MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c8a2e4865149c50ed685c7e0c2efb3a70a4e68a343e7fa1b96d569ecbf5bdc02. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


EpsilonStealer


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c8a2e4865149c50ed685c7e0c2efb3a70a4e68a343e7fa1b96d569ecbf5bdc02
SHA3-384 hash: 8285a5abe9e8cc7cc3624858017b61a92759d1203704955290d55588222dbc6fbbbb902fc6b7b2328bec6f9677425ab7
SHA1 hash: 32f651aa2422f38825859708be8f33a1c46f70f7
MD5 hash: d0e8bf96e6068b7228894a932c45a364
humanhash: tennessee-fourteen-skylark-yankee
File name:gitlol
Download: download sample
Signature EpsilonStealer
Create hunting rule
File size:84'138'466 bytes
First seen:2026-03-08 18:14:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (565 x GuLoader, 121 x RemcosRAT, 82 x EpsilonStealer)
ssdeep 1572864:WSnyLU23CzpQRL6MXNOUTrhJWBBkQw14U2Ap0E2Mq40LNUib95cyZR0p:WeyLUSRPGirp4MNWUO95cyZSp
TLSH T1520833FDA393A772EF46253B2AF159722E2C47DE4950D8D3817B64B2DB51C820C9E02D
TrID 27.0% (.EXE) Win64 Executable (generic) (6522/11/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.4% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon 0000000000000000 (898 x AgentTesla, 540 x Formbook, 316 x RedLineStealer)
Reporter BlinkzSec
Tags:EpsilonStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
178
Origin country :
IT IT
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/be3de9df-6d55-40a6-bb2c-63543b64f756/
Malware family:
n/a
ID:
1
File name:
gitlol
Verdict:
Malicious activity
Analysis date:
2026-03-08 18:16:15 UTC
Tags:
evasion stealer auto-reg
Link:
https://app.any.run/tasks/177784a4-9d4b-4a73-b5a9-a311522f96e7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69adbcc3e5dc8e2b2c311c44
Tags:
vmdetect shell virus sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug blackhole crypto installer installer installer-heuristic invalid-signature microsoft_visual_cc nsis packed signed soft-404
Link:
https://www.filescan.io/uploads/69adbcb7cd25bfe1dfe4a791/reports/274e0568-4aff-41b5-84bb-828e50e7bcfc/overview
Verdict:
Suspicious
Labled as:
Malware_56.0
Link:
https://www.hybrid-analysis.com/sample/c8a2e4865149c50ed685c7e0c2efb3a70a4e68a343e7fa1b96d569ecbf5bdc02
Verdict:
Adware
File Type:
exe x32
Detections:
HackTool.Win64.BroHack.jb
Link:
https://opentip.kaspersky.com/c8a2e4865149c50ed685c7e0c2efb3a70a4e68a343e7fa1b96d569ecbf5bdc02/results?tab=lookup
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c8a2e4865149c50ed685c7e0c2efb3a70a4e68a343e7fa1b96d569ecbf5bdc02
Gathering data
Verdict:
Malicious
Threat:
HackTool.Win64.BroHack
Link:
https://tip.neiki.dev/file/c8a2e4865149c50ed685c7e0c2efb3a70a4e68a343e7fa1b96d569ecbf5bdc02
Threat name:
Win32.Trojan.Cryxos
Create hunting rule
Status:
Suspicious
First seen:
2026-03-08 18:00:54 UTC
File Type:
PE (Exe)
Extracted files:
1764
AV detection:
9 of 23 (39.13%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zcrojbsrjhcq5vufy7qmf35tu4fe42fdipt7ug4w2vu6zp233qba._file
Result
Malware family:
epsilon
Create hunting rule
Score:
  10/10
Tags:
family:donutloader family:epsilon antivm discovery execution linux loader persistence spyware stealer
Link:
https://tria.ge/reports/260308-wv15dsfy6k/
Behaviour
Checks processor information in registry
Modifies registry key
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Detects DonutLoader
DonutLoader
Donutloader family
Epsilon Stealer
Epsilon family
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

EpsilonStealer

Executable exe c8a2e4865149c50ed685c7e0c2efb3a70a4e68a343e7fa1b96d569ecbf5bdc02

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3792459/
  
Delivery method
Distributed via web download

Comments