MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af0b1df56ccc89a58a1e3693379e032daa1ce83d29bb6428ad7a187eb216eb2a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 16

Intelligence 16 IOCs YARA 6 File information Comments

SHA256 hash:	af0b1df56ccc89a58a1e3693379e032daa1ce83d29bb6428ad7a187eb216eb2a
SHA3-384 hash:	74902537ba78279476b8c63d98483e4d4807e7cd0e773e0e94faaa7bdf23993e5b333dc04f017a2e912de1b56f641e3a
SHA1 hash:	1342d6216faef0652d660dac5f356ddb66945022
MD5 hash:	028797b0745e4f703eb103e5aff27d2c
humanhash:	saturn-queen-rugby-steak
File name:	one war hack.exe
Download:	download sample
File size:	1'701'888 bytes
First seen:	2025-08-26 07:53:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1ce39e07a979f0e3da342ee46f74268b (8 x LummaStealer, 2 x Rhadamanthys, 2 x CoinMiner)
ssdeep	24576:/Qb60rv833KVuHQkX4vzSvbnewYeqaMeNEmfC5G7P4R7zMAzS:+62v8327k2bq13fZwBAqS
Threatray	98 similar samples on MalwareBazaar
TLSH	T1D275E019E83991D7FCC740F16B165241B4336E378F285DAB40E89751266AEED0A3F33A
TrID	63.5% (.EXE) Win64 Executable (generic) (10522/11/4) 12.2% (.EXE) OS/2 Executable (generic) (2029/13) 12.0% (.EXE) Generic Win/DOS Executable (2002/3) 12.0% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	burger
Tags:	exe LummaStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

one war hack.exe

Verdict:

Malicious activity

Analysis date:

2025-08-26 07:49:37 UTC

Tags:

lumma

Link:

https://app.any.run/tasks/d00b0e8f-d402-4c42-b749-997a6852cc6e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/23590/

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68ad6800eb163e0ec182bab2

Tags:

kryptik virus

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

crypt fingerprint krypt microsoft_visual_cc packed unsafe

Link:

https://www.filescan.io/uploads/68ad67fafc438b9ff4b82147/reports/35c4b791-1f59-4797-a28e-922e2d2785c7/overview

Verdict:

Malicious

Labled as:

Lazy.Generic

Link:

https://www.hybrid-analysis.com/sample/af0b1df56ccc89a58a1e3693379e032daa1ce83d29bb6428ad7a187eb216eb2a

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Clean

File Type:

exe x64

Link:

https://opentip.kaspersky.com/af0b1df56ccc89a58a1e3693379e032daa1ce83d29bb6428ad7a187eb216eb2a/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/950c6651-d4b0-460f-83dd-6138026d33be

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/1765193

Signature

Checks if the current machine is a virtual machine (disk enumeration)

Injects a PE file into a foreign processes

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Sets debug register (to hijack the execution of another thread)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/af0b1df56ccc89a58a1e3693379e032daa1ce83d29bb6428ad7a187eb216eb2a

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/028797b0745e4f703eb103e5aff27d2c

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/af0b1df56ccc89a58a1e3693379e032daa1ce83d29bb6428ad7a187eb216eb2a/

Verdict:

Malicious

Threat:

Family.LUMMA

Link:

https://tip.neiki.dev/file/af0b1df56ccc89a58a1e3693379e032daa1ce83d29bb6428ad7a187eb216eb2a

Threat name:

Win64.Trojan.LummaStealer

Status:

Malicious

First seen:

2025-08-26 01:23:01 UTC

File Type:

PE+ (Exe)

AV detection:

29 of 38 (76.32%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=v4fr35lmzse2lcq6g2jtphqdfwvbz2b5fg5wikfnpimh5mqw5mva._file

Verdict:

malicious

Label(s):

rhadamanthys

1b35dcf34e3ad95f8148543349418a51fa31eaa37a807d9d2ddedd56a54bfd57

1c550627d02d46e25498d8191e5758f57c55a6c78371dc2005cdb31cdcf20064

7c513b4a91a01e467c917065004749df6247c61e8238ef744bbdaec1273ff552

81d322befe2fb9594401df99bba21b530b75feb0a505a64c67839d93df9fac50

a5abb6a6dcbd0e5a11bc7788b06ed3f9ec916ab742da913056161a0baaea09a5

bdaf265aea5fcf3a334c394b1a2683363a4a58b2f222015f16e076aed162fdda

c4957b3e8d09615172703a9349dcd8c88271ad3f1449154b188cb579a830ba71

ecf7e8e17b502ca9e4b6274cf007bb8f9c18d0ad1518ce3911db3e70337958ab

error

+ 88 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/250826-jq9jracn51/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/7ddafdac-2773-4d62-b08b-566b30ed3658

Unpacked files

SH256 hash:

af0b1df56ccc89a58a1e3693379e032daa1ce83d29bb6428ad7a187eb216eb2a

MD5 hash:

028797b0745e4f703eb103e5aff27d2c

SHA1 hash:

1342d6216faef0652d660dac5f356ddb66945022

Link:

https://www.unpac.me/results/d3e7d806-b421-46ba-83bd-9ce76889e9bd/

Malware family:

Rhadamanthys

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/af0b1df56ccc/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/af0b1df56ccc89a58a1e3693379e032daa1ce83d29bb6428ad7a187eb216eb2a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/23590/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample