MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e193bad23c195dca8d38d4488384ba367e8047cf70e57d5803d40020f144c7a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e193bad23c195dca8d38d4488384ba367e8047cf70e57d5803d40020f144c7a8
SHA3-384 hash: af37fcd6fd778b86efa50944c1c462213d14093970bb2a69d182a732c5bcea7cc00e54775dec18b396cf898f4d3b5604
SHA1 hash: 644178f456e92e404b88e6d8d7627c82e42e2ddc
MD5 hash: 13b1401882dd0ed20244c45526105859
humanhash: oscar-ohio-single-crazy
File name:SecuriteInfo.com.Win64.Trojan.Agent.VKPE24.12242.18491
Download: download sample
File size:1'455'104 bytes
First seen:2025-06-11 21:28:29 UTC
Last seen:2025-06-11 22:28:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f8b84614b23d2e435258eec719d54b42
ssdeep 24576:jFP1ncIBrMkIE2B13X0pLlrOVIV6JDxj0cq9fNzwvJX/f:jFPykiB1aL3VQjcVzwh
TLSH T13365E089374428F4D6718078CB0D4692CD35F4B093711A8BA3BD837E2A72AF9AD77791
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10522/11/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon 1cb6b66ccc8cac4c (1 x Fabookie, 1 x Arechclient2)
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
446
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win64.Trojan.Agent.VKPE24.12242.18491
Verdict:
Malicious activity
Analysis date:
2025-06-11 21:55:10 UTC
Tags:
xor-url generic arechclient2 rat stealer backdoor
Link:
https://app.any.run/tasks/623e1634-e8d0-44a2-8b2b-4044afc5148a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/9042/
Detection(s):
SecuriteInfo.com.Win64.Trojan.Agent.VKPE24.12242.18491.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6849f60607b5e8c1cfe653b2
Tags:
keylog virus word
Result
Verdict:
Clean
Maliciousness:
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/e193bad23c195dca8d38d4488384ba367e8047cf70e57d5803d40020f144c7a8
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/46579a30-0e07-43cb-8a19-a4793d6dca06
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1712733
Signature
Antivirus / Scanner detection for submitted sample
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1712733 Sample: SecuriteInfo.com.Win64.Troj... Startdate: 11/06/2025 Architecture: WINDOWS Score: 100 38 clients2.googleusercontent.com 2->38 40 142.251.40.97 GOOGLEUS United States 2->40 42 googlehosted.l.googleusercontent.com 2->42 60 Suricata IDS alerts for network traffic 2->60 62 Antivirus / Scanner detection for submitted sample 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 3 other signatures 2->66 8 SecuriteInfo.com.Win64.Trojan.Agent.VKPE24.12242.18491.exe 14 119 2->8         started        signatures3 process4 dnsIp5 56 67.220.72.124, 15847, 49686, 49687 AWKNET-LLCUS Canada 8->56 58 clients2.googleusercontent.com 8->58 36 C:\Users\user\AppData\...\Secure Preferences, JSON 8->36 dropped 68 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->68 70 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 8->70 72 Tries to harvest and steal browser information (history, passwords, etc) 8->72 74 6 other signatures 8->74 13 chrome.exe 8->13         started        15 chrome.exe 8->15         started        17 chrome.exe 8->17         started        19 69 other processes 8->19 file6 signatures7 process8 process9 21 chrome.exe 13->21         started        24 chrome.exe 15->24         started        26 chrome.exe 17->26         started        28 chrome.exe 19->28         started        30 chrome.exe 19->30         started        32 chrome.exe 19->32         started        34 28 other processes 19->34 dnsIp10 44 clients2.googleusercontent.com 21->44 46 googlehosted.l.googleusercontent.com 142.251.40.193, 443, 49791 GOOGLEUS United States 21->46 48 clients2.googleusercontent.com 24->48 50 142.250.81.225 GOOGLEUS United States 24->50 52 clients2.googleusercontent.com 26->52 54 clients2.googleusercontent.com 28->54
Score:
14%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/e193bad23c195dca8d38d4488384ba367e8047cf70e57d5803d40020f144c7a8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e193bad23c195dca8d38d4488384ba367e8047cf70e57d5803d40020f144c7a8/
Threat name:
Win64.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-06-08 00:24:16 UTC
File Type:
PE+ (Exe)
Extracted files:
81
AV detection:
17 of 38 (44.74%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4gj3vur4dfo4vdjy2reihbf2gz7iar6podsx2wad2qacb4key6ua._file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/250611-1cqyxsdn5y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d12c14c1-27de-42cd-a399-dc6fbc742527
Unpacked files
SH256 hash:
e193bad23c195dca8d38d4488384ba367e8047cf70e57d5803d40020f144c7a8
MD5 hash:
13b1401882dd0ed20244c45526105859
SHA1 hash:
644178f456e92e404b88e6d8d7627c82e42e2ddc
Link:
https://www.unpac.me/results/9eec90e8-6117-4838-92f1-cc0097de44eb/
Malware family:
DonutLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e193bad23c19/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe e193bad23c195dca8d38d4488384ba367e8047cf70e57d5803d40020f144c7a8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3561087/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/9042/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::FreeSid
COM_BASE_APICan Download & Execute componentsapi-ms-win-core-com-l1-1-0.dll::CoAddRefServerProcess
api-ms-win-core-com-l1-1-0.dll::CoCreateInstance
api-ms-win-core-com-l1-1-0.dll::CoInitializeSecurity
RPC_APICan Execute Remote ProceduresRPCRT4.dll::RpcStringFreeW
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::CheckTokenMembership
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SOFTWARE_LICENSING_APIUses Software Licensing APIsppc.dll::SLGetGenuineInformation
WIN32_PROCESS_APICan Create Process and Threadsapi-ms-win-core-processthreads-l1-1-1.dll::GetProcessMitigationPolicy
KERNEL32.dll::OpenSemaphoreW
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThreadpoolTimer
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIapi-ms-win-core-processthreads-l1-1-0.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
api-ms-win-core-processthreads-l1-1-0.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::GetSystemDirectoryW
KERNEL32.dll::GetFileAttributesW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryInfoKeyW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetKeySecurity
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExW

Comments