MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ecfa83c19ea59af4d8b472981f852a144f89aa8c4f6a7def2262a500f801d518. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 12

SHA256 hash: ecfa83c19ea59af4d8b472981f852a144f89aa8c4f6a7def2262a500f801d518
SHA3-384 hash: 04e9632f16c74ff8a288bdf2a66d373124bcaaa125a3f45749dd0311429705ac215f0b5267afe64e87f85d8af82f83ff
SHA1 hash: 072cc736efe7f6d043001ba1558547a20fc9da14
MD5 hash: 967d3848795f29a6877d2d7b2a69ceb8
humanhash: alabama-carpet-grey-speaker
File name: GB.exe
File size: 8'856'220 bytes
First seen: 2026-04-14 21:58:46 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep: 196608:b+sfnRmt4uRlPGH+qCdUenGcXqc46DWNxTNvN1ZGkzp0jz5r:b+anRs4uruBe7bXr6NbvNGB
TLSH: T16D963341BAC080B2C97719750125AB29647859601E41FD2FAFD05E18BE336F3AF69BF3
TrID:
  90.2% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
  2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  2.2% (.EXE) Win64 Executable (generic) (6522/11/2)
  1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
  1.5% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
dhash icon: 71e0c6d2f0f0d868
Reporter: jvcarmona

Intelligence


File Origin
# of uploads: 1
# of downloads: 51
Origin country: BR
Vendor Threat Intelligence
Malware configuration found for: Archives

Details:
  Archives: SFX commands and extracted archive contents
  Archives: extracted archive contents and possibly extra area records exploiting CVE-2025-8088
Malware family: n/a
ID: 1
File name: _ecfa83c19ea59af4d8b472981f852a144f89aa8c4f6a7def2262a500f801d518.exe
Verdict: Malicious activity
Analysis date: 2026-04-14 22:00:24 UTC
Tags: auto-sch auto-reg

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: autorun emotet

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
DNS request
Launching a process
Creating a file in the Windows subdirectories
Loading a suspicious library
Connection attempt
Forced system process termination
Launching a tool to kill processes
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Verdict: Malicious
File Type: exe x32
First seen: 2024-06-03T22:15:00Z UTC
Last seen: 2026-04-16T04:44:00Z UTC
Hits: ~10
Detections: Trojan.Win32.Prilex.gfx Worm.Win32.VBNA.b Trojan.Win32.Agent.sb HEUR:Trojan.Win32.Prilex.gen Trojan.Win32.Prilex.gfo PDM:Trojan.Win32.Generic Trojan.Win32.Prilex.be Trojan.Win32.Prilex.sb HEUR:Trojan.BAT.Alien.gen Trojan.Win32.Agentb.lgsf
Threat name: Win32.Trojan.Prilex
Status: Malicious
First seen: 2024-08-01 01:02:44 UTC
File Type: PE (Exe)
Extracted files: 105
AV detection: 21 of 36 (58.33%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: defense_evasion discovery execution persistence
Behaviour
Enumerates system info in registry
Kills process with taskkill
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in System32 directory
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files

SHA256 hash: ecfa83c19ea59af4d8b472981f852a144f89aa8c4f6a7def2262a500f801d518
MD5 hash: 967d3848795f29a6877d2d7b2a69ceb8
SHA1 hash: 072cc736efe7f6d043001ba1558547a20fc9da14

SHA256 hash: 87d2f19e0e4ae61773b451ad383124b74f8ec93d2afda85a7907974174b3425a
MD5 hash: 460ba753f8fd903b203dd26e4d10c781
SHA1 hash: 64eff91f8b0898f14ac195e2c11eb63cd25480a6

SHA256 hash: a86bb66f857192486751e8168bdb17ab0b91646730811d34f1bc54402ad7b94f
MD5 hash: c5c3746f016dd660c1a5667ea38b7a56
SHA1 hash: 85dd21e64c27a2ea529e3612c2d7cad13984e5c6

SHA256 hash: bbfe678634c0212a5e857f397b7b121383b1b9501b5dcf311cab63c79dee96dc
MD5 hash: 2aaf0a410b13d6865d8a220987307c6b
SHA1 hash: 2bf6b64fc63dd76e78a1828fd45a27264521d19f

SHA256 hash: 3912c69506632f1b6071f987d7850d0b5ff55e3746f3607aec56a4e06fd713f6
MD5 hash: 42478c7ddb7a592fea0f873aa2c2aba4
SHA1 hash: 5c89d5f9ee84c00be90a4e171e8048aa87b3a91f

SHA256 hash: bdf4e90c9d10eb5f90399a7799511299beea28e1c8b136ee66d1dd809cc7969c
MD5 hash: b00897aebae7eb44d961e5b8cc1e80b4
SHA1 hash: 37866a1608a02b05fb47d617c6627ddae67e51a0

SHA256 hash: 89299f2c2dd54da1a4a874684a846b26c1c1f64a7399931171d73a9bd498086e
MD5 hash: ab122baf6e36fea643a6591a25f99067
SHA1 hash: 8434a405eae4de2077c0a2a91f95e4e190df5df4
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SelfExtractingRAR
Author: Xavier Mertens
Description: Detects an SFX archive with automatic script execution

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author: CYFARE
Description: Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference: https://cyfare.net/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments