MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f12727864186fc323d2fd833c8acb2ddaed553ad53419cc0618fe3c5bd7d019d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f12727864186fc323d2fd833c8acb2ddaed553ad53419cc0618fe3c5bd7d019d
SHA3-384 hash: aa5f3c05d856c8627973aab9eeac221b1eeb8f6666638d3cfea5fd101a209ca76cda2da5c3fe7d66ae9b1db60f5754c9
SHA1 hash: 45c2ae21bec956c84f915154e3ad0688f47ce35c
MD5 hash: d399d8af4e35dad453f12cf182b2f37a
humanhash: low-west-snake-mountain
File name:shrk.bin
Download: download sample
File size:5'605'306 bytes
First seen:2025-07-17 05:51:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fd76873c16ac481ae372d642880a9686
ssdeep 49152:/ToOEepr7CcgLFGSBqq8/NHMFCkBac70h+TlqjqfkZ77RgkfasKgksVAyhfyqAbX:/LEeVCcFNsCewMSNgki/UA3bS3vk
TLSH T17946CF33B644653EC6AB1A3A4933E22C9D3B7F6266168D1A57F1184CCF354802ABF747
TrID 39.9% (.EXE) InstallShield setup (43053/19/16)
38.5% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
dhash icon 78fadac7dafa6881
Reporter abuse_ch
Tags:bin exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
26
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
shrk.bin
Verdict:
Malicious activity
Analysis date:
2025-07-17 06:08:05 UTC
Tags:
auto-reg delphi
Link:
https://app.any.run/tasks/98b42d37-4eb1-4a1f-8bb1-4ac04f54bb26

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/14958/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68788f9884b37dd61eef1542
Tags:
shell sage blic
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Connection attempt
Sending a custom TCP request
Changing a file
Creating a file in the %AppData% subdirectories
Creating a window
Setting a single autorun event
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug embarcadero_delphi expired-cert fingerprint invalid-signature keylogger masquerade overlay overlay packed signed
Link:
https://www.filescan.io/uploads/68788f907bc45bdee1af437a/reports/38e28ae3-79ce-472c-bfc5-a9d4237982dc/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f12727864186fc323d2fd833c8acb2ddaed553ad53419cc0618fe3c5bd7d019d
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/9722de77-bc9a-4ffd-86ea-168c37ddb13f
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1738555
Signature
Connects to many ports of the same IP (likely port scanning)
Joe Sandbox ML detected suspicious sample
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1738555 Sample: shrk.bin.exe Startdate: 17/07/2025 Architecture: WINDOWS Score: 48 24 x.ss2.us 2->24 26 windowsupdateorg.live 2->26 28 3 other IPs or domains 2->28 36 Connects to many ports of the same IP (likely port scanning) 2->36 38 Joe Sandbox ML detected suspicious sample 2->38 8 shrk.bin.exe 1 25 2->8         started        12 asus_framework.exe 2->12         started        14 asus_framework.exe 2->14         started        signatures3 process4 dnsIp5 30 84.54.44.48, 49701, 49704, 49705 DZINET-ASRU Russian Federation 8->30 32 crt.rootg2.amazontrust.com 18.164.96.95, 49693, 80 MIT-GATEWAYSUS United States 8->32 34 3 other IPs or domains 8->34 22 C:\ProgramData\asus_framework.exe, PE32 8->22 dropped 16 cmd.exe 1 8->16         started        file6 process7 process8 18 conhost.exe 16->18         started        20 reg.exe 1 1 16->20         started       
Score:
60%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/f12727864186fc323d2fd833c8acb2ddaed553ad53419cc0618fe3c5bd7d019d
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/d399d8af4e35dad453f12cf182b2f37a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f12727864186fc323d2fd833c8acb2ddaed553ad53419cc0618fe3c5bd7d019d/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6etspbsbq36depjp3az4rlfs3wxnku5nknazzqdbr7r4lpl5agoq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
defense_evasion discovery persistence spyware trojan
Link:
https://tria.ge/reports/250717-gkvgjavyet/
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Adds Run key to start application
Executes dropped EXE
Verdict:
Malicious
Tags:
TA_Abused_Service
YARA:
n/a
Link:
https://app.threat.zone/submission/0eb44715-9a28-4fa2-92a7-1a666de5de95
Unpacked files
SH256 hash:
f12727864186fc323d2fd833c8acb2ddaed553ad53419cc0618fe3c5bd7d019d
MD5 hash:
d399d8af4e35dad453f12cf182b2f37a
SHA1 hash:
45c2ae21bec956c84f915154e3ad0688f47ce35c
Link:
https://www.unpac.me/results/c790fcb6-1240-4d05-bdda-a176e53af718/
SH256 hash:
71c2080a73f0244320d836c75fc144c834b914bc1bbf2b44d3dca7a07f236488
MD5 hash:
c2f7b9754a34a1f31ee8f01cc27401e8
SHA1 hash:
6256deaa17cd5bce3ac89dce5758fb16934ae3f4
Link:
https://www.unpac.me/results/c790fcb6-1240-4d05-bdda-a176e53af718/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.85
Link:
https://yomi.yoroi.company/submissions/f12727864186fc323d2fd833c8acb2ddaed553ad53419cc0618fe3c5bd7d019d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe f12727864186fc323d2fd833c8acb2ddaed553ad53419cc0618fe3c5bd7d019d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3581740/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3583769/
Cape
Cape
https://www.capesandbox.com/analysis/14958/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CreateStreamOnHGlobal
MULTIMEDIA_APICan Play Multimediagdi32.dll::StretchDIBits
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteW
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryA
kernel32.dll::LoadLibraryExW
kernel32.dll::LoadLibraryW
kernel32.dll::GetDriveTypeW
kernel32.dll::GetSystemInfo
kernel32.dll::GetStartupInfoW
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileW
kernel32.dll::GetFileAttributesW
kernel32.dll::FindFirstFileW
version.dll::GetFileVersionInfoSizeW
version.dll::GetFileVersionInfoW
WIN_BASE_USER_APIRetrieves Account Informationkernel32.dll::GetComputerNameW
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegConnectRegistryW
advapi32.dll::RegCreateKeyExW
advapi32.dll::RegDeleteKeyW
advapi32.dll::RegLoadKeyW
advapi32.dll::RegOpenKeyExW
advapi32.dll::RegQueryInfoKeyW
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::CreateMenu
user32.dll::EmptyClipboard
user32.dll::FindWindowExW
user32.dll::FindWindowW
user32.dll::OpenClipboard

Comments