MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c964a29e91d49dcec96b60ab5957b8d11e8a1223c298bee23a8f6298f73e0202. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 11

Intelligence 11 IOCs YARA 16 File information Comments

SHA256 hash:	c964a29e91d49dcec96b60ab5957b8d11e8a1223c298bee23a8f6298f73e0202
SHA3-384 hash:	2a93faf47af15dbf64e1cea90eadef163c2712a6d160ce27c544d1e88547bcc060a4ddd913ed9b44e84e01fc074003b6
SHA1 hash:	0bbb21365e3f6f6cc6404beee838359a646d55a9
MD5 hash:	7feea557126cad7616853471a6535bef
humanhash:	may-autumn-oklahoma-massachusetts
File name:	cyber.exe
Download:	download sample
File size:	3'715'072 bytes
First seen:	2026-02-02 18:33:12 UTC
Last seen:	2026-02-02 19:48:17 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	694e3de35418ad5a678b52378cc688f6
ssdeep	49152:s6xuvrC5Zv1AHNrFcS44NfAtRHIt/gXT0PoC4sVyEoOta:s6Yr+qtrqCdgA0EoCa
Threatray	25 similar samples on MalwareBazaar
TLSH	T142065C53B288A53FE06B1B3F583BE670583FB6602A1A8D0B6FF4195C4E396406D36747
TrID	62.3% (.EXE) Inno Setup installer (107240/4/30) 24.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 6.1% (.EXE) Win64 Executable (generic) (10522/11/4) 2.6% (.EXE) Win32 Executable (generic) (4504/4/1) 1.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
Reporter	BlinkzSec
Tags:	79-110-49-81 exe

Intelligence

File Origin

# of uploads :

# of downloads :

106

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

_c964a29e91d49dcec96b60ab5957b8d11e8a1223c298bee23a8f6298f73e0202.exe

Verdict:

Malicious activity

Analysis date:

2026-02-02 18:35:12 UTC

Tags:

evasion stealer delphi

Link:

https://app.any.run/tasks/b92924f3-6936-415d-b3e3-6bdbb97259fa

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/51309/

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6980edfba9ffec4a96096547

Tags:

dropper keylog word

Verdict:

Unknown

Threat level:

2.5/10

Confidence:

100%

Tags:

adaptive-context anti-debug apt embarcadero_delphi fingerprint keylogger packed zusy

Link:

https://www.filescan.io/uploads/6980edf32ffccda09766378a/reports/ebc6783a-c9b2-4555-b1ed-658677861580/overview

Verdict:

Malicious

Labled as:

Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/c964a29e91d49dcec96b60ab5957b8d11e8a1223c298bee23a8f6298f73e0202

Result

Gathering data

Verdict:

Malicious

File Type:

exe x32

Detections:

Trojan-PSW.MSIL.Stealer.sb HEUR:Trojan-PSW.Win32.Stealer.gen

Link:

https://opentip.kaspersky.com/c964a29e91d49dcec96b60ab5957b8d11e8a1223c298bee23a8f6298f73e0202/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/63a0d5b1-439e-48a7-a141-165d7bc0e923

Score:

97%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/c964a29e91d49dcec96b60ab5957b8d11e8a1223c298bee23a8f6298f73e0202

Verdict:

inconclusive

YARA:

6 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/7feea557126cad7616853471a6535bef

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c964a29e91d49dcec96b60ab5957b8d11e8a1223c298bee23a8f6298f73e0202/

Verdict:

Malicious

Threat:

Trojan-PSW.MSIL.Stealer

Link:

https://tip.neiki.dev/file/c964a29e91d49dcec96b60ab5957b8d11e8a1223c298bee23a8f6298f73e0202

Threat name:

Win32.Infostealer.Tinba

Status:

Malicious

First seen:

2026-02-02 18:31:35 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

14 of 36 (38.89%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zfskfhur2so45sllmcvvsv5y2epiuerdykml5yr2r5rjr5z6aiba._file

Verdict:

malicious

Label(s):

ravenloader

2785be306bd18814e5b9e833de4448c458fa713024d76c8d7e0217cd8dfdd88e

48ebd0e60eed1e5cc38195aa33694afd2a387be44a34270890f7fa756833d9c8

956c4127c423b87465f750c055dc883bac25182789788e82ddcda5a5bf71f971

bfcc51383c4d80e555a1f8ec8e6298faa2e63c6421e520b630af3af4fe2a78d5

c5dbce5b2801cd11a80edd5072a35f0ac761c2be3b093e7e739de3550a794f2d

c964a29e91d49dcec96b60ab5957b8d11e8a1223c298bee23a8f6298f73e0202

error

+ 15 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

6/10

Tags:

discovery

Link:

https://tria.ge/reports/260202-w7fzzshx4b/

Behaviour

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

System Location Discovery: System Language Discovery

Looks up external IP address via web service

Unpacked files

SH256 hash:

c964a29e91d49dcec96b60ab5957b8d11e8a1223c298bee23a8f6298f73e0202

MD5 hash:

7feea557126cad7616853471a6535bef

SHA1 hash:

0bbb21365e3f6f6cc6404beee838359a646d55a9

Link:

https://www.unpac.me/results/682a52cd-b93c-4a8c-adba-aea969420ce9/

Malware family:

Phorpiex

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c964a29e91d4/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	APT_DustSquad_PE_Nov19_1 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detection Rule for APT DustSquad campaign Nov19
Reference:	https://twitter.com/Rmy_Reserve/status/1197448735422238721

Rule name:	APT_DustSquad_PE_Nov19_2 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detection Rule for APT DustSquad campaign Nov19
Reference:	https://twitter.com/Rmy_Reserve/status/1197448735422238721

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	INDICATOR_SUSPICIOUS_ClearWinLogs Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing commands for clearing Windows Event Logs

Rule name:	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender Create hunting rule
Author:	ditekSHen
Description:	Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	SR_APT_DustSquad_PE_Nov19 Create hunting rule
Author:	Arkbird_SOLG
Description:	Super Rule for APT DustSquad campaign Nov19
Reference:	https://twitter.com/Rmy_Reserve/status/1197448735422238721

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	telebot_framework Create hunting rule
Author:	vietdx.mb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe c964a29e91d49dcec96b60ab5957b8d11e8a1223c298bee23a8f6298f73e0202

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3770857/

Cape

https://www.capesandbox.com/analysis/51309/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample