MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa51573f9abcd4a1ec4a61ee7e5811c0279e015ea22bdb787780d67ce7153a57. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Konni

Vendor detections: 13

Intelligence 13 IOCs YARA 1 File information Comments

SHA256 hash:	aa51573f9abcd4a1ec4a61ee7e5811c0279e015ea22bdb787780d67ce7153a57
SHA3-384 hash:	bba4769374e1cadcab24d3a8e92fb935227d022e10a6aa3d29d8559ffd82926443e590296384847fe884b5beda3a6451
SHA1 hash:	e5adeecfb03cc7d26de2f11746d3aef6b1fd4830
MD5 hash:	61f65bd593ea0e52ac0dfdc6bc9cd73a
humanhash:	saturn-thirteen-social-seven
File name:	aa51573f9abcd4a1ec4a61ee7e5811c0279e015ea22bdb787780d67ce7153a57
Download:	download sample
Signature	Konni Create hunting rule
File size:	1'172'992 bytes
First seen:	2026-03-17 12:33:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	0efd6cb0c6e770fe9c94ebe37a1fcc56 (1 x Konni)
ssdeep	24576:PUotovoXGo9zmmtVjRXEhMWgh5RfSqR8kkR2J9IWB7IyLS5LNYwihU:lmo2ixH++Wg51SqGkkR2bWyW5pY/h
TLSH	T15C4533AC0388E071CC079F7BACAE6B296D6C2535A3E9DDABD3C724217A574538C351D8
TrID	21.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 21.2% (.EXE) Win64 Executable (generic) (6522/11/2) 16.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 14.6% (.EXE) Win32 Executable (generic) (4504/4/1) 6.6% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	JAMESWT_WT
Tags:	exe KONNI Konni-EndRAT-KakaoTalk

Intelligence

File Origin

# of uploads :

# of downloads :

153

Origin country :

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/5924334e-c20e-40cb-bd4d-850c7016435a/

Malware family:

n/a

ID:

File name:

aa51573f9abcd4a1ec4a61ee7e5811c0279e015ea22bdb787780d67ce7153a57

Verdict:

Malicious activity

Analysis date:

2026-03-17 12:33:44 UTC

Tags:

vmprotect

Link:

https://app.any.run/tasks/892600a7-f3cd-4684-8d89-8dc8116ca601

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/57721/

Verdict:

Malicious

Score:

90.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69b94a4988c80c01586b1e25

Tags:

vmprotect virut

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file

Gathering data

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/aa51573f9abcd4a1ec4a61ee7e5811c0279e015ea22bdb787780d67ce7153a57

Verdict:

Malicious

File Type:

exe x32

Detections:

PDM:Trojan.Win32.Generic Trojan-Spy.Win32.Xegumumune.syz Trojan-Spy.Win32.Xegumumune.sba VHO:Trojan-Spy.Win32.Xegumumune.syz

Link:

https://opentip.kaspersky.com/aa51573f9abcd4a1ec4a61ee7e5811c0279e015ea22bdb787780d67ce7153a57/results?tab=lookup

Malware family:

KONNI

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/921c80f8-4de0-4fe0-9fc8-7abddfcf59ba

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/aa51573f9abcd4a1ec4a61ee7e5811c0279e015ea22bdb787780d67ce7153a57

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/61f65bd593ea0e52ac0dfdc6bc9cd73a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/aa51573f9abcd4a1ec4a61ee7e5811c0279e015ea22bdb787780d67ce7153a57/

Verdict:

Malicious

Threat:

Trojan-Spy.Win32.Xegumumune

Link:

https://tip.neiki.dev/file/aa51573f9abcd4a1ec4a61ee7e5811c0279e015ea22bdb787780d67ce7153a57

Threat name:

Win32.Trojan.Black

Status:

Malicious

First seen:

2026-03-02 11:01:25 UTC

File Type:

PE (Exe)

AV detection:

25 of 36 (69.44%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vjivop42xtkkd3ckmhxh4waryatz4ak6uiv5w6dxqdlhzzyvhjlq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery vmprotect

Link:

https://tria.ge/reports/260317-prvd4sa18m/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

System Location Discovery: System Language Discovery

VMProtect packed file

Unpacked files

SH256 hash:

aa51573f9abcd4a1ec4a61ee7e5811c0279e015ea22bdb787780d67ce7153a57

MD5 hash:

61f65bd593ea0e52ac0dfdc6bc9cd73a

SHA1 hash:

e5adeecfb03cc7d26de2f11746d3aef6b1fd4830

Link:

https://www.unpac.me/results/f441a017-3c86-41fb-bc2c-5932360550c9/

Malware family:

VMProtect

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/aa51573f9abc/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.55

Link:

https://yomi.yoroi.company/submissions/aa51573f9abcd4a1ec4a61ee7e5811c0279e015ea22bdb787780d67ce7153a57

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_VMProtect Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with VMProtect.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/57721/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample