MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df1c7f9dd25d4f7c6c393e1f3f9e6857c3f8e89dbde25cd4094ea38239868b6a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: df1c7f9dd25d4f7c6c393e1f3f9e6857c3f8e89dbde25cd4094ea38239868b6a
SHA3-384 hash: aeab9e52be72f775dd94bb48f1f68835e83851cbea677faa6162000f23d0a87920b8dcba5802b1ad7e063c393ce293c3
SHA1 hash: 253ee89007002fa9e039237a9a0fe841ca9978eb
MD5 hash: cbe4f8c3c0896e2091c2fa8eae1a4bb8
humanhash: nitrogen-vegan-network-east
File name:df1c7f9dd25d4f7c6c393e1f3f9e6857c3f8e89dbde25cd4094ea38239868b6a
Download: download sample
File size:6'568'216 bytes
First seen:2025-08-12 14:27:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 47ef05eb53d09a9dba4db02d08012899 (2 x XWorm)
ssdeep 196608:vmOnlSqs3iA1vlX7dELWjfeMGPaqfoX4BwLT:3lSqlA9Vqi6tTfoYO
TLSH T1D96623F753154394E4AA8839883BBDE770F3526E9D41583C34A6BEC73D237A2A113987
TrID 30.2% (.EXE) Win64 Executable (generic) (10522/11/4)
18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.9% (.EXE) Win32 Executable (generic) (4504/4/1)
5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 7eeceeccd6c2f2f2 (14 x Formbook, 9 x AgentTesla, 8 x RemcosRAT)
Reporter adrian__luca
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
18
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
df1c7f9dd25d4f7c6c393e1f3f9e6857c3f8e89dbde25cd4094ea38239868b6a
Verdict:
No threats detected
Analysis date:
2025-08-12 19:44:50 UTC
Tags:
netreactor
Link:
https://app.any.run/tasks/890c057b-1f7d-4acf-907e-2e0bbb2f84a8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/20668/
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=689b51f5fca70bd90e8f1268
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Labled as:
Kelios.Generic
Link:
https://www.hybrid-analysis.com/sample/df1c7f9dd25d4f7c6c393e1f3f9e6857c3f8e89dbde25cd4094ea38239868b6a
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/9f74c9cd-74e3-41ec-a532-c377896a5ce0
Score:
92%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/df1c7f9dd25d4f7c6c393e1f3f9e6857c3f8e89dbde25cd4094ea38239868b6a
Gathering data
Gathering data
Threat name:
Win32.Trojan.Kelios
Create hunting rule
Status:
Malicious
First seen:
2025-07-24 17:08:39 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=34oh7hoslvhxy3bzhypt7htik7b7r2e5xxrfzvajj2ryeomgrnva._file
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/250812-tfexhaen7t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
System Location Discovery: System Language Discovery
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/21e1f66c-ae12-416c-85ac-b7dcb5315192
Unpacked files
SH256 hash:
df1c7f9dd25d4f7c6c393e1f3f9e6857c3f8e89dbde25cd4094ea38239868b6a
MD5 hash:
cbe4f8c3c0896e2091c2fa8eae1a4bb8
SHA1 hash:
253ee89007002fa9e039237a9a0fe841ca9978eb
Link:
https://www.unpac.me/results/e92c3663-3b75-444d-a282-e69fa322a46e/
SH256 hash:
40bb5a303bbbbb566104e9b63e2762af4319328d10334c1f24dc744dec0deffd
MD5 hash:
5a366e8d41b8e835b8ef8816618f9517
SHA1 hash:
5e0d00000145e84da5c2a06528237dcce39263f9
Link:
https://www.unpac.me/results/e92c3663-3b75-444d-a282-e69fa322a46e/
SH256 hash:
46be745c2707a59e4ca52280bddf43a32639693705da6da1f16b49b4ff253652
MD5 hash:
898498c4eb895a76bf274b36d39d5592
SHA1 hash:
018c4b39658825b0619441764729815b32b93ba4
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/e92c3663-3b75-444d-a282-e69fa322a46e/
SH256 hash:
8bcd10c24cba8a3ec20ecbceae8b0c71518927fbf2789a56225e18bcf3c89caa
MD5 hash:
17af54e4d0acd81b455c7e6a7d96d337
SHA1 hash:
3d16fa45fd3cc70c7f192bc5118b7a581878e8d6
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/e92c3663-3b75-444d-a282-e69fa322a46e/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/20668/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA

Comments