MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d97c951e84b98dcf0636fc8a7066676943e5a2f0cf4cff66b7da4e9ee2aa0ba3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	d97c951e84b98dcf0636fc8a7066676943e5a2f0cf4cff66b7da4e9ee2aa0ba3
SHA3-384 hash:	02aacec9717b4dffc29a72b3b3ae688b49dec3a835d59f9935b86499da3c9e911626dba8eb4c2dc0813dcb2b94dc4685
SHA1 hash:	f581ae67affb597f5d914218f2b62d4a217c6b0e
MD5 hash:	19f0da7931e9366808236d913541576e
humanhash:	fruit-hot-video-high
File name:	libGSELv2.dll
Download:	download sample
File size:	54'944'256 bytes
First seen:	2026-04-28 19:37:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c2b036f4256143e2d07a4478ca0940ea
ssdeep	393216:mHpMcwyvAKgwHpjA1p/QfAjhS8A76/20iWG:ypMcwyviZIaS8Ch0jG
TLSH	T1DFC73B43A86440E8C4EDD534C9628662BF3D7C895F3427C72F64B7682BB6BD0A67B350
TrID	33.1% (.EXE) Win64 Executable (generic) (6522/11/2) 25.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 10.4% (.ICL) Windows Icons Library (generic) (2059/9) 10.3% (.EXE) OS/2 Executable (generic) (2029/13) 10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	Alex_sev
Tags:	backdoor exe Generic

Intelligence

File Origin

# of uploads :

# of downloads :

158

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

libGSELv2.dll

Verdict:

Suspicious activity

Analysis date:

2026-04-28 19:35:35 UTC

Tags:

anti-evasion telegram antivm golang

Link:

https://app.any.run/tasks/adf90775-db50-44e7-8b7e-6c8b03662b2a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result

Verdict:

Clean

Maliciousness:

Behaviour

Launching the default Windows debugger (dwwin.exe)

DNS request

Connection attempt

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug anti-vm crypto go golang masquerade packed

Link:

https://www.filescan.io/uploads/69f10c738a82359247b82d16/reports/22986be4-c276-4d95-a418-7da83dff333b/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/d97c951e84b98dcf0636fc8a7066676943e5a2f0cf4cff66b7da4e9ee2aa0ba3

Verdict:

Clean

File Type:

dll x64

Link:

https://opentip.kaspersky.com/d97c951e84b98dcf0636fc8a7066676943e5a2f0cf4cff66b7da4e9ee2aa0ba3/results?tab=lookup

Score:

16%

Verdict:

Benign

File Type:

Link:

https://malprob.io/report/d97c951e84b98dcf0636fc8a7066676943e5a2f0cf4cff66b7da4e9ee2aa0ba3

Gathering data

Verdict:

Clean

Link:

https://tip.neiki.dev/file/d97c951e84b98dcf0636fc8a7066676943e5a2f0cf4cff66b7da4e9ee2aa0ba3

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3f6jkhuexgg46brw7sfhazthnfb6lixqz5gp6zvx3jhj5yvkborq._file

Result

Malware family:

n/a

Score:

8/10

Tags:

defense_evasion discovery spyware trojan

Link:

https://tria.ge/reports/260428-ybz44adz5y/

Behaviour

GoLang User-Agent

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Modifies trusted root certificate store through registry

Checks installed software on the system

Badlisted process makes network request

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample