MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6802fce5b918ed247ba85d6aa0545a8120cfbc3734b1c37794c4e381862d4ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 14


Intelligence 14 IOCs YARA 36 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d6802fce5b918ed247ba85d6aa0545a8120cfbc3734b1c37794c4e381862d4ee
SHA3-384 hash: 981a9702079966924379b9f9620927a3b103d3a98311e1f485df403bb220bbe99a542533994665b929b21f4c73c54c6e
SHA1 hash: 4557478c9b47f5d0729b6f6bf21d673068b57126
MD5 hash: e8b080c276519547e95930ab15028adb
humanhash: carolina-vermont-double-alaska
File name:7esw3p.dat
Download: download sample
File size:2'058'752 bytes
First seen:2026-04-09 15:05:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 72aa3d705bc1c7cc7c6057e4a008c2de
ssdeep 24576:MAbGrci1CVsb+JPrf+xp8esqhNyjAibJULb1hstRqGG7srGX8vCWI7JgZlHavtdP:VN7Jjfa87S1LktRqVzfHXxQk
TLSH T1E3958E46B3A501FCD467C178CD466217F672B4041774ABEF45A08A6A2F73BE23A7E318
TrID 29.5% (.EXE) Win64 Executable (generic) (6522/11/2)
22.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:dat exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
124
Origin country :
SE SE
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/da77dec5-85a8-430e-a696-9525a0fbb62b/
Malware family:
n/a
ID:
1
File name:
24853365355.zip
Verdict:
No threats detected
Analysis date:
2026-04-08 04:43:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e0f44eb8-6484-4ea7-ab1b-bffb74eb6f47

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/60976/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69d7c0796a61012f6ad06326
Tags:
infosteal emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Connection attempt
Sending an HTTP GET request
Sending a UDP request
Sending a custom TCP request
Setting a keyboard event handler
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file
Launching the process to change network settings
Сreating synchronization primitives
Creating a file in the %temp% directory
Reading critical registry keys
Creating a window
Searching for the window
Searching for synchronization primitives
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm cmd control crypto cscript evasive expand explorer fingerprint hacktool installutil keylogger lolbin masquerade meterpreter microsoft_visual_cc msbuild netsh obfuscated ransomware regasm runonce sc schtasks stealer tracker wmic wscript
Link:
https://www.filescan.io/uploads/69d7c0735ea31bc68a1b71b1/reports/5cece280-6dcc-4d63-80a8-9da1f3e22924/overview
Verdict:
Malicious
Labled as:
Cerbu.Generic
Link:
https://www.hybrid-analysis.com/sample/d6802fce5b918ed247ba85d6aa0545a8120cfbc3734b1c37794c4e381862d4ee
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-04-03T13:12:00Z UTC
Last seen:
2026-04-10T08:38:00Z UTC
Hits:
~100
Detections:
Trojan-Banker.Win32.Express.sb Trojan-PSW.PureLogs.TCP.C&C Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Coins.sb Trojan-PSW.Win32.Agent.sb Trojan-PSW.MSIL.Stealer.sb HEUR:Backdoor.Win32.Agent.gen PDM:Trojan.Win32.Generic Trojan.Win32.Udochka.sb Trojan-Spy.Win32.Xegumumune.sbc Trojan-PSW.Win32.Greedy.sb NetTool.DiscoGetMe.HTTP.C&C
Link:
https://opentip.kaspersky.com/d6802fce5b918ed247ba85d6aa0545a8120cfbc3734b1c37794c4e381862d4ee/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/23f0377b-87d3-48cd-88f7-7b3f87a4a713
Result
Threat name:
Clipboard Hijacker
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1895157
Signature
Contains functionality to hide user accounts
Contains functionality to start a terminal service
Deletes shadow drive data (may be related to ransomware)
Found many strings related to Crypto-Wallets (likely being stolen)
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Tries to access browser extension known for cryptocurrency wallets
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Yara detected Clipboard Hijacker
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d6802fce5b918ed247ba85d6aa0545a8120cfbc3734b1c37794c4e381862d4ee
Verdict:
inconclusive
YARA:
7 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/e8b080c276519547e95930ab15028adb
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d6802fce5b918ed247ba85d6aa0545a8120cfbc3734b1c37794c4e381862d4ee/
Verdict:
Malicious
Threat:
Family.MEDUZA
Link:
https://tip.neiki.dev/file/d6802fce5b918ed247ba85d6aa0545a8120cfbc3734b1c37794c4e381862d4ee
Threat name:
Win64.Trojan.Cerbu
Create hunting rule
Status:
Malicious
First seen:
2026-04-02 18:32:05 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
26 of 36 (72.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=22ac7ts3sghner52qxlkubkfvajaz66donfryn3zjrhdqgdc2txa._file
Verdict:
malicious
Label(s):
unc_stealer_006
Create hunting rule
Similar samples:
error
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection discovery persistence privilege_escalation spyware stealer
Link:
https://tria.ge/reports/260409-sgy64acx7r/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Event Triggered Execution: Netsh Helper DLL
System Network Configuration Discovery: Wi-Fi Discovery
Accesses Microsoft Outlook profiles
Checks installed software on the system
Looks up external IP address via web service
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
d6802fce5b918ed247ba85d6aa0545a8120cfbc3734b1c37794c4e381862d4ee
MD5 hash:
e8b080c276519547e95930ab15028adb
SHA1 hash:
4557478c9b47f5d0729b6f6bf21d673068b57126
Link:
https://www.unpac.me/results/cefa8aaa-4dc0-4c2e-bded-6cf263c44a0f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d6802fce5b91/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d6802fce5b918ed247ba85d6aa0545a8120cfbc3734b1c37794c4e381862d4ee

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_mod_tough_bin
Create hunting rule
Author:James_inthe_box
Reference:https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:CMD_Ping_Localhost
Create hunting rule
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:HKTL_Meterpreter_inMemory
Create hunting rule
Author:netbiosX, Florian Roth
Description:Detects Meterpreter in-memory
Reference:https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Rule name:Indicator_MiniDumpWriteDump
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of MFA browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables containing artifacts associated with disabling Widnows Defender
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_PasswordManagers
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many Password Manager software clients. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_GENRansomware
Create hunting rule
Author:ditekSHen
Description:Detects command variations typically used by ransomware
Rule name:Macos_Infostealer_Wallets_8e469ea0
Create hunting rule
Author:Elastic Security
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PowerShell_Susp_Parameter_Combo_RID336F
Create hunting rule
Author:Florian Roth
Description:Detects PowerShell invocation with suspicious parameters
Reference:https://goo.gl/uAic1X
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:ReflectiveLoader
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:Internal Research
Rule name:Suspicious_Process
Create hunting rule
Author:Security Research Team
Description:Suspicious process creation
Rule name:Sus_All_Windows_PE_Malware
Create hunting rule
Author:DiegoAnalytics
Description:Detects Windows PE malware of all types, avoids non-executables like .html
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
Rule name:WIN_SHADOW_UNPACKED
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe d6802fce5b918ed247ba85d6aa0545a8120cfbc3734b1c37794c4e381862d4ee

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3814858/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/60976/

Comments