MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8e4db27a7347c05c3e9d42a6e04f9bf8ae0b0df6a78fb68c9d818bccd7a68ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b8e4db27a7347c05c3e9d42a6e04f9bf8ae0b0df6a78fb68c9d818bccd7a68ec
SHA3-384 hash: ee832fc3b1c150ebca500ae9f136f91c98b4a0b5146f33af2fdad85439b8ec530f1124da771d8a5bbf236d35d69b457c
SHA1 hash: 48a29e13562467c647793978587b1d92648c83cc
MD5 hash: 201a808756ea234893fee20bb524b05c
humanhash: florida-wisconsin-mars-massachusetts
File name:fish.txt
Download: download sample
File size:196'608 bytes
First seen:2026-03-08 06:56:30 UTC
Last seen:2026-03-08 20:52:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9da7080b9b697496fd4f41997e8bd436 (1 x INC, 1 x HVNC, 1 x RemcosRAT)
ssdeep 3072:8RLCJxDxQxsO8lM51B5GWp1icKAArDZz4N9GhbkrNEkOlKn/:NXDxQrbp0yN90QEHK
TLSH T109146B0927E610A6F0B66B7499F102934A3A7C637B7592FF5784803E0E336C4A971F63
TrID 45.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
18.0% (.EXE) Win64 Executable (generic) (6522/11/2)
13.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.6% (.ICL) Windows Icons Library (generic) (2059/9)
5.6% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'108 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe RAT txt

Intelligence

File Origin
# of uploads :
3
# of downloads :
155
Origin country :
SE SE
Vendor Threat Intelligence
Malware configuration found for:
Archives
Details
Archives
an extracted Cabinet archive from the resources and SFX parameters
BatchScript
varying reportable information from embedded commands and any observed URLs
Link:
https://research.acce.ciphertechsolutions.com/results/097db6b9-8bc0-472e-b17b-674bb25e1c1f/
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
05d6f4e462065f3c5c3710775f15f96d333ff3d35ea7860536c6208ff4c2f294.bin.txt
Verdict:
Malicious activity
Analysis date:
2026-03-06 17:13:55 UTC
Tags:
uac auto-reg asyncrat rat loader
Link:
https://app.any.run/tasks/11b62946-c8b6-4f1a-8db6-ed2476f25e1e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/56610/
Detection(s):
SecuriteInfo.com.W64.ABmRisk.KBZH-9317.19854.3080.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69ad1dd4e41a5a099930d2a7
Tags:
dropper shell virus
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context CAB explorer installer installer installer-heuristic lolbin masquerade microsoft_visual_cc rundll32 runonce sfx
Link:
https://www.filescan.io/uploads/69ad1dc997feb4afd67434cb/reports/2fe14d19-0477-471e-ae99-0b6107419b83/overview
Verdict:
Suspicious
Labled as:
Generik.UPUXLQ trojan
Link:
https://www.hybrid-analysis.com/sample/b8e4db27a7347c05c3e9d42a6e04f9bf8ae0b0df6a78fb68c9d818bccd7a68ec
Verdict:
Malicious
File Type:
exe x64
Detections:
Trojan.PowerShell.DefenderDisabler.sb Trojan.Win32.Agent.sb
Link:
https://opentip.kaspersky.com/b8e4db27a7347c05c3e9d42a6e04f9bf8ae0b0df6a78fb68c9d818bccd7a68ec/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/7c18f126-f9ea-4650-b362-7b2b1bfe131f
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1880172
Signature
AI detected malicious Powershell script
Bypasses PowerShell execution policy
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Double Extension File Execution
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Uses an obfuscated file name to hide its real file extension (double extension)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1880172 Sample: fish.txt.exe Startdate: 08/03/2026 Architecture: WINDOWS Score: 80 27 Sigma detected: Suspicious Double Extension File Execution 2->27 29 Uses an obfuscated file name to hide its real file extension (double extension) 2->29 31 AI detected malicious Powershell script 2->31 33 3 other signatures 2->33 8 fish.txt.exe 1 3 2->8         started        10 rundll32.exe 2->10         started        process3 process4 12 cmd.exe 2 8->12         started        file5 23 C:\Users\user\AppData\...\sysfix_15788.ps1, ASCII 12->23 dropped 35 Suspicious powershell command line found 12->35 37 Bypasses PowerShell execution policy 12->37 16 powershell.exe 21 12->16         started        19 conhost.exe 12->19         started        signatures6 process7 signatures8 25 Loading BitLocker PowerShell Module 16->25 21 WmiPrvSE.exe 16->21         started        process9
Score:
66%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/b8e4db27a7347c05c3e9d42a6e04f9bf8ae0b0df6a78fb68c9d818bccd7a68ec
Verdict:
Malware
YARA:
5 match(es)
Tags:
CAB:COMPRESSION:LZX DeObfuscated Executable PDB Path PE (Portable Executable) PE File Layout PowerShell Win 64 Exe x64
Link:
https://app.malva.re/file/201a808756ea234893fee20bb524b05c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b8e4db27a7347c05c3e9d42a6e04f9bf8ae0b0df6a78fb68c9d818bccd7a68ec/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xdsnwj5hgr6alq7j2qvg4bhzx6fobmg7nj4pw2gj3amlztl2ndwa._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution persistence
Link:
https://tria.ge/reports/260308-hq12yaat9j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Unpacked files
SH256 hash:
b8e4db27a7347c05c3e9d42a6e04f9bf8ae0b0df6a78fb68c9d818bccd7a68ec
MD5 hash:
201a808756ea234893fee20bb524b05c
SHA1 hash:
48a29e13562467c647793978587b1d92648c83cc
Link:
https://www.unpac.me/results/c50af646-8cf0-43eb-8a26-fbaf0c68ffc5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b8e4db27a7347c05c3e9d42a6e04f9bf8ae0b0df6a78fb68c9d818bccd7a68ec

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe b8e4db27a7347c05c3e9d42a6e04f9bf8ae0b0df6a78fb68c9d818bccd7a68ec

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3791595/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/56610/

Comments