MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e89cb454b197eb77825d7f6ad2d6ce359c2adf004f6bed4b15ce7988a12ff6d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CyberStealer


Vendor detections: 14



SHA256 hash: e89cb454b197eb77825d7f6ad2d6ce359c2adf004f6bed4b15ce7988a12ff6d6
SHA3-384 hash: 75037ed37e80c327418ac54a32d13019e4523565eecd5690312dd47a8627c2db809407250c6518bb614a0daaf08666a3
SHA1 hash: 4d079255411ad14f5b44c9cba26a4a7f779095ed
MD5 hash: fbab91fae2e0cae22e6024d189e4a3e5
humanhash: cup-double-venus-mars
File name: e89cb454b197eb77825d7f6ad2d6ce359c2adf004f6bed4b15ce7988a12ff6d6.bin.exe
Signature CyberStealer
File size: 16'040'448 bytes
First seen: 2025-08-26 14:21:06 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 98304:8xclcbZ8QX2MG4dfNgi9BbBAlFNq7XG6gLiHn6SvW6/2tsRRElSMreHM7JGmbJMI:NlmZn9BClXq7W6gLiHn/uG2yElSzH4J
TLSH T179F6F52025D9AB03FD7ADFBD99CC76510F79B2913723EA384B5209E90ED1B18C8435A7
TrID 34.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
23.4% (.EXE) Win32 Executable (generic) (4504/4/1)
10.7% (.ICL) Windows Icons Library (generic) (2059/9)
10.5% (.EXE) OS/2 Executable (generic) (2029/13)
10.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags: CyberStealer exe

Intelligence


File Origin
# of uploads:
1
# of downloads:
57
Origin country:
SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e89cb454b197eb77825d7f6ad2d6ce359c2adf004f6bed4b15ce7988a12ff6d6.bin.exe
Verdict:
Malicious activity
Analysis date:
2025-08-26 10:31:28 UTC
Tags:
evasion stealer cyberstealer github crypto-regex loader auto generic arch-doc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating synchronization primitives
Sending a custom TCP request
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade obfuscated
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-08-26T07:35:00Z UTC
Last seen:
2025-08-26T07:35:00Z UTC
Hits:
~10
Detections:
PDM:Trojan.Win32.Generic HEUR:Backdoor.MSIL.AsyncRat.gen
Result
Threat name:
Predator, SugarDump, EICAR
Detection:
malicious
Classification:
rans.troj.spyw.evad.mine
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Bypasses PowerShell execution policy
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to harvest and steal browser information (history, passwords, etc)
Writes a notice file (html or txt) to demand a ransom
Yara detected AntiVM3
Yara detected Predator
Yara detected SugarDump
Behaviour
Behavior Graph:
Behavior Graph ID: 1765457, sample j2XKmMnd3o.exe, start date 26/08/2025, architecture WINDOWS, score 100. Top-level indicators: cyberispanec.live, ip-api.com, 2 other IPs or domains; Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 10 other signatures.
Process tree recovered from the graph:
  j2XKmMnd3o.exe (started) - Found many strings related to Crypto-Wallets (likely being stolen); Found strings related to Crypto-Mining
    RegAsm.exe (started) - contacts cyberispanec.live (172.67.204.238, port 443, CLOUDFLARENETUS, United States), ip-api.com (208.95.112.1, port 80, TUT-ASUS, United States) and 3 other IPs or domains; drops C:\Users\user\AppData\...\ZQIXMVQGAH.pdf, C:\Users\user\AppData\...\UOOJJOZIRH.docx, C:\Users\user\AppData\...\QCFWYSKMHA.jpg (all ASCII) and 4 other files (3 malicious); Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines); Writes a notice file (html or txt) to demand a ransom; Bypasses PowerShell execution policy; 5 other signatures
      powershell.exe (started) - Loading BitLocker PowerShell Module; spawns conhost.exe and WmiPrvSE.exe
      powershell.exe (started) - spawns conhost.exe
Verdict:
inconclusive
YARA:
11 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.52 Win 32 Exe x86
Threat name:
Win32.Trojan.Egairtigado
Status:
Malicious
First seen:
2025-08-26 10:31:26 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Result
Malware family:
cyber_stealer
Score:
  10/10
Tags:
family:cyber_stealer defense_evasion discovery execution spyware stealer
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks installed software on the system
Drops desktop.ini file(s)
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Modifies trusted root certificate store through registry
CyberStealer
Cyber_stealer family
Detects CyberStealer
Malware Config
C2 Extraction:
https://cyberispanec.live/webpanel/
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Unpacked files
SHA256 hash:
ac339deed84cafab79d2a4bc7b232849a0232b2664dbd56c12b5c90e90a91c32
MD5 hash:
f532e03f70df6dd099be185f501d9fe0
SHA1 hash:
a637e7559d9e4963b74ce29bdf30dc4632e574f2
SHA256 hash:
84edf34634fe7e45a9e8b5a0ebabed0b0efbd454b08d2bc894a1c3316969e9e0
MD5 hash:
994b1026a170c31c3c247894eb73c57a
SHA1 hash:
4a6043c00d15e3c532e2881b88e85662d469d02d
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
SHA256 hash:
72effe5efc0974297e3046a65cdbf6b9f23cf2df5ec17f8ff5a46fb5ea76ee02
MD5 hash:
9b98d161f0c96b03bd8aecf26b04c17a
SHA1 hash:
7dc5a2f2c2847239caa551bc705407cea96a52c6
Detections:
win_quasar_rat_client INDICATOR_SUSPICIOUS_Binary_References_Browsers INDICATOR_SUSPICIOUS_EXE_References_PasswordManagers
SHA256 hash:
e89cb454b197eb77825d7f6ad2d6ce359c2adf004f6bed4b15ce7988a12ff6d6
MD5 hash:
fbab91fae2e0cae22e6024d189e4a3e5
SHA1 hash:
4d079255411ad14f5b44c9cba26a4a7f779095ed
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:CP_AllMal_Detector
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:NET
Author:malware-lu
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:pe_imphash
Rule name:RANSOMWARE
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CyberStealer

Executable exe e89cb454b197eb77825d7f6ad2d6ce359c2adf004f6bed4b15ce7988a12ff6d6

(this sample)

  
Delivery method
Distributed via web download

Comments