MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3fcd5939117e6d491f2401bedc427173da1298d69f48b04ceb049817a3d47bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e3fcd5939117e6d491f2401bedc427173da1298d69f48b04ceb049817a3d47bd
SHA3-384 hash: 0dbf4a1bd5f558341d584f72d24ed01ebd697b9a543130f7249d382de40d2c56c47324c4f641834a8e9e141882d0f323
SHA1 hash: af44a764747999414581f90cf78e1488a9673e52
MD5 hash: 7b4b1de7890024f5a939ec27302627f6
humanhash: victor-carolina-colorado-asparagus
File name:verification.google
Download: download sample
File size:1'332'904 bytes
First seen:2026-03-04 16:23:20 UTC
Last seen:2026-03-04 17:38:28 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash e3bd8ce5b9b29e3ac963c4ae92abd432
ssdeep 24576:slT149SL/vX0N+nSGfZ8fuce832znDEFlYqQ5YG97oIX4u9xZ0GIOH3BBrCvsUlw:JoUxi6hmR3LgY+DrHA
Threatray 33 similar samples on MalwareBazaar
TLSH T14855A482F7E781A5A89749F18096A22BEE702708D815E225FF731603F5F271149B8FDD
TrID 21.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
21.2% (.EXE) Win64 Executable (generic) (6522/11/2)
16.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
14.6% (.EXE) Win32 Executable (generic) (4504/4/1)
6.6% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter BlinkzSec
Tags:dll

Intelligence

File Origin
# of uploads :
2
# of downloads :
108
Origin country :
GB GB
Vendor Threat Intelligence
No detections
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/55609/
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69a7ee3c002d37d5c9838159
Tags:
injection obfusc virus
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
invalid-signature packed signed
Link:
https://www.filescan.io/uploads/69a85cb097feb4afd669e812/reports/ae563cb4-a14d-4c20-8942-97f9f1ad9c28/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/e3fcd5939117e6d491f2401bedc427173da1298d69f48b04ceb049817a3d47bd
Result
Gathering data
Verdict:
Clean
File Type:
dll x32
Link:
https://opentip.kaspersky.com/e3fcd5939117e6d491f2401bedc427173da1298d69f48b04ceb049817a3d47bd/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/eac45bd0-8d37-446e-bcb8-90cc5f58af1f
Result
Threat name:
Amatera Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1878378
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Creates a thread in another existing process (thread injection)
Found many strings related to Crypto-Wallets (likely being stolen)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Amatera Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1878378 Sample: verification.google Startdate: 04/03/2026 Architecture: WINDOWS Score: 100 73 Suricata IDS alerts for network traffic 2->73 75 Antivirus detection for URL or domain 2->75 77 Multi AV Scanner detection for submitted file 2->77 79 Yara detected Amatera Stealer 2->79 9 loaddll32.exe 1 2->9         started        process3 process4 11 rundll32.exe 1 9->11         started        14 rundll32.exe 9->14         started        16 cmd.exe 1 9->16         started        18 7 other processes 9->18 signatures5 81 Found many strings related to Crypto-Wallets (likely being stolen) 11->81 83 Writes to foreign memory regions 11->83 85 Allocates memory in foreign processes 11->85 20 powershell.exe 11->20         started        23 powershell.exe 11->23         started        34 4 other processes 11->34 87 Tries to steal Crypto Currency Wallets 14->87 89 Creates a thread in another existing process (thread injection) 14->89 25 powershell.exe 14->25         started        36 5 other processes 14->36 27 rundll32.exe 16->27         started        91 System process connects to network (likely due to code injection or exploit) 18->91 93 Tries to harvest and steal browser information (history, passwords, etc) 18->93 30 powershell.exe 18->30         started        32 powershell.exe 18->32         started        38 29 other processes 18->38 process6 dnsIp7 69 91.219.23.145 POWERNETRU Russian Federation 20->69 40 conhost.exe 20->40         started        42 conhost.exe 23->42         started        44 conhost.exe 25->44         started        71 89.124.82.121, 443, 49694, 49695 IBIS-ASImagineGroupLtdIE Ireland 27->71 95 Writes to foreign memory regions 27->95 97 Allocates memory in foreign processes 27->97 99 Tries to steal Crypto Currency Wallets 27->99 101 Creates a thread in another existing process (thread injection) 27->101 50 6 other processes 27->50 46 conhost.exe 30->46         started        48 conhost.exe 32->48         started        53 2 other processes 34->53 55 3 other processes 36->55 57 17 other processes 38->57 signatures8 process9 dnsIp10 67 194.150.220.218 SAFEGRIDRO Ukraine 50->67 59 conhost.exe 50->59         started        61 conhost.exe 50->61         started        63 conhost.exe 50->63         started        65 conhost.exe 50->65         started        process11
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e3fcd5939117e6d491f2401bedc427173da1298d69f48b04ceb049817a3d47bd/
Verdict:
Susipicious
Link:
https://tip.neiki.dev/file/e3fcd5939117e6d491f2401bedc427173da1298d69f48b04ceb049817a3d47bd
Threat name:
Win32.Malware.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-03-04 08:33:16 UTC
File Type:
PE (Dll)
AV detection:
2 of 36 (5.56%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4p6nle4rc7tnjepsian63rbhc462ckmnnh2iwbgowbeyc6r5i66q._file
Verdict:
malicious
Label(s):
amaterastealer
Create hunting rule
Similar samples:
1809e9ca0c8091019527cdf598d985c07e28a4fdd4079193ee83aa3341660569
1e04ffcf999ffc21d769cd936f2662371d86ddec965dd486b55f5064312502f0
231ebbfd680cee62d1c4a2ea1b44686c311bfc94a1fe57af3a41ef4b08797c95
36650123e804721d04b9e60d381e9f0f5615b6a11e04bbfeec933b4dd1f1b83d
5462277bbc426f715ee14b01d5d5a70e5bce0a6d7bc608e8db2dcf8716df0971
9f3c3388c6ce825295a8c36a7668a215b4f0defdd2335e9fc29810d4a5a0b1cd
b860a6f104957545780d0a684dc08d6594dfa6c1e54f83384c4d7eb1acbf4f70
ecf674e913f5fd7429886d419978470bb2f0d7832225dc51d98aa79c5f62c3d5
error
fc0679e7f8653a35bb725adfd54fa7a58db8b1d10ef0231c65907db622075b58
+ 23 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution spyware stealer
Link:
https://tria.ge/reports/260304-twg2ssew21/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Badlisted process makes network request
Unpacked files
SH256 hash:
e3fcd5939117e6d491f2401bedc427173da1298d69f48b04ceb049817a3d47bd
MD5 hash:
7b4b1de7890024f5a939ec27302627f6
SHA1 hash:
af44a764747999414581f90cf78e1488a9673e52
Link:
https://www.unpac.me/results/321bf6ac-c454-4415-a406-3ce6a698c26e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/e3fcd5939117e6d491f2401bedc427173da1298d69f48b04ceb049817a3d47bd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DLL dll e3fcd5939117e6d491f2401bedc427173da1298d69f48b04ceb049817a3d47bd

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3789535/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3789390/
  
URLhaus
https://urlhaus.abuse.ch/url/3789401/
  
URLhaus
https://urlhaus.abuse.ch/url/3789407/
  
URLhaus
https://urlhaus.abuse.ch/url/3789495/
  
URLhaus
https://urlhaus.abuse.ch/url/3789499/
  
URLhaus
https://urlhaus.abuse.ch/url/3789501/
  
URLhaus
https://urlhaus.abuse.ch/url/3789503/
  
URLhaus
https://urlhaus.abuse.ch/url/3789505/
  
URLhaus
https://urlhaus.abuse.ch/url/3789507/
  
URLhaus
https://urlhaus.abuse.ch/url/3789509/
  
URLhaus
https://urlhaus.abuse.ch/url/3789513/
  
URLhaus
https://urlhaus.abuse.ch/url/3789518/
  
URLhaus
https://urlhaus.abuse.ch/url/3789519/
  
URLhaus
https://urlhaus.abuse.ch/url/3789520/
  
URLhaus
https://urlhaus.abuse.ch/url/3789522/
  
URLhaus
https://urlhaus.abuse.ch/url/3789523/
  
URLhaus
https://urlhaus.abuse.ch/url/3789525/
  
URLhaus
https://urlhaus.abuse.ch/url/3789526/
  
URLhaus
https://urlhaus.abuse.ch/url/3789529/
  
URLhaus
https://urlhaus.abuse.ch/url/3789537/
  
URLhaus
https://urlhaus.abuse.ch/url/3789541/
  
URLhaus
https://urlhaus.abuse.ch/url/3789542/
  
URLhaus
https://urlhaus.abuse.ch/url/3789543/
  
URLhaus
https://urlhaus.abuse.ch/url/3789545/
  
URLhaus
https://urlhaus.abuse.ch/url/3789547/
  
URLhaus
https://urlhaus.abuse.ch/url/3789549/
  
URLhaus
https://urlhaus.abuse.ch/url/3789550/
Cape
Cape
https://www.capesandbox.com/analysis/55609/
  
URLhaus
https://urlhaus.abuse.ch/url/3789553/
  
URLhaus
https://urlhaus.abuse.ch/url/3789555/
  
URLhaus
https://urlhaus.abuse.ch/url/3789557/
  
URLhaus
https://urlhaus.abuse.ch/url/3789560/
  
URLhaus
https://urlhaus.abuse.ch/url/3789563/
  
URLhaus
https://urlhaus.abuse.ch/url/3789565/
  
URLhaus
https://urlhaus.abuse.ch/url/3789568/
  
URLhaus
https://urlhaus.abuse.ch/url/3789569/
  
URLhaus
https://urlhaus.abuse.ch/url/3789570/
  
URLhaus
https://urlhaus.abuse.ch/url/3789572/
  
URLhaus
https://urlhaus.abuse.ch/url/3789574/
  
URLhaus
https://urlhaus.abuse.ch/url/3789576/
  
URLhaus
https://urlhaus.abuse.ch/url/3789579/
  
URLhaus
https://urlhaus.abuse.ch/url/3789580/
  
URLhaus
https://urlhaus.abuse.ch/url/3789581/
  
URLhaus
https://urlhaus.abuse.ch/url/3789585/
  
URLhaus
https://urlhaus.abuse.ch/url/3789586/
  
URLhaus
https://urlhaus.abuse.ch/url/3789589/
  
URLhaus
https://urlhaus.abuse.ch/url/3789592/
  
URLhaus
https://urlhaus.abuse.ch/url/3789594/
  
URLhaus
https://urlhaus.abuse.ch/url/3789596/
  
URLhaus
https://urlhaus.abuse.ch/url/3789597/
  
URLhaus
https://urlhaus.abuse.ch/url/3789601/
  
URLhaus
https://urlhaus.abuse.ch/url/3789603/
  
URLhaus
https://urlhaus.abuse.ch/url/3789606/
  
URLhaus
https://urlhaus.abuse.ch/url/3789607/
  
URLhaus
https://urlhaus.abuse.ch/url/3789610/
  
URLhaus
https://urlhaus.abuse.ch/url/3789625/
  
URLhaus
https://urlhaus.abuse.ch/url/3789627/

Comments