MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8dfa80c6a22b7168b3b6738295a472c1f8d96c932062c72a53062b04de909ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b8dfa80c6a22b7168b3b6738295a472c1f8d96c932062c72a53062b04de909ea
SHA3-384 hash: f38e7884a5d21b22d54505749b66b4e97c83713d87713ca015d2193a5a8b8165246cd4b08d4c8308be2de36df2cdf662
SHA1 hash: 158e61a797c29f8c7a5394964b0ab6e1644cd82b
MD5 hash: fda139d8edc75f77c2606dc9a67f762d
humanhash: colorado-winter-oregon-ack
File name:sh.ext.bin
Download: download sample
File size:5'955'608 bytes
First seen:2025-05-20 13:24:26 UTC
Last seen:2025-05-28 14:18:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b5a014d7eeb4c2042897567e1288a095 (19 x HijackLoader, 14 x ValleyRAT, 12 x LummaStealer)
ssdeep 98304:gpe2bolizLouGhKNCkUrAfJutc4xbZK9JufguWQEqrcDmRAc1Jt7TNLz:gpeYolezGhOCkUs4xbZKruYeEqwDmRAc
TLSH T1B05633023B94A9F5DA21D4B0AF6ECB22C57BF79D9B404D0BD2D91E501F931B1160BAEC
TrID 38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
24.6% (.EXE) Win64 Executable (generic) (10522/11/4)
11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.7% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon c292ecd8f2f6fe1c (15 x HijackLoader, 11 x LummaStealer, 7 x Arechclient2)
Reporter aachum
Tags:AcreedStealer dropped-by-ACRStealer exe hateimplant-top HIjackLoader sh.ext trustdomainnet-live


Avatar
iamaachum
https://h4.ripcordbuffalo.run/sh.ext.bin

C2: trustdomainnet.live

Intelligence

File Origin
# of uploads :
5
# of downloads :
427
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file.exe
Verdict:
Malicious activity
Analysis date:
2025-05-20 01:23:54 UTC
Tags:
inno installer delphi stealer loader auto generic hijackloader
Link:
https://app.any.run/tasks/51085dae-b315-4ea2-8a44-0a9dae012d46

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.PUA.Win32.CandyOpen.23887.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=682c82dac28c67d666424ee8
Tags:
injection vmdetect obfusc virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file in the %temp% directory
Launching a process
Creating a file in the %AppData% directory
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context expired-cert fingerprint installer invalid-signature masquerade microsoft_visual_cc overlay overlay packed packer_detected signed
Link:
https://www.filescan.io/uploads/682c8310c609634bd7cb76d4/reports/449fb242-bc9c-44df-a987-0c4407cae495/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/b8dfa80c6a22b7168b3b6738295a472c1f8d96c932062c72a53062b04de909ea
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/0ec0967f-53f2-496b-bbc0-ab83cda4960c
Result
Threat name:
HTMLPhisher
Create hunting rule
Detection:
malicious
Classification:
phis.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1694964
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Found API chain indicative of debugger detection
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Yara detected BlockedWebSite
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1694964 Sample: sh.ext.bin.exe Startdate: 20/05/2025 Architecture: WINDOWS Score: 100 62 trustdomainnet.live 2->62 64 data-seed-prebsc-1-s1.binance.org 2->64 66 a8a00b7a27dd309f6.awsglobalaccelerator.com 2->66 86 Malicious sample detected (through community Yara rule) 2->86 88 Antivirus detection for URL or domain 2->88 90 Antivirus detection for dropped file 2->90 92 4 other signatures 2->92 9 sh.ext.bin.exe 8 2->9         started        13 NahimicSvc64.exe 11 2->13         started        15 NahimicSvc64.exe 8 2->15         started        signatures3 process4 file5 50 C:\Users\user\msvcr80.dll, PE32 9->50 dropped 52 C:\Users\user\msvcp80.dll, PE32 9->52 dropped 54 C:\Users\user54ahimicSvc64.exe, PE32 9->54 dropped 56 C:\Users\user\DivXDownloadManager.dll, PE32 9->56 dropped 94 Drops PE files to the user root directory 9->94 17 NahimicSvc64.exe 25 9->17         started        58 C:\Users\user\AppData\Roaming\...\IE.com, PE32 13->58 dropped 60 C:\Users\user\AppData\Local\Temp34352.tmp, PE32 13->60 dropped 96 Modifies the context of a thread in another process (thread injection) 13->96 98 Maps a DLL or memory area into another process 13->98 100 Found direct / indirect Syscall (likely to bypass EDR) 13->100 21 IE.com 31 13->21         started        24 7za.exe 1 13->24         started        26 7za.exe 1 15->26         started        signatures6 process7 dnsIp8 40 C:\Users\user\AppData\Local\...\C995ACD.tmp, PE32 17->40 dropped 42 C:\ProgramData\MBSDK\msvcr80.dll, PE32 17->42 dropped 44 C:\ProgramData\MBSDK\msvcp80.dll, PE32 17->44 dropped 48 2 other malicious files 17->48 dropped 74 Found many strings related to Crypto-Wallets (likely being stolen) 17->74 76 Found API chain indicative of debugger detection 17->76 78 Injects code into the Windows Explorer (explorer.exe) 17->78 84 4 other signatures 17->84 28 explorer.exe 14 17->28         started        32 7za.exe 1 17->32         started        68 trustdomainnet.live 172.67.191.134, 443, 49701, 49705 CLOUDFLARENETUS United States 21->68 70 3.33.196.84, 49698, 49699, 49700 AMAZONEXPANSIONGB United States 21->70 46 C:\ProgramData\Direct\icons\testarc.zip, HTML 21->46 dropped 80 Switches to a custom stack to bypass stack traces 21->80 82 Found direct / indirect Syscall (likely to bypass EDR) 21->82 34 conhost.exe 24->34         started        36 conhost.exe 26->36         started        file9 signatures10 process11 dnsIp12 72 a8a00b7a27dd309f6.awsglobalaccelerator.com 15.197.198.189, 49696, 8545 TANDEMUS United States 28->72 102 System process connects to network (likely due to code injection or exploit) 28->102 104 Found many strings related to Crypto-Wallets (likely being stolen) 28->104 106 Switches to a custom stack to bypass stack traces 28->106 108 Found direct / indirect Syscall (likely to bypass EDR) 32->108 38 conhost.exe 32->38         started        signatures13 process14
Score:
78%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b8dfa80c6a22b7168b3b6738295a472c1f8d96c932062c72a53062b04de909ea
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b8dfa80c6a22b7168b3b6738295a472c1f8d96c932062c72a53062b04de909ea/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-05-19 18:24:35 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xdp2qddkek3rncz3m44cswshfqpy3fwjgidcy4vfgbrlatpjbhva._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/250520-qqgmasdj9t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
b8dfa80c6a22b7168b3b6738295a472c1f8d96c932062c72a53062b04de909ea
MD5 hash:
fda139d8edc75f77c2606dc9a67f762d
SHA1 hash:
158e61a797c29f8c7a5394964b0ab6e1644cd82b
Link:
https://www.unpac.me/results/8f2155de-c6d7-45bf-a331-d1bb50c2da52/
SH256 hash:
48704d9bf353d9c9608edb38609321926b731d5e98b4eef0cecdde679864a0c8
MD5 hash:
8b45ad5b937c9f5aa2d9204049ccc4f5
SHA1 hash:
26937b1104827837923826cb8c75a2479dac5390
Link:
https://www.unpac.me/results/8f2155de-c6d7-45bf-a331-d1bb50c2da52/
SH256 hash:
756ad5dff6923cd5970be7126117b6572259b2d22f76b327444ea5e71c84f9a0
MD5 hash:
f2ebdf5a2aac96ae25752c2165c12ae4
SHA1 hash:
59ab9f555b02a6da81b2143a7a0e75639add1719
Link:
https://www.unpac.me/results/8f2155de-c6d7-45bf-a331-d1bb50c2da52/
SH256 hash:
c3dcec682360408bb5ea207f7e4dbe5df3586d54344e75550591f78105f3aec3
MD5 hash:
5c0e836ed6847dc6e430b59be52bf563
SHA1 hash:
a34c99dfdce8685429e41c1214c7da42b937ac4e
Link:
https://www.unpac.me/results/8f2155de-c6d7-45bf-a331-d1bb50c2da52/
SH256 hash:
6eb98e078243aa39dd0f884090ac4488d10a15b2debcad5daf36dbb23942adbe
MD5 hash:
e981f4859617c7455ce673e3d3126437
SHA1 hash:
e63837c15572c3e221e25854398d086e020df1fe
Link:
https://www.unpac.me/results/8f2155de-c6d7-45bf-a331-d1bb50c2da52/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:Macos_Infostealer_Wallets_8e469ea0
Create hunting rule
Author:Elastic Security
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe b8dfa80c6a22b7168b3b6738295a472c1f8d96c932062c72a53062b04de909ea

(this sample)

anyrun
any.run
https://app.any.run/tasks/af32364c-0114-4aab-9798-5edc39be92da
  
Dropped by
ACRStealer
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3548096/
  
URLhaus
https://urlhaus.abuse.ch/url/3548105/
  
URLhaus
https://urlhaus.abuse.ch/url/3548106/
  
URLhaus
https://urlhaus.abuse.ch/url/3548107/
  
URLhaus
https://urlhaus.abuse.ch/url/3548953/

Comments