MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4f6682204ce8ca3a7c7d5b26fa08a367dea4f33969013f3b840f8aaf3e3ed34. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 12



SHA256 hash: e4f6682204ce8ca3a7c7d5b26fa08a367dea4f33969013f3b840f8aaf3e3ed34
SHA3-384 hash: 6c74cfc9f1240cd29cefcbe7d534184bbb5a66e44fc67e8766b4316e691c3ee3650c238a4dcc52c4ce3f6f72f998f28a
SHA1 hash: 5fef004be1e6bb7670be7a3e9f71656233a28add
MD5 hash: f31717eaaa7df978792a8a9344568fdd
humanhash: rugby-lactose-august-india
File name:gkonkh.exe
Download: download sample
File size:5'859'334 bytes
First seen:2025-04-29 12:49:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 75e9596d74d063246ba6f3ac7c5369a0 (8 x DCRat, 5 x PythonStealer, 4 x CoinMiner)
ssdeep 98304:ZsGOOjWmCwBGlu73164Y6tn63iJAGasLpV25aTGxYh7PCYDpk9pkyo90:jgmCo73sr3CZaslV25aCSh7PlFYCh6
TLSH T1AF463323F9D5C571C29A6832C95D8FB5A5BA6C8087164EDFA3643AFE75310F21B306C2
TrID 40.3% (.EXE) Win64 Executable (generic) (10522/11/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon b2e1b496a6cada72 (13 x LummaStealer, 12 x AsyncRAT, 8 x Rhadamanthys)
Reporter aachum
Tags:exe

Intelligence


File Origin
# of uploads :
1
# of downloads :
402
Origin country :
ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Value.exe
Verdict:
Malicious activity
Analysis date:
2025-04-29 12:38:45 UTC
Tags:
purecrypter pureminer netreactor loader phishing lumma stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
92.5%
Tags:
injection obfusc lien remo
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Using the Windows Management Instrumentation requests
Forced system process termination
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a file
Deleting a recently created file
Query of malicious DNS domain
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm crypto entropy expand fingerprint golang installer lolbin microsoft_visual_cc obfuscated overlay overlay packed packed packer_detected sfx zero
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Connects to many ports of the same IP (likely port scanning)
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Silenttrinity Stager Msbuild Activity
Suspicious powershell command line found
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected PersistenceViaHiddenTask
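The sandbox signatures above ("Encrypted powershell cmdline option found", "Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet") together with the "Adding an exclusion to Microsoft Defender" behaviour describe one technique: a Defender-tampering cmdlet hidden behind `powershell -EncodedCommand`. The script below is an added example written for this page; it is not MalwareBazaar's or any sandbox vendor's code, and the command lines in `SAMPLE_CMDLINES` are constructed placeholders, not indicators taken from the sample. It shows both detection approaches: decoding the UTF-16LE base64 payload and inspecting the script, and the Sigma-style trick of matching the three base64 alignments of a keyword directly in the raw command line without decoding.

```python
"""Spot Defender-tampering PowerShell hidden behind -EncodedCommand.

Added example (not MalwareBazaar's or any sandbox vendor's code). The command
lines in SAMPLE_CMDLINES are constructed for illustration; the paths in them
are placeholders, not indicators from the sample.
"""
import base64
import re
from typing import Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -en, -enc, ...)
# plus the documented short form -ec, with either '-' or '/' as switch character.
_FLAG_ALTS = sorted({"ec"} | {"encodedcommand"[:i] for i in range(1, 15)}, key=len, reverse=True)
_ENC_RE = re.compile(
    r"(?:^|\s)[-/](?:" + "|".join(_FLAG_ALTS) + r")\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)
# Cmdlets and parameters that weaken Microsoft Defender when issued from user code.
_MPPREF_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
_TAMPER_RE = re.compile(r"-(?:Exclusion(?:Path|Process|Extension|IpAddress)|Disable\w+)", re.IGNORECASE)


def b64_variants(needle: str) -> list:
    """Return the three base64 substrings that can encode `needle` (UTF-16LE) at any alignment.

    Base64 text for a byte sequence depends on its offset modulo 3, which is why Sigma
    rules for encoded commands list three strings per keyword. Leading and trailing
    characters that mix in neighbouring bytes are dropped so the result is a pure substring.
    """
    raw = needle.encode("utf-16le")
    variants = []
    for shift in range(3):
        enc = base64.b64encode(b"\x00" * shift + raw).decode("ascii")
        lead = (0, 2, 3)[shift]                    # chars polluted by the pad bytes in front
        trail = (0, 3, 2)[(shift + len(raw)) % 3]  # chars polluted by '=' padding at the end
        variants.append(enc[lead:len(enc) - trail])
    return variants


B64_NEEDLES = b64_variants("Add-MpPreference") + b64_variants("Set-MpPreference")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return None


def assess(cmdline: str) -> dict:
    """Score one process command line; 'alert' is the combined verdict."""
    decoded = decode_encoded_command(cmdline)
    script = decoded if decoded is not None else cmdline
    result = {
        "encoded": decoded is not None,
        "raw_b64_match": any(v in cmdline for v in B64_NEEDLES),  # Sigma-style, no decoding
        "mppreference": bool(_MPPREF_RE.search(script)),
        "tamper_param": bool(_TAMPER_RE.search(script)),
    }
    result["alert"] = result["mppreference"] and result["tamper_param"]
    return result


def make_encoded(script: str) -> str:
    """Encode a script the way `powershell -EncodedCommand` expects (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed test input (placeholders, not data from the sample).
SAMPLE_CMDLINES = [
    "powershell.exe -NoP -W Hidden -enc "
    + make_encoded("Add-MpPreference -ExclusionPath 'C:\\Users\\user\\AppData\\Roaming'"),
    'powershell.exe -Command "Get-MpPreference | Select-Object ExclusionPath"',
    "powershell.exe -ep bypass -ec " + make_encoded("Set-MpPreference -DisableRealtimeMonitoring $true"),
    "cmd.exe /c whoami",
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(assess(line), line[:60])
```

The raw-substring check is cheap and works on truncated telemetry, but it only sees the keywords you pre-encoded; decoding first also catches other cmdlets and odd spacing, at the cost of needing the full command line. Both miss scripts that build the cmdlet name at runtime, which is why the sandbox's behavioural signal (a Defender exclusion actually being added) remains the stronger indicator.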
Behaviour
Behavior Graph (ID 1677309, sample gkonkh.exe, start date 29/04/2025, architecture WINDOWS, score 100), recovered from the graph rendering:
Top-level signatures: Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; Yara detected AntiVM3; 11 other signatures
Top-level domains: lofhr.com; loadingfreelofhr.net; 5 other IPs or domains
Top-level processes started: gkonkh.exe; Value.exe; CanReuseTransform.exe; 4 other processes
gkonkh.exe dropped: C:\Users\user\AppData\Local\Temp\...\info.exe (PE32+); C:\Users\user\...\dotNetFx46_Full_setup.exe (PE32+); C:\Users\user\AppData\...\VC_redist.x86.exe (PE32+)
gkonkh.exe started: dotNetFx46_Full_setup.exe; VC_redist.x86.exe; info.exe
Value.exe: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); started MSBuild.exe
CanReuseTransform.exe: Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes; started InstallUtil.exe
Other processes: Loading BitLocker PowerShell Module; started conhost.exe (three instances) and WmiPrvSE.exe
dotNetFx46_Full_setup.exe: dropped C:\Users\user\...\CanReuseTransform.exe (PE32+); Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
VC_redist.x86.exe: dropped C:\Users\user\AppData\Roaming\...\Value.exe (PE32+)
info.exe: connected to stats-1.crabdance.com (82.115.223.212, ports 49686, 80; MIDNET-ASTK-TelecomRU, Russian Federation); started conhost.exe
MSBuild.exe: connected to loadingfreelofhr.net (185.208.156.66, ports 443, 49695, 49729; SIMPLECARRIERCH, Switzerland); loadingfreedlophr.com.de (213.209.150.69, ports 39001, 49692, 49694; KEMINETAL, Germany); github.com (140.82.114.4, ports 443, 49732, 49773; GITHUBUS, United States)
InstallUtil.exe: started chrome.exe
Threat name:
ByteCode-MSIL.Trojan.Heracles
Status:
Malicious
First seen:
2025-04-28 12:56:56 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
26 of 36 (72.22%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery execution
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Tags:
Win.Packed.Zusy-10014517-0
YARA:
n/a
Unpacked files
SHA256 hash:
e4f6682204ce8ca3a7c7d5b26fa08a367dea4f33969013f3b840f8aaf3e3ed34
MD5 hash:
f31717eaaa7df978792a8a9344568fdd
SHA1 hash:
5fef004be1e6bb7670be7a3e9f71656233a28add
SHA256 hash:
2c5ff17a5fe069fc007ff81824d675360186587ef834156fc2696630c370a4c9
MD5 hash:
417bf30b5ed2a1d679a93028f13a1ca3
SHA1 hash:
1dfa837d0745a77096a75627143a687fc99c950f
SHA256 hash:
a2906e3083c7767bd805ed63c5d2211440dca9decb8876b7843674e7b6b02a24
MD5 hash:
5563fd5ef0892c459d7f2eb3244664a9
SHA1 hash:
922617a46fe0ac07989af2042db9a50dc1e6aaa7
SHA256 hash:
ec8edefc4337f8c2d40dfa61aa65cf245ef2e7d1292182c9bd4f0a1ee86d0241
MD5 hash:
109f33e1da9b7dccbf61c7247fb7dcc6
SHA1 hash:
93066c8a4e79f7aae13811dda4173d4d4c3c8d57
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:RIPEMD160_Constants
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe e4f6682204ce8ca3a7c7d5b26fa08a367dea4f33969013f3b840f8aaf3e3ed34

(this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID: CHECK_AUTHENTICODE
Title: Missing Authenticode
Severity: high
ID: CHECK_DLL_CHARACTERISTICS
Title: Missing dll Security Characteristics (HIGH_ENTROPY_VA)
Severity: high
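Both findings above come from the PE headers alone: the security data directory (index 4) is empty, so there is no embedded Authenticode signature, and the optional header's DllCharacteristics field lacks the HIGH_ENTROPY_VA bit. The script below is an added example written for this page, not BLint's implementation; `build_minimal_pe` produces synthetic headers-only fixtures for testing (not bytes from the sample), and the set of mitigation bits it requires is this example's choice, since the page does not state which bits BLint checks.

```python
"""Headers-only PE checks of the kind BLint reports above.

Added example, not BLint's own implementation. The images produced by
build_minimal_pe() are synthetic fixtures (headers only, not loadable), not
bytes from the sample. Which DllCharacteristics bits BLint itself requires is
not stated on the page; the set checked below is this example's choice.
"""
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR may use the full address space (PE32+ only)
DYNAMIC_BASE = 0x0040      # image can be relocated (ASLR)
NX_COMPAT = 0x0100         # DEP compatible
GUARD_CF = 0x4000          # Control Flow Guard
SECURITY_DIR = 4           # IMAGE_DIRECTORY_ENTRY_SECURITY: Authenticode blob (file offset, size)


def build_minimal_pe(dll_characteristics: int, pe32plus: bool = True, signature_size: int = 0) -> bytes:
    """Construct an MZ/PE header pair with the given DllCharacteristics (test fixture only)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    fixed = 112 if pe32plus else 96             # optional header bytes before the data directories
    opt = bytearray(fixed + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)   # Magic
    struct.pack_into("<H", opt, 70, dll_characteristics)           # same offset in PE32 and PE32+
    struct.pack_into("<I", opt, fixed - 4, 16)                     # NumberOfRvaAndSizes
    if signature_size:
        blob_offset = e_lfanew + 4 + 20 + len(opt)                 # pretend the blob follows the headers
        struct.pack_into("<II", opt, fixed + 8 * SECURITY_DIR, blob_offset, signature_size)
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), 0x0002)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def check_pe(data: bytes) -> dict:
    """Parse the headers and return BLint-style findings as (id, title, severity) tuples."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    pe32plus = magic == 0x20B
    fixed = 112 if pe32plus else 96
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, opt + fixed - 4)[0]
    sig_size = 0
    if ndirs > SECURITY_DIR and opt_size >= fixed + 8 * (SECURITY_DIR + 1):
        _, sig_size = struct.unpack_from("<II", data, opt + fixed + 8 * SECURITY_DIR)

    findings = []
    if sig_size == 0:
        findings.append(("CHECK_AUTHENTICODE", "Missing Authenticode", "high"))
    wanted = [(DYNAMIC_BASE, "DYNAMIC_BASE"), (NX_COMPAT, "NX_COMPAT"), (GUARD_CF, "GUARD_CF")]
    if pe32plus:                                   # HIGH_ENTROPY_VA is meaningless for 32-bit images
        wanted.append((HIGH_ENTROPY_VA, "HIGH_ENTROPY_VA"))
    missing = [name for bit, name in wanted if not dllchars & bit]
    if missing:
        findings.append(("CHECK_DLL_CHARACTERISTICS",
                         "Missing dll Security Characteristics (" + ", ".join(missing) + ")", "high"))
    return {"pe32plus": pe32plus, "machine": machine, "dll_characteristics": dllchars,
            "authenticode_present": sig_size > 0, "findings": findings}


if __name__ == "__main__":
    hardened = build_minimal_pe(HIGH_ENTROPY_VA | DYNAMIC_BASE | NX_COMPAT | GUARD_CF, signature_size=0x2000)
    unsigned_no_heva = build_minimal_pe(DYNAMIC_BASE | NX_COMPAT | GUARD_CF)
    for name, image in (("hardened", hardened), ("unsigned_no_heva", unsigned_no_heva)):
        print(name, check_pe(image)["findings"])
```

Two caveats when reading these findings on a real file: a non-empty security directory only says a signature blob is embedded, not that it verifies (use signtool or Get-AuthenticodeSignature for that), and a file with an empty directory may still be catalog-signed. HIGH_ENTROPY_VA only has an effect together with DYNAMIC_BASE, so its absence on a 64-bit image weakens ASLR rather than disabling it. Neither finding proves maliciousness; unsigned installers without the bit are common, which is why they rate as hygiene findings rather than detections.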
Reviews
ID: GDI_PLUS_API
Capabilities: Interfaces with Graphics
Evidence: gdiplus.dll::GdiplusStartup, gdiplus.dll::GdiplusShutdown, gdiplus.dll::GdipAlloc
ID: WIN32_PROCESS_API
Capabilities: Can Create Process and Threads
Evidence: KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
ID: WIN_BASE_API
Capabilities: Uses Win Base API
Evidence: KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryW, KERNEL32.dll::LoadLibraryExA, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetSystemInfo, KERNEL32.dll::GetStartupInfoW
ID: WIN_BASE_EXEC_API
Capabilities: Can Execute other programs
Evidence: KERNEL32.dll::AllocConsole, KERNEL32.dll::AttachConsole, KERNEL32.dll::WriteConsoleW, KERNEL32.dll::FreeConsole, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleMode, KERNEL32.dll::GetConsoleCP
ID: WIN_BASE_IO_API
Capabilities: Can Create Files
Evidence: KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateHardLinkW, KERNEL32.dll::CreateFileW, KERNEL32.dll::CreateFileMappingW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::MoveFileW, KERNEL32.dll::MoveFileExW

Comments