MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d7e35158539f2b1e75b60ecb4723e5e355371e040f5f0a76aba5b486d543e63b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 9

Intelligence 9 IOCs YARA 5 File information Comments

SHA256 hash:	d7e35158539f2b1e75b60ecb4723e5e355371e040f5f0a76aba5b486d543e63b
SHA3-384 hash:	2bf7d49f217361813a503e1065d089b237e5446f5f0d736f57ade8580cc1080732c29479b7565f6e8cf8cd9b7ef67b7d
SHA1 hash:	d742329593e9cf5c56b7681b34134c10006b0855
MD5 hash:	16219e04eab9d404f85408c70e2e0777
humanhash:	shade-indigo-glucose-lemon
File name:	16219e04eab9d404f85408c70e2e0777
Download:	download sample
File size:	13'824 bytes
First seen:	2026-06-22 08:00:52 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	17a4bd9c95f2898add97f309fc6f9bcd (18 x DarkSide, 6 x CobaltStrike, 5 x Vidar)
ssdeep	384:vYqDVNgsJCuTNZw679w/VR9e8qcI0wlJ:Q4zTlZw1sNLT
TLSH	T14252D7CA71E370BAC1A8C37CC54E62B6CF5A3097061A6FBF49DC85953BC26112CF8A55
TrID	33.1% (.EXE) Win64 Executable (generic) (6522/11/2) 25.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 10.4% (.ICL) Windows Icons Library (generic) (2059/9) 10.3% (.EXE) OS/2 Executable (generic) (2029/13) 10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	adrian__luca
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

116

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

16219e04eab9d404f85408c70e2e0777.exe

Verdict:

No threats detected

Analysis date:

2026-06-22 08:04:08 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b6fe825a-6062-434a-bba9-d226b97705f7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/71486/

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a38ebef1548daf709f8b247

Tags:

virus remo

Result

Verdict:

Clean

Maliciousness:

Behaviour

DNS request

Searching for synchronization primitives

Verdict:

Malicious

Labled as:

Win64/Agent_AGeneric.OPA trojan

Link:

https://www.hybrid-analysis.com/sample/d7e35158539f2b1e75b60ecb4723e5e355371e040f5f0a76aba5b486d543e63b

Verdict:

Malicious

File Type:

exe x64

First seen:

2026-06-13T10:22:00Z UTC

Last seen:

2026-06-23T23:27:00Z UTC

Hits:

~10

Detections:

UDS:DangerousObject.Multi.Generic

Link:

https://opentip.kaspersky.com/d7e35158539f2b1e75b60ecb4723e5e355371e040f5f0a76aba5b486d543e63b/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/b6cde88e-84a4-4aeb-a235-61d8b8a857ce

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/d7e35158539f2b1e75b60ecb4723e5e355371e040f5f0a76aba5b486d543e63b

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/16219e04eab9d404f85408c70e2e0777

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d7e35158539f2b1e75b60ecb4723e5e355371e040f5f0a76aba5b486d543e63b/

Verdict:

Malicious

Threat:

DangerousObject.Multi

Link:

https://tip.neiki.dev/file/d7e35158539f2b1e75b60ecb4723e5e355371e040f5f0a76aba5b486d543e63b

Threat name:

Win64.Trojan.Kepavll

Status:

Malicious

First seen:

2026-06-13 15:16:08 UTC

File Type:

PE+ (Exe)

AV detection:

26 of 38 (68.42%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=27rvcwctt4vr45nwb3fuoi7f4nktohqeb5pqu5vluw2invkd4y5q._file

Result

Malware family:

n/a

Score:

8/10

Tags:

adware persistence ransomware spyware

Link:

https://tria.ge/reports/260622-jwp3asas6p/

Behaviour

Checks SCSI registry key(s)

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Uses Volume Shadow Copy WMI provider

Uses Volume Shadow Copy service COM API

Enumerates connected drives

Boot or Logon Autostart Execution: Active Setup

Unpacked files

SH256 hash:

d7e35158539f2b1e75b60ecb4723e5e355371e040f5f0a76aba5b486d543e63b

MD5 hash:

16219e04eab9d404f85408c70e2e0777

SHA1 hash:

d742329593e9cf5c56b7681b34134c10006b0855

Link:

https://www.unpac.me/results/2394c362-adfa-486c-8a44-d09851779171/

Malware family:

DragonFly

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d7e35158539f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.19

Link:

https://yomi.yoroi.company/submissions/d7e35158539f2b1e75b60ecb4723e5e355371e040f5f0a76aba5b486d543e63b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	SUSP_XORed_URL_In_EXE Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	Unspecified_Malware_Sep1_A1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects malware from DrqgonFly APT report
Reference:	https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group

Rule name:	Unspecified_Malware_Sep1_A1_RID3131 Create hunting rule
Author:	Florian Roth
Description:	Detects malware from DrqgonFly APT report
Reference:	https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

exe d7e35158539f2b1e75b60ecb4723e5e355371e040f5f0a76aba5b486d543e63b

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/71486/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample