MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 b0194c2c0f5d3779822b8ea3ec8ddb802b66b661079955809d7a397c19b70d32. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Threat unknown
Vendor detections: 9
| SHA256 hash: | b0194c2c0f5d3779822b8ea3ec8ddb802b66b661079955809d7a397c19b70d32 |
|---|---|
| SHA3-384 hash: | 0b2851ee0301f06b6c8bfd7508a00447558f0407aa7a1f4a5f5d8582744f0249fc3c14f029c0e82b1032c0b9e39f27b2 |
| SHA1 hash: | 16746f9848d4d4bbf0537465df853c7ca7c6c24d |
| MD5 hash: | 8751569e63b6eac4a2b21beb64f26227 |
| humanhash: | stream-sad-speaker-diet |
| File name: | Clash-X64.exe |
| Download: | download sample |
| File size: | 87'057'355 bytes |
| First seen: | 2026-07-09 02:40:22 UTC |
| Last seen: | Never |
| File type: | |
| MIME type: | application/x-dosexec |
| imphash | 88016fcdef7f227c62171d0afad9aae4 (15 x OffLoader, 10 x ValleyRAT, 5 x Tofsee) |
| ssdeep | 1572864:oP5AgEP+C5MDEl4TKAAdVx5TL1/Ih1xdnoI+dgRH9qxKYmZUcXzZIG/J+p:n9DyAlSMxZBIPx6IJbq4Lq8zXJo |
| TLSH | T17F183333E21A652DE07A5E35697BA136C237B9316E134C1B96F4846CDF160A03F3B786 |
| TrID | 63.8% (.EXE) Inno Setup installer (107240/4/30) 24.7% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 3.8% (.EXE) Win64 Executable (generic) (6522/11/2) 2.6% (.EXE) Win32 Executable (generic) (4504/4/1) 1.2% (.EXE) Win16/32 Executable Delphi generic (2072/23) |
| Magika | pebin |
| dhash icon | 0049c8e9d4d6d410 (1 x AsyncRAT, 1 x ValleyRAT) |
| Reporter | |
| Tags: | Androm exe RAT zbot |
Intelligence
File Origin
# of uploads :
1
# of downloads :
168
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
_b0194c2c0f5d3779822b8ea3ec8ddb802b66b661079955809d7a397c19b70d32
Verdict:
No threats detected
Analysis date:
2026-07-09 02:48:06 UTC
Tags:
n/a
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Clean
Score:
89.3%
Tags:
n/a
Result
Verdict:
Clean
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
adaptive-context crypto embarcadero_delphi fingerprint inno installer installer installer-heuristic packed reconnaissance
Verdict:
Malicious
Labled as:
Suspicious:TrojanSpy.Banker.YIR.kkwi.dll
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-07-08T05:27:00Z UTC
Last seen:
2026-07-09T00:48:00Z UTC
Hits:
~100
Detections:
Trojan-Downloader.Agentb.HTTP.C&C Backdoor.Androm.HTTP.Download VHO:Backdoor.Win32.Androm.gen Trojan-Spy.Win32.Xegumumune.sbc Trojan-PSW.Win32.Coins.sb VHO:Backdoor.Win32.Androm.wdvs BSS:Trojan.Win32.Generic Backdoor.Win32.Androm.wdvs Trojan.Win32.Waldek.sb Trojan-Spy.Win32.Agent.sb
Score:
82%
Verdict:
Malware
File Type:
PE
Gathering data
Verdict:
Malicious
Threat:
Backdoor.Win32.Androm
Threat name:
Win32.Backdoor.Androm
Status:
Suspicious
First seen:
2026-07-09 02:42:50 UTC
File Type:
PE (Exe)
AV detection:
2 of 24 (8.33%)
Threat level:
5/5
Detection(s):
Suspicious file
Result
Malware family:
n/a
Score:
7/10
Tags:
discovery installer
Behaviour
Suspicious use of WriteProcessMemory
Inno Setup is an open-source installation builder for Windows applications.
System Location Discovery: System Language Discovery
Executes dropped EXE
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
exe b0194c2c0f5d3779822b8ea3ec8ddb802b66b661079955809d7a397c19b70d32
(this sample)
Delivery method
Distributed via web download
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.