MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb03106fc4ffe1d6580fa7a18cde415991d1a3992ce1b5d4bdb25f4906d38e5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DocSaStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 25 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eb03106fc4ffe1d6580fa7a18cde415991d1a3992ce1b5d4bdb25f4906d38e5d
SHA3-384 hash: 47ab4ff66ce8c0ebf5ea6051c2a7f272c679d4604d5bc1c1bc10e344da32842b83f5a9ba2d49e7b83b8d8ea946539242
SHA1 hash: 19d1ca835f3c3f13c72c85811dd4ecfe72cc92dc
MD5 hash: 713e9e89cf4f2508ea7fbaa36cb15fb3
humanhash: nine-bulldog-summer-carbon
File name:Voltrix.exe
Download: download sample
Signature DocSaStealer
Create hunting rule
File size:2'027'040 bytes
First seen:2026-06-06 09:50:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c2d457ad8ac36fc9f18d45bffcd450c2 (24 x CobaltStrike, 8 x Sliver, 5 x Lazarus)
ssdeep 24576:B7S5IETNmYlOL1LTnk5eojuB+tjx8u02IYuXngK4sdgStUBR9zqVJ5:yIETNmYkLTnk5eojtPIVGsdrUBMv
TLSH T1EF956B4BBCE014B9C0AAD736896665927E71BC440F3223D72E90B37C2FB2BD09A75754
TrID 33.1% (.EXE) Win64 Executable (generic) (6522/11/2)
25.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.4% (.ICL) Windows Icons Library (generic) (2059/9)
10.3% (.EXE) OS/2 Executable (generic) (2029/13)
10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon 29f0f0e0ccf0f029 (1 x DocSaStealer)
Reporter burger
Tags:DocSaStealer exe signed

Code Signing Certificate

Organisation:Enterprise Center
Issuer:Enterprise Center
Algorithm:sha256WithRSAEncryption
Valid from:2026-06-05T10:39:32Z
Valid to:2027-06-05T10:49:33Z
Serial number: 184eebab9756d6ac42186f490b36a85e
Thumbprint Algorithm:SHA256
Thumbprint: 30db07c69bc2630b5b54f9c9aaab86e16772c9abbd7b74d7d366d453f4d7802f
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
163
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
https://share.google/0LxchBfl6PXPNJn7A
Verdict:
Malicious activity
Analysis date:
2026-06-06 02:44:53 UTC
Tags:
golang
Link:
https://app.any.run/tasks/3aaa8734-9d7d-48b3-a5e5-838015c8e207

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69300/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a23ed382f0f550abbf9edc9
Tags:
injection emotet obfusc crypt
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Launching a service
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context anti-vm crypto golang installer-heuristic packed signed
Link:
https://www.filescan.io/uploads/6a23ed65099ef368af239b48/reports/e98f1e8e-9c37-4a5b-bdf0-c73bcc060fa4/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/eb03106fc4ffe1d6580fa7a18cde415991d1a3992ce1b5d4bdb25f4906d38e5d
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-06-05T09:09:00Z UTC
Last seen:
2026-06-06T06:07:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/eb03106fc4ffe1d6580fa7a18cde415991d1a3992ce1b5d4bdb25f4906d38e5d/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/f6b96ee5-433e-48f9-b904-86e7a019a915
Result
Threat name:
DocSa Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1923992
Signature
AI detected suspicious PE digital signature
Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)
Creates / moves files in alternative data streams (ADS)
Creates an undocumented autostart registry key
Deletes itself after installation
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Potentially malicious time measurement code found
Sets debug register (to hijack the execution of another thread)
Suricata IDS alerts for network traffic
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Unusual module load detection (module proxying)
Yara detected DocSa Stealer by APT28
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1923992 Sample: Voltrix.exe Startdate: 06/06/2026 Architecture: WINDOWS Score: 100 31 proxy.willowfleet.click 2->31 33 polygon.drpc.org 2->33 35 health.hazelkit.one 2->35 45 Suricata IDS alerts for network traffic 2->45 47 Multi AV Scanner detection for dropped file 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 4 other signatures 2->51 8 Voltrix.exe 13 2->8         started        signatures3 process4 dnsIp5 41 158.94.208.44, 49703, 80 OMEGATECH-ASSC Germany 8->41 43 health.hazelkit.one 172.67.139.158, 443, 49694 CLOUDFLARENET-CloudflareIncUS Canada 8->43 25 C:\Users\user\AppData\...\nk03gw3k6u.exe, PE32+ 8->25 dropped 59 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 8->59 61 Creates / moves files in alternative data streams (ADS) 8->61 63 Found many strings related to Crypto-Wallets (likely being stolen) 8->63 65 10 other signatures 8->65 13 nk03gw3k6u.exe 1 9 8->13         started        17 chrome.exe 8->17         started        file6 signatures7 process8 file9 27 C:\Users\user\...\AppReadiness8bbe01.exe, PE32+ 13->27 dropped 29 :x (copy), PE32+ 13->29 dropped 67 Multi AV Scanner detection for dropped file 13->67 69 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 13->69 71 Creates / moves files in alternative data streams (ADS) 13->71 73 2 other signatures 13->73 19 AppReadiness8bbe01.exe 12 13->19         started        23 chrome.exe 17->23         started        signatures10 process11 dnsIp12 37 polygon.drpc.org 104.18.11.59, 443, 49704, 49705 CLOUDFLARENET-CloudflareIncUS Canada 19->37 39 proxy.willowfleet.click 104.21.8.126, 443, 49706 CLOUDFLARENET-CloudflareIncUS Canada 19->39 53 Multi AV Scanner detection for dropped file 19->53 55 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 19->55 57 Found direct / indirect Syscall (likely to bypass EDR) 19->57 signatures13
Score:
70%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/eb03106fc4ffe1d6580fa7a18cde415991d1a3992ce1b5d4bdb25f4906d38e5d
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eb03106fc4ffe1d6580fa7a18cde415991d1a3992ce1b5d4bdb25f4906d38e5d/
Verdict:
Susipicious
Link:
https://tip.neiki.dev/file/eb03106fc4ffe1d6580fa7a18cde415991d1a3992ce1b5d4bdb25f4906d38e5d
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5mbra36e77q5mwapu6qyzxsblgi5di4zftq3lvf5wjpusbwtrzoq._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/260606-lt5fbacx9n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Unpacked files
SH256 hash:
eb03106fc4ffe1d6580fa7a18cde415991d1a3992ce1b5d4bdb25f4906d38e5d
MD5 hash:
713e9e89cf4f2508ea7fbaa36cb15fb3
SHA1 hash:
19d1ca835f3c3f13c72c85811dd4ecfe72cc92dc
Link:
https://www.unpac.me/results/437df455-5937-4de2-8132-0870c7699dd6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/eb03106fc4ffe1d6580fa7a18cde415991d1a3992ce1b5d4bdb25f4906d38e5d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:Detect_Go_GOMAXPROCS
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:golang_duffcopy_amd64
Create hunting rule
Rule name:Golang_Find_CSC846
Create hunting rule
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:Golang_Find_CSC846_Simple
Create hunting rule
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:RemusStealer_GoPayload
Create hunting rule
Author:burger
Description:Detects RemusStealer Go-compiled payload
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Suspicious_Golang_Binary
Create hunting rule
Author:Tim Machac
Description:Triage: Golang-compiled binary with suspicious OS/persistence/network strings (not family-specific)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/69300/

Comments