MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e495342a5e4140fe64e602a6370acd8050f2ea29bb22916c85eddff416543c72. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 7

SHA256 hash: e495342a5e4140fe64e602a6370acd8050f2ea29bb22916c85eddff416543c72
SHA3-384 hash: ec6e683a5d1abe4a439273a6bab25167f776b1bbdc246ebdd054f08527bdccfd95a3fcc42a58aeade04b16a7bd4df1fc
SHA1 hash: 33545e64be8e0719653c74f71d28bc1ce2a962d5
MD5 hash: 32198579010783b2513c334187c29a22
humanhash: solar-green-angel-freddie
File name: app5.jar
File size: 29'642'392 bytes
First seen: 2025-09-13 19:26:06 UTC
Last seen: Never
File type: Java file jar
MIME type: application/zip
ssdeep: 786432:LDNcvQGN5q+feL1rC8Mk4CrpPXjstm97IDEz5:LDNc4Y55eLVC8MkDtPXWu7I4z5
TLSH: T11E570219D25F403ACA57D67928EF4BE6FF30829F8221571F23F439198CD2B890B62759
TrID: 55.0% (.SPE) SPSS Extension (30000/1/7)
      24.7% (.JAR) Java Archive (13500/1/2)
      12.8% (.MAFF) Mozilla Archive Format (gen) (7000/1/1)
      7.3% (.ZIP) ZIP compressed archive (4000/1)
Magika: jar
Reporter: burger
Tags: jar payload

Intelligence

File Origin
# of uploads: 1
# of downloads: 58
Origin country: NL
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: app5.jar
Verdict: Malicious activity
Analysis date: 2025-09-13 19:32:38 UTC
Tags: arch-doc discord java stealer github python

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-debug anti-vm lolbin macros-on-close obfuscated runonce

Verdict: Malicious
File Type: jar
Detections: Trojan-PSW.Win32.Greedy.sb

Result
Threat name: n/a
Detection: malicious
Classification: troj.spyw.expl
Score: 84 / 100
Signature
Attempt to bypass Chrome Application-Bound Encryption
Exploit detected, runtime environment dropped PE file
Exploit detected, runtime environment starts unknown processes
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Sigma detected: Potential Data Stealing Via Chromium Headless Debugging
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph (ID 1777084; sample app5.jar; start date 13/09/2025; architecture WINDOWS; score 84)

Result
Malware family: n/a
Score: 8/10
Tags: defense_evasion discovery execution pyinstaller spyware stealer
Behaviour
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Browser Information Discovery
Detects Pyinstaller
Enumerates processes with tasklist
Legitimate hosting services abused for malware hosting/C2
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Java file jar e495342a5e4140fe64e602a6370acd8050f2ea29bb22916c85eddff416543c72 (this sample)

Delivery method: Distributed via web download

Comments