MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e54d1745cf9b6690642c4eccb7720c21468c4cd8bc73d5c4f542b6db69970ef0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DarkWatchman


Vendor detections: 15



SHA256 hash: e54d1745cf9b6690642c4eccb7720c21468c4cd8bc73d5c4f542b6db69970ef0
SHA3-384 hash: 863d69c2caec44107e49f1c1d622364606a8f084ddf156b1c7a809f85bd68fc09372a38382d52a6a56a9d2e96fc562fd
SHA1 hash: 7d529d001c5a333bcd5cb4674a6881f46cf8592c
MD5 hash: b346af9c285e8541d567a4fb49672434
humanhash: hamper-carpet-magnesium-ten
File name: b346af9c285e8541d567a4fb49672434.exe
Signature: DarkWatchman
File size: 361'049 bytes
First seen: 2026-04-01 06:08:12 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (879 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 6144:5OYGXaPNxdgSdcq2pVZPOJHAbKVLk8oGA47HmImqVYTQ4Bg4K:lGqN/XdctpVtklLkeHiqVp4B8
Threatray: 2'676 similar samples on MalwareBazaar
TLSH: T14E74D002B6D28872D57329325A3AFB256D3D7D201F24DA1FB3D40D6EEA314916634BB3
TrID: 92.3% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
      2.2% (.EXE) Win64 Executable (generic) (6522/11/2)
      1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
      1.5% (.EXE) Win32 Executable (generic) (4504/4/1)
      0.7% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
dhash icon: 0000000000000000 (898 x AgentTesla, 540 x Formbook, 316 x RedLineStealer)
Reporter: abuse_ch
Tags: DarkWatchman exe

Intelligence


File Origin
Uploads: 1
Downloads: 125
Origin country: SE
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: b346af9c285e8541d567a4fb49672434.exe
Verdict: Malicious activity
Analysis date: 2026-04-01 06:10:16 UTC
Tags: anti-evasion susp-powershell

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 94.9%
Tags: xtreme shell sage
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Launching a process
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% directory
Moving a file to the %temp% directory
Creating a process from a recently created file
Forced system process termination
DNS request
Connection attempt
Sending an HTTP POST request
Creating a file
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug cobalt encrypted fingerprint installer installer microsoft_visual_cc obfuscated overlay packed sfx similar-threat
Result
Verdict: Malicious
File Type: exe x32
First seen: 2026-03-21T17:05:00Z UTC
Last seen: 2026-03-21T19:09:00Z UTC
Hits: ~10
Result
Threat name: DarkWatchman
Detection: malicious
Classification: rans.troj.spyw.expl.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Creates processes via WMI
Deletes shadow drive data (may be related to ransomware)
Encrypted powershell cmdline option found
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes or reads registry keys via WMI
WScript reads language and country specific registry keys (likely country aware script)
Wscript starts Powershell (via cmd or directly)
Yara detected DarkWatchman
Behaviour
Behavior Graph (Joe Sandbox graph ID 1891838; sample ahpIrbZeKi.exe; start date 01/04/2026; architecture WINDOWS; score 100). The rendered graph did not survive extraction; the recoverable node data is summarised below.
Root-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 10 other signatures. Contacted domain: a2b5caf8.bond.
Process chain:
ahpIrbZeKi.exe starts wscript.exe, which drops C:\Users\user\AppData\Roaming\188149b1.js (ASCII) and starts powershell.exe and cmd.exe (signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Encrypted powershell cmdline option found; 7 other signatures).
A second wscript.exe instance, started directly at the root, also starts two powershell.exe processes and cmd.exe (the same three signatures plus 3 others). Each of those powershell.exe processes starts csc.exe and conhost.exe; the csc.exe instances drop C:\Users\user\AppData\Local\...\omwceikp.dll and C:\Users\user\AppData\Local\...\c3iemwx0.dll (both PE32) and then start cvtres.exe.
The powershell.exe under the first wscript.exe (signature: Loading BitLocker PowerShell Module) starts conhost.exe, cvtres.exe and a further wscript.exe. That wscript.exe connects to a2b5caf8.bond (217.60.248.91 on ports 49722, 49727 and 49731; TCIIR, Iran) and carries the signatures System process connects to network (likely due to code injection or exploit); Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 3 other signatures.
It in turn starts two powershell.exe processes and cmd.exe. The first powershell.exe drops C:\Users\user\AppData\...\m5rqjgsa.cmdline (Unicode) and installs a global keyboard hook; both powershell.exe processes start csc.exe and conhost.exe, and the csc.exe instances drop C:\Users\user\AppData\Local\...\m5rqjgsa.dll and C:\Users\user\AppData\Local\...\vql1342q.dll (both PE32), the latter then starting cvtres.exe.
Threat name: Win32.Infostealer.Tinba
Status: Malicious
First seen: 2026-03-22 04:55:37 UTC
File Type: PE (Exe)
Extracted files: 18
AV detection: 13 of 36 (36.11%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: discovery execution
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks computer location settings
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Process spawned unexpected child process
Unpacked files
SHA256 hash: e54d1745cf9b6690642c4eccb7720c21468c4cd8bc73d5c4f542b6db69970ef0
MD5 hash: b346af9c285e8541d567a4fb49672434
SHA1 hash: 7d529d001c5a333bcd5cb4674a6881f46cf8592c
Malware family: MintsLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SelfExtractingRAR
Author: Xavier Mertens
Description: Detects an SFX archive with automatic script execution

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author: CYFARE
Description: Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference: https://cyfare.net/

Rule name: VECT_Ransomware
Author: Mustafa Bakhit
Description: Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments