MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1a1e6a2c0adc45a4cf40128e683499cd984d5803ad2e3a1ce26768a612eaec2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 14


Intelligence 14 IOCs YARA 35 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d1a1e6a2c0adc45a4cf40128e683499cd984d5803ad2e3a1ce26768a612eaec2
SHA3-384 hash: 9c3c66c885d4dce066e9aeb8b64e7edc43f68f4bc805903f1653f6c72a420cb3b6ee04b8aa61fe9db6286175a753fc02
SHA1 hash: dc00375f36a7968d4946bd7f685f197c617f2c9a
MD5 hash: a916870b1be4c1cf4e19cb9324a439b6
humanhash: sink-carolina-ohio-earth
File name:123123.exe
Download: download sample
File size:2'106'368 bytes
First seen:2026-04-09 09:06:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 38c192218334865e56f906ff44fbc4b0
ssdeep 24576:s5uYyQO8hVDs/5IdhtQFujoh6m6vBsZZ5PXQBJOKdkjnoor0PfSIgZlHVvtRJQOh:gno8haujVsPAB8KY2+Bz+2
Threatray 9 similar samples on MalwareBazaar
TLSH T12DA58E46B3A501F8D477C078CD466217FA72B4041774ABEB55A08A6A2F33FE13ABE315
TrID 29.5% (.EXE) Win64 Executable (generic) (6522/11/2)
22.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
127
Origin country :
SE SE
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/76c2104f-aef4-45a2-8c53-9542d2171d59/
Malware family:
n/a
ID:
1
File name:
encrypted.hta
Verdict:
Malicious activity
Analysis date:
2026-04-09 06:28:41 UTC
Tags:
github evasion stealer meduza donutloader loader crypto-regex amsi-bypass rdp ip-check
Link:
https://app.any.run/tasks/5275bd63-00e4-495b-94bd-41f37ab4d3d1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/60938/
Verdict:
Malicious
Score:
94.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69d76c4c66ab6d001dd08ba0
Tags:
infosteal emotet
Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm anti-vm cmd control crypto cscript evasive expand explorer fingerprint hacktool installutil keylogger lolbin meterpreter microsoft_visual_cc msbuild netsh regasm remote runonce sc schtasks stealer threat tracker unknown wmic wscript
Link:
https://www.filescan.io/uploads/69d76c4cc33dc5a985d5d979/reports/7b590ba2-ba60-4454-b6e9-ed127b110391/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/d1a1e6a2c0adc45a4cf40128e683499cd984d5803ad2e3a1ce26768a612eaec2
Result
Gathering data
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-04-09T00:14:00Z UTC
Last seen:
2026-04-09T00:36:00Z UTC
Hits:
~100
Detections:
Trojan-PSW.Win32.Greedy.sb Trojan-PSW.Win32.Coins.sb Trojan-PSW.Win32.Agent.sb Trojan-PSW.MSIL.Stealer.sb Trojan-Banker.Win32.Express.sb HEUR:Backdoor.Win32.Agent.gen
Link:
https://opentip.kaspersky.com/d1a1e6a2c0adc45a4cf40128e683499cd984d5803ad2e3a1ce26768a612eaec2/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/78e60489-00b3-41a0-903e-cc9b621ccf36
Result
Threat name:
Clipboard Hijacker
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1895849
Signature
Contains functionality to hide user accounts
Contains functionality to start a terminal service
Deletes shadow drive data (may be related to ransomware)
Found many strings related to Crypto-Wallets (likely being stolen)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Clipboard Hijacker
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d1a1e6a2c0adc45a4cf40128e683499cd984d5803ad2e3a1ce26768a612eaec2
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d1a1e6a2c0adc45a4cf40128e683499cd984d5803ad2e3a1ce26768a612eaec2/
Verdict:
Malicious
Threat:
Family.MEDUZA
Link:
https://tip.neiki.dev/file/d1a1e6a2c0adc45a4cf40128e683499cd984d5803ad2e3a1ce26768a612eaec2
Threat name:
Win64.Trojan.Cerbu
Create hunting rule
Status:
Malicious
First seen:
2026-04-09 03:17:07 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
13 of 36 (36.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2gq6niwavxcfuthuaeuona2jttmyjvmahljohiooez3iuyjov3ba._file
Verdict:
malicious
Label(s):
unc_stealer_006
Create hunting rule
Similar samples:
0563f9e1d0fe8c2cf932f55fb8341ee86c1d1ee7d1be5d99f929db36d92dcf97
1dc49390801ae4be6be1568ca9616aa9d9368b4ee5f009a15d69ec73bb453f61
6c088016a0e185ffe40ec6cf25173f5e623ac11193b247e4ca7230ffd797fa82
7baec10572549525371602d096866b664b63f9bd0d8b15a21a0e68bda1d76432
7e8b9bcb0dba0271ad431077219b073584aceb075b131f49f652e9312de7880f
93b70cbf0e33621499d8d076fece24e5683003c728652711934d0bfc1902adbd
d1a1e6a2c0adc45a4cf40128e683499cd984d5803ad2e3a1ce26768a612eaec2
d2011ed4fe2998724e3312174be8f32f65f858ddcd1f1b40ea3ac0806c007d9f
e48aae30303baaabdf26a9554bdc9da8d2215b584c14c6a787e027f48fdc610b
error
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://tria.ge/reports/260409-k3f9eacz9m/
Behaviour
Looks up external IP address via web service
Unpacked files
SH256 hash:
d1a1e6a2c0adc45a4cf40128e683499cd984d5803ad2e3a1ce26768a612eaec2
MD5 hash:
a916870b1be4c1cf4e19cb9324a439b6
SHA1 hash:
dc00375f36a7968d4946bd7f685f197c617f2c9a
Link:
https://www.unpac.me/results/4024ce92-0294-4f83-94e2-6fc05dc47f5b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d1a1e6a2c0adc45a4cf40128e683499cd984d5803ad2e3a1ce26768a612eaec2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_mod_tough_bin
Create hunting rule
Author:James_inthe_box
Reference:https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:CMD_Ping_Localhost
Create hunting rule
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:HKTL_Meterpreter_inMemory
Create hunting rule
Author:netbiosX, Florian Roth
Description:Detects Meterpreter in-memory
Reference:https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Rule name:Indicator_MiniDumpWriteDump
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of MFA browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables containing artifacts associated with disabling Widnows Defender
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_PasswordManagers
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many Password Manager software clients. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_GENRansomware
Create hunting rule
Author:ditekSHen
Description:Detects command variations typically used by ransomware
Rule name:Macos_Infostealer_Wallets_8e469ea0
Create hunting rule
Author:Elastic Security
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PowerShell_Susp_Parameter_Combo_RID336F
Create hunting rule
Author:Florian Roth
Description:Detects PowerShell invocation with suspicious parameters
Reference:https://goo.gl/uAic1X
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:ReflectiveLoader
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:Internal Research
Rule name:Suspicious_Process
Create hunting rule
Author:Security Research Team
Description:Suspicious process creation
Rule name:Sus_All_Windows_PE_Malware
Create hunting rule
Author:DiegoAnalytics
Description:Detects Windows PE malware of all types, avoids non-executables like .html
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:WIN_SHADOW_UNPACKED
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe d1a1e6a2c0adc45a4cf40128e683499cd984d5803ad2e3a1ce26768a612eaec2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3814744/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/60938/

Comments