MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e87df996786ff1613b8550abf66de6456faaf7e1a26e9217cd17a2f5a6caad50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

KeshXrdStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 16 File information Comments

SHA256 hash:	e87df996786ff1613b8550abf66de6456faaf7e1a26e9217cd17a2f5a6caad50
SHA3-384 hash:	ec3157bdc6a18781e7bbf70c8fcacf8773352afaf1895e6e2fe4454ac176e8fcfb0f6feddba83a81f72f62d55c1ca7fe
SHA1 hash:	2df125d457121e46323ab36f5a60d3aa6ad48972
MD5 hash:	facff72b6a876d605b1854be16f21d44
humanhash:	louisiana-louisiana-nevada-burger
File name:	e87df996786ff1613b8550abf66de6456faaf7e1a26e9217cd17a2f5a6caad50
Download:	download sample
Signature	KeshXrdStealer Create hunting rule
File size:	1'632'768 bytes
First seen:	2026-05-12 18:48:18 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 60 x CobaltStrike, 44 x JanelaRAT)
ssdeep	49152:b8t85ftfAu4+hgfAxPOxJvROaYR86unXjkv:au4+AAGbvROaYyFnA
TLSH	T14375F119E7E805E9E1FBD678C8224506C772F80A0B31EB8F079959D91F337909D39B22
TrID	21.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 21.2% (.EXE) Win64 Executable (generic) (6522/11/2) 16.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 14.6% (.EXE) Win32 Executable (generic) (4504/4/1) 6.6% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	Threatray
Tags:	dll KeshXrdStealer

Intelligence

File Origin

# of uploads :

# of downloads :

135

Origin country :

Vendor Threat Intelligence

No detections

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/65744/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a037607aa2b27a55c89c740

Tags:

infosteal vmdetect

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug anti-vm anti-vm base64 evasive eventvwr fingerprint lolbin obfuscated packed reconnaissance reconnaissance

Link:

https://www.filescan.io/uploads/6a03760f2fcb905ec2922a02/reports/79ebb5e3-a90f-461b-8862-b5bf7dadd292/overview

Verdict:

Malicious

Labled as:

Win64_HackTool_PSWDump_P_trojan

Link:

https://www.hybrid-analysis.com/sample/e87df996786ff1613b8550abf66de6456faaf7e1a26e9217cd17a2f5a6caad50

Verdict:

Malicious

File Type:

executable.pe.32.dll

First seen:

2026-04-22T00:36:00Z UTC

Last seen:

2026-05-14T03:30:00Z UTC

Hits:

~10

Detections:

Trojan.MSIL.Agent.sb HEUR:Exploit.MSIL.BypassUAC.c

Link:

https://opentip.kaspersky.com/e87df996786ff1613b8550abf66de6456faaf7e1a26e9217cd17a2f5a6caad50/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/9a237a51-cd54-4066-84cc-989627524f55

Score:

63%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/e87df996786ff1613b8550abf66de6456faaf7e1a26e9217cd17a2f5a6caad50

Verdict:

inconclusive

YARA:

6 match(es)

Tags:

.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.27 Win 32 Exe x86

Link:

https://app.malva.re/file/facff72b6a876d605b1854be16f21d44

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e87df996786ff1613b8550abf66de6456faaf7e1a26e9217cd17a2f5a6caad50/

Verdict:

Malicious

Threat:

Exploit.MSIL.BypassUAC

Link:

https://tip.neiki.dev/file/e87df996786ff1613b8550abf66de6456faaf7e1a26e9217cd17a2f5a6caad50

Threat name:

Win32.Trojan.Jalapeno

Status:

Malicious

First seen:

2026-04-22 07:53:30 UTC

File Type:

PE (.Net Dll)

Extracted files:

AV detection:

20 of 36 (55.56%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5b67tftyn7ywco4fkcv7m3pgivx2v57bujxjef6nc6rpljwkvvia._file

Verdict:

malicious

Label(s):

keshxrdstealer

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/260512-xf2ytacw6n/

Unpacked files

SH256 hash:

e87df996786ff1613b8550abf66de6456faaf7e1a26e9217cd17a2f5a6caad50

MD5 hash:

facff72b6a876d605b1854be16f21d44

SHA1 hash:

2df125d457121e46323ab36f5a60d3aa6ad48972

Link:

https://www.unpac.me/results/546ade29-bf31-4627-ac16-862c27338182/

SH256 hash:

88043db62a7dbf4f482cc1478776186e34ec26477361156e3f8a2baf2f12dfe0

MD5 hash:

05c910bb6fbc5030e536b711025c6a2c

SHA1 hash:

f8b98c2450d8121b0f44cb537aca039d31bc7901

Link:

https://www.unpac.me/results/546ade29-bf31-4627-ac16-862c27338182/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	Glasses Create hunting rule
Author:	Seth Hardy
Description:	Glasses family

Rule name:	GlassesCode Create hunting rule
Author:	Seth Hardy
Description:	Glasses code features

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing base64 encoded User Agent

Rule name:	INDICATOR_SUSPICIOUS_EXE_DiscordURL Create hunting rule
Author:	ditekSHen
Description:	Detects executables Discord URL observed in first stage droppers

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	INDICATOR_SUSPICIOUS_VM_Evasion_VirtDrvComb Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing combination of virtualization drivers

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Link

https://x.com/ThreatrayLabs/status/2054189465720005045

Cape

https://www.capesandbox.com/analysis/65744/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample