MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1a3e3e0cc2e8b9476504c920ee20c9e50ef9f3270d7c4562da774dd9c990c58. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 16



SHA256 hash: e1a3e3e0cc2e8b9476504c920ee20c9e50ef9f3270d7c4562da774dd9c990c58
SHA3-384 hash: 4a08178c0d2af79d4ddf0d9950941f5e781f1d5554ed76c5acc1d0b981cecf6c2687b969cedc022ed74851e9c50d93fc
SHA1 hash: 0118ba6026af1769a6a46925b81a07ea41a834b3
MD5 hash: a06636d2b8aa4ce2a05d484a510f35cd
humanhash: romeo-massachusetts-coffee-king
File name: a06636d2b8aa4ce2a05d484a510f35cd.exe
Download: download sample
File size: 2'955'956 bytes
First seen: 2025-11-18 06:42:29 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f6baa5eaa8231d4fe8e922a2e6d240ea (63 x CoinMiner, 22 x DCRat, 15 x LummaStealer)
ssdeep 49152:IgwRqHtgSlNf25gsDf+fQazuUQvycsG2SV583WJn+1Z9a7KmU79fq10XbH1vugNc:IgwRe85gG+f6XvyfDaOWJn+MWmm9qqj6
Threatray 1'111 similar samples on MalwareBazaar
TLSH T10CD5331177A391B1D48B483265ED294905DDDEAC3B1AA2CBBFEE65070DB43D0CA7E0B1
TrID 38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
24.6% (.EXE) Win64 Executable (generic) (10522/11/4)
11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.7% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter abuse_ch
Tags: exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 80
Origin country: SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a06636d2b8aa4ce2a05d484a510f35cd.exe
Verdict:
Malicious activity
Analysis date:
2025-11-18 06:44:11 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
94.9%
Tags:
shellcode shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
Creating a file in the Program Files subdirectories
Launching cmd.exe command interpreter
Creating a service
Launching a service
Creating synchronization primitives
Creating a file
Moving a recently created file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
Forced system process termination
Enabling autorun for a service
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context crypt fingerprint installer installer keylogger microsoft_visual_cc overlay overlay
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-17T06:22:00Z UTC
Last seen:
2025-11-17T06:41:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan-Ransom.Win32.Generic HEUR:Trojan.PowerShell.Generic HEUR:HackTool.Win64.NoDefender.a HEUR:HackTool.PowerShell.InvokeObfuscation.gen Trojan.PowerShell.Kriptik.sba BSS:HackTool.Win32.Yzon.a Trojan.PowerShell.Cobalt.sb
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.expl.evad
Score:
100 / 100
Signature
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to register a low level keyboard hook
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Suspicious powershell command line found
Uses cmd line tools excessively to alter registry or file data
Behaviour
Behavior Graph:
Behavior Graph ID: 1815785
Sample: vfjH7wAM5z.exe
Startdate: 18/11/2025
Architecture: WINDOWS
Score: 100

Sample-level signatures:
- Malicious sample detected (through community Yara rule)
- Antivirus detection for dropped file
- Multi AV Scanner detection for dropped file
- 4 other signatures

Process tree (dropped files and signatures are listed under the process that produced them; "..." path segments are elided in the graph as shown):
vfjH7wAM5z.exe
  dropped: C:\Users\user\AppData\Local\...\setup.cmd (ASCII)
  signature: Contains functionality to register a low level keyboard hook
  cmd.exe
    dropped: C:\Users\user\AppData\Local\Temp\...\7z (ASCII)
    signature: Suspicious powershell command line found
    signature: Uses cmd line tools excessively to alter registry or file data
    7za.exe
      dropped: C:\Program Files\...\wsc_proxy.exe (PE32)
      dropped: C:\Program Files\Avast Software\...\wsc.dll (PE32)
      dropped: C:\Program Files\...\powrprof.exe (PE32)
      dropped: C:\Program Files\...\powrprof.dll (PE32)
      signature: Multi AV Scanner detection for dropped file
    powershell.exe
      dropped: C:\ProgramData\Microsoft\...\vfjH7wAM5z.exe (PE32)
      dropped: C:\Users\user\AppData\...\1hbvxoql.cmdline (Unicode)
      dropped: C:\...\vfjH7wAM5z.exe:Zone.Identifier (ASCII)
      csc.exe
        dropped: C:\Users\user\AppData\Local\...\1hbvxoql.dll (PE32)
        cvtres.exe
    powershell.exe
      dropped: C:\Users\user\AppData\Local\Temp\...\7za.exe (PE32)
      signature: Loading BitLocker PowerShell Module
      signature: Powershell drops PE file
    6 other processes
  cmd.exe
    conhost.exe
vfjH7wAM5z.exe
  signature: Multi AV Scanner detection for dropped file
  cmd.exe
    dropped: C:\Users\user\AppData\Local\Temp\...\7z (ASCII)
    7za.exe
    8 other processes
      dropped: C:\Users\user\AppData\Local\Temp\...\7za.exe (PE32)
      csc.exe
        dropped: C:\Users\user\AppData\Local\...\ry0dmy12.dll (PE32)
        cvtres.exe
  cmd.exe
    conhost.exe
svchost.exe
  signature: Changes security center settings (notifications, updates, antivirus, firewall)
  MpCmdRun.exe
    conhost.exe
10 other processes
  network: 127.0.0.1 unknown unknown
  WerFault.exe
  WerFault.exe
  WerFault.exe
  WerFault.exe
Verdict:
Malware
YARA:
5 match(es)
Tags:
DeObfuscated Executable PE (Portable Executable) PE File Layout PowerShell SFX 7z Win 32 Exe x86
Verdict:
Malicious
Threat:
Trojan.PowerShell.Kriptik
Threat name:
Win32.Ransomware.Pay2Key
Status:
Suspicious
First seen:
2025-11-18 04:28:57 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery execution upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
UPX packed file
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Executes dropped EXE
Unpacked files

SHA256 hash: e1a3e3e0cc2e8b9476504c920ee20c9e50ef9f3270d7c4562da774dd9c990c58
MD5 hash: a06636d2b8aa4ce2a05d484a510f35cd
SHA1 hash: 0118ba6026af1769a6a46925b81a07ea41a834b3

SHA256 hash: 1273e8c2d25318149cbcdf4cff8c6a1e00d8aa37664f482149cb132b119d2547
MD5 hash: e495bf2c1e6dae2ea4a52b70e280b190
SHA1 hash: 13638a3689e2e554d1ce4b3f6fadb427cfa449e0

SHA256 hash: b6301160d2cceb9df1bb2d0548d65c31ecc38b694fa5efe67899935f19870fce
MD5 hash: 46857dedd8ea45006ec3ebff24739f8b
SHA1 hash: 47bd7d9f2eb13d178327769b964043887258390e

SHA256 hash: f457b1cb1b146ab07117e34dc50881ef787946a0311467d82469fdaa3e54884c
MD5 hash: 52b7073101ce2f83c85ed698f1ee0445
SHA1 hash: cd2f016c79de7d4bf20d1366cc9483b610b4ffc2
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments