MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ecb47aceb80a05178d89bc01ba1923c52d4b6e67d37f2a13fc7be299cd05aa2a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 9



SHA256 hash: ecb47aceb80a05178d89bc01ba1923c52d4b6e67d37f2a13fc7be299cd05aa2a
SHA3-384 hash: c590996ceab6254e1516a9cc63b74e129be4df047dcea319d4e54d22c602e3565a2ee4916f7a1ce9c4cd093cab5c4818
SHA1 hash: be6bacacb8efcc0fc34192a73c0ab6ade90aebe6
MD5 hash: 20e283386181afdf0ca2b7dd3e4d2edd
humanhash: four-yankee-wyoming-purple
File name: tier0.dll
File size: 145'256 bytes
First seen: 2026-02-04 11:39:31 UTC
Last seen: 2026-02-04 12:50:49 UTC
File type: DLL dll
MIME type: application/x-dosexec
imphash 5526b43f221834dbe17a1672e3091184 (1 x Rhadamanthys, 1 x LummaStealer, 1 x ACRStealer)
ssdeep 3072:RhvV8BSyshdIYAdfMtbzaSlqGDe9tRuF9sw8eXClxz:RhrxhVAAzJRDOE9swZY
TLSH T1F3E36D33B615C171E59D03B868A56BBBC37BAD68CF7042C7A3849E7A1A305D32F31916
TrID 40.3% (.EXE) Win64 Executable (generic) (10522/11/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter burger
Tags: dll HIjackLoader

Intelligence


File Origin
# of uploads: 2
# of downloads: 87
Origin country: NL
Vendor Threat Intelligence
No detections
Verdict: Malicious
Score: 93.3%
Tags: injection obfusc virus
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug anti-vm expired-cert infostealer invalid-signature microsoft_visual_cc signed
Result
Gathering data
Verdict: Malicious
File Type: dll x32
First seen: 2026-01-31T13:25:00Z UTC
Last seen: 2026-02-02T06:49:00Z UTC
Hits: ~10
Detections: HEUR:Trojan.Win64.DllHijack.gen
Result
Threat name: n/a
Detection: malicious
Classification: n/a
Score: 48 / 100
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
[Behavior graph (ID 1863213): sample tier0.dll, start date 04/02/2026, architecture WINDOWS, score 48. Process tree: loaddll32.exe started cmd.exe, conhost.exe, rundll32.exe and 2 other processes; cmd.exe started rundll32.exe. DNS/IP nodes: shed.dual-low.part-0012.t-0009.t-msedge.net, part-0012.t-0009.t-msedge.net and 2 other IPs or domains. Signature: Multi AV Scanner detection for submitted file.]
Verdict: inconclusive
YARA: 5 match(es)
Tags: Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2026-01-31 18:19:52 UTC
File Type: PE (Dll)
Extracted files: 1
AV detection: 9 of 24 (37.50%)
Threat level: 5/5
Result
Malware family: n/a
Score: 5/10
Tags: discovery
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Unpacked files
SHA256 hash: ecb47aceb80a05178d89bc01ba1923c52d4b6e67d37f2a13fc7be299cd05aa2a
MD5 hash: 20e283386181afdf0ca2b7dd3e4d2edd
SHA1 hash: be6bacacb8efcc0fc34192a73c0ab6ade90aebe6
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: PE_Digital_Certificate
Author: albertzsigovits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

DLL dll ecb47aceb80a05178d89bc01ba1923c52d4b6e67d37f2a13fc7be299cd05aa2a (this sample)

Comments