e51f9bc53314e4ff9385269baac582e2528
MD5 hash:
0b1882790718e6eebaee2d339594337f
SHA1 hash:
162f1ac66eca4a97bdb19e4186bf659f7ad7e5bf
Link:
https://www.unpac.me/results/13921811-ca1f-4a2c-97dd-24eb24f484e8/
SH256 hash:
4f12c5dca2099492d0c0cd22edef841cbe8360af9be2d8e9b57c2f83d401c1a7
MD5 hash:
470f0db6a56a879985c62cd71c5a98a4
SHA1 hash:
ceaec46f7d65706ffc639e75c515d0a35a21338d
Link:
https://www.unpac.me/results/13921811-ca1f-4a2c-97dd-24eb24f484e8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.56
Link:
https://yomi.yoroi.company/submissions/a7993775f4518c6c68db08e226c11e51f9bc53314e4ff9385269baac582e2528

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Lumma_Stealer_Detection
Create hunting rule
Author:ashizZz
Description:Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/
Rule name:MAL_NET_Katz_Stealer_Loader_May25
Create hunting rule
Author:Jonathan Peters (cod3nym)
Description:Detects .NET based Katz stealer loader
Reference:Internal Research
Rule name:MAL_NET_UAC_Bypass_May25
Create hunting rule
Author:Jonathan Peters (cod3nym)
Description:Detects .NET based tool abusing legitimate Windows utility cmstp.exe to bypass UAC (User-Admin-Controls)
Reference:Internal Research
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

DLL dll a7993775f4518c6c68db08e226c11e51f9bc53314e4ff9385269baac582e2528

(this sample)

DLL dll 4f12c5dca2099492d0c0cd22edef841cbe8360af9be2d8e9b57c2f83d401c1a7

Cape
Cape
https://www.capesandbox.com/analysis/19900/
  
Dropping
SHA256 4f12c5dca2099492d0c0cd22edef841cbe8360af9be2d8e9b57c2f83d401c1a7
  
Dropping
MD5 470f0db6a56a879985c62cd71c5a98a4

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments