MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b00ffa3319c0c7768dd16df98249ca1a7c259a7d35c37fff4d1fa3bb19e38447. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b00ffa3319c0c7768dd16df98249ca1a7c259a7d35c37fff4d1fa3bb19e38447
SHA3-384 hash: 3a0b7fd2436faab79f11665c8d3216aded270b5bc77bd73b12e5b1563f0ce8db27028b54c10f8c4f24920ec813c35789
SHA1 hash: 1a50b611027cd694e50c1163196d7eca2a57f4a5
MD5 hash: 7d21e34d0476e02320cd579a681188c3
humanhash: california-stairway-six-kitten
File name:Loaderk.exe
Download: download sample
File size:27'316'224 bytes
First seen:2026-05-28 11:13:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 786432:NHg4PD+hSY9LG05xJi8k3R2nscsyMQvAIyTutG5VV4:Vg4PahZ7PcPuWyHvAP+G+
TLSH T11F573302EEFAB20DFE62797D94DB5051310AD105F29085994266133E81BEEFB3E819DF
TrID 33.1% (.EXE) Win64 Executable (generic) (6522/11/2)
25.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.4% (.ICL) Windows Icons Library (generic) (2059/9)
10.3% (.EXE) OS/2 Executable (generic) (2029/13)
10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter burger
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
DE DE
Vendor Threat Intelligence
Malware configuration found for:
PEunion
Details
PEunion
extracted components
PEunion
a decrypted stage 2 component
Link:
https://research.acce.ciphertechsolutions.com/results/53d9596e-54d7-47d3-9675-efc0e1edff7e/
Malware family:
n/a
ID:
1
File name:
Loaderk.exe
Verdict:
No threats detected
Analysis date:
2026-05-28 11:13:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8824a2a7-c8f8-4f65-8ea9-ce920e00c447

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/68277/
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a18232e33dfa243d40a64bc
Tags:
virus msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Moving a file to the %temp% directory
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b00ffa3319c0c7768dd16df98249ca1a7c259a7d35c37fff4d1fa3bb19e38447
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-05-28T08:20:00Z UTC
Last seen:
2026-05-28T09:36:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.Agent.sb HEUR:Trojan.MSIL.Agent.gen
Link:
https://opentip.kaspersky.com/b00ffa3319c0c7768dd16df98249ca1a7c259a7d35c37fff4d1fa3bb19e38447/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
bank.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1919698
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Contains functionality to inject code into remote processes
Early bird code injection technique detected
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious encrypted Powershell command line found
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious PowerShell Parameter Substring
Tries to detect debuggers (CloseHandle check)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to download files via bitsadmin
Tries to evade analysis by execution special instruction (VM detection)
Unusual module load detection (module proxying)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1919698 Sample: Loaderk.exe Startdate: 28/05/2026 Architecture: WINDOWS Score: 100 76 luckyware.cy 2->76 78 dns.google 2->78 98 Malicious sample detected (through community Yara rule) 2->98 100 Antivirus detection for dropped file 2->100 102 Antivirus / Scanner detection for submitted sample 2->102 104 10 other signatures 2->104 11 Loaderk.exe 3 2->11         started        15 powershell.exe 2->15         started        signatures3 process4 file5 64 C:\Users\user\AppData\...\DVNmhd0psS.exe, PE32+ 11->64 dropped 66 C:\Users\user\AppData\...\Loaderk.exe.log, CSV 11->66 dropped 112 Hijacks the control flow in another process 11->112 114 Modifies the context of a thread in another process (thread injection) 11->114 116 Injects a PE file into a foreign processes 11->116 118 Unusual module load detection (module proxying) 11->118 17 Loaderk.exe 6 11->17         started        21 DVNmhd0psS.exe 1 11->21         started        68 C:\Users\user\AppData\...\jvqlgugn.cmdline, Unicode 15->68 dropped 23 csc.exe 15->23         started        26 csc.exe 15->26         started        signatures6 process7 dnsIp8 70 dns.google 8.8.8.8, 443, 49715, 49731 GOOGLE-GoogleLLCUS United States 17->70 72 104.21.47.171, 49720, 49734, 49747 CLOUDFLARENET-CloudflareIncUS Canada 17->72 74 172.67.156.73, 49716, 49740, 49745 CLOUDFLARENET-CloudflareIncUS Canada 17->74 82 Writes to foreign memory regions 17->82 84 Allocates memory in foreign processes 17->84 86 Modifies the context of a thread in another process (thread injection) 17->86 94 2 other signatures 17->94 28 getmac.exe 1 12 17->28         started        88 Multi AV Scanner detection for dropped file 21->88 90 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 21->90 92 Query firmware table information (likely to detect VMs) 21->92 96 4 other signatures 21->96 32 conhost.exe 21->32         started        60 C:\Users\user\AppData\Local\...\jvqlgugn.dll, PE32 23->60 dropped 34 cvtres.exe 23->34         started        62 C:\Users\user\AppData\Local\...\qhndjnwj.dll, PE32 26->62 dropped 36 cvtres.exe 26->36         started        file9 signatures10 process11 dnsIp12 80 luckyware.cy 172.67.171.176, 443, 49725, 49727 CLOUDFLARENET-CloudflareIncUS Canada 28->80 120 Malicious encrypted Powershell command line found 28->120 122 Early bird code injection technique detected 28->122 124 Hijacks the control flow in another process 28->124 130 6 other signatures 28->130 38 conhost.exe 28->38         started        41 conhost.exe 28->41         started        43 svchost.exe 6 28->43         started        45 dllhost.exe 6 28->45         started        126 Encrypted powershell cmdline option found 32->126 128 Bypasses PowerShell execution policy 32->128 signatures13 process14 signatures15 106 Malicious encrypted Powershell command line found 38->106 108 Encrypted powershell cmdline option found 38->108 47 powershell.exe 11 38->47         started        50 powershell.exe 7 41->50         started        110 Unusual module load detection (module proxying) 43->110 process16 signatures17 132 Tries to download files via bitsadmin 47->132 134 Unusual module load detection (module proxying) 47->134 52 bitsadmin.exe 50->52         started        54 bitsadmin.exe 50->54         started        56 bitsadmin.exe 50->56         started        58 5 other processes 50->58 process18
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b00ffa3319c0c7768dd16df98249ca1a7c259a7d35c37fff4d1fa3bb19e38447
Gathering data
Gathering data
Verdict:
Malicious
Threat:
Trojan.Win32.Agent
Link:
https://tip.neiki.dev/file/b00ffa3319c0c7768dd16df98249ca1a7c259a7d35c37fff4d1fa3bb19e38447
Threat name:
ByteCode-MSIL.Trojan.Kepavll
Create hunting rule
Status:
Malicious
First seen:
2026-05-27 18:28:17 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
3
AV detection:
25 of 37 (67.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wah7umyzyddxndornx4yesokdj6clgt5gxbx772nd6r3wgpdqrdq._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/260528-nbpm9ae15z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Suspicious use of NtCreateUserProcessOtherParentProcess
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.64
Link:
https://yomi.yoroi.company/submissions/b00ffa3319c0c7768dd16df98249ca1a7c259a7d35c37fff4d1fa3bb19e38447

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/68277/

Comments