MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f6e4b09ef788adef3f65fd2b99da8f5be5391be29471676dc07040a56c8fdfab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 3


Intelligence 3 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f6e4b09ef788adef3f65fd2b99da8f5be5391be29471676dc07040a56c8fdfab
SHA3-384 hash: 836dd2e0f80c8d6a8eb252de595b7f6808047ee5a1e169c60f50241795feab1e115fc8f48aa6840670d2fed2a082ae5e
SHA1 hash: 04ccc8f9f5e343f94ad9f41f08439b545d4b8486
MD5 hash: b5b603ff57142a454c3b0fb12eb8a4eb
humanhash: alabama-bulldog-skylark-seven
File name:Setup_File_31.494.76090.zip
Download: download sample
File size:43'240'050 bytes
First seen:2026-05-28 23:28:05 UTC
Last seen:Never
File type: zip
MIME type:application/zip
Note:This file is a password protected archive. The password is: 2026
ssdeep 786432:8Lfnns3J6tCEgRWUd9rs7s1CBf+MmzfaG14m9WjXaPn8fxGp99:8LvsWCpWUd9rsYCq4+aXaP8fxGpn
TLSH T193973302E67E8CE49358096A3CAFBD6B7C450C480DDF48796364A16DCDCB7AC78A25C7
TrID 60.0% (.WMZ) Windows Media Player skin (6000/1/1)
40.0% (.ZIP) ZIP compressed archive (4000/1)
Magika zip
Reporter aachum
Tags:akmuniverstall-top file-pumped OnyxC2 pw-2026 zip


Avatar
iamaachum
https://limewire.com/d/4WUQN#Fa6eZfJij1

OnyxC2 C2: https://akmuniverstall.top/backend/api/app.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
ES ES
File Archive Information

This file archive contains 2 file(s), sorted by their relevance:

File name:borlndmm.dll
Pumped file This file is pumped. MalwareBazaar has de-pumped it.
File size:133'297'536 bytes
SHA256 hash: 78945c844fc23dd3446cf17987edeeb6cc21986820c92df82a126af24a5a38d1
MD5 hash: f1b71a39ef5ba5b6f9890f41ceacae9e
De-pumped file size:55'297'536 bytes (Vs. original size of 133'297'536 bytes)
De-pumped SHA256 hash: aa0a144620467804767811f4db8a020743fd89a75d86c94342695c0d99414226
De-pumped MD5 hash: a18fe03c22b6b0727a170c55d8a4a4cc
MIME type:application/x-dosexec
File name:Setup_File_75.593.2113.exe
File size:3'567'528 bytes
SHA256 hash: 41999a3d0da035ff8068905c90235ea50121329cb0661e38d745974ebf5e3ae2
MD5 hash: cf64c7e2e3897ae5fce3d5414e3d1d27
MIME type:application/x-dosexec
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/2cbd27b3-9a06-47e0-b28c-30c10458cfb1/
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a18cf9d33dfa243d40a9b57
Tags:
n/a
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/f6e4b09ef788adef3f65fd2b99da8f5be5391be29471676dc07040a56c8fdfab
Verdict:
Unknown
File Type:
zip
Link:
https://opentip.kaspersky.com/f6e4b09ef788adef3f65fd2b99da8f5be5391be29471676dc07040a56c8fdfab/results?tab=lookup
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=63slbhxxrcw66p3f7uvztwuplpstsg7csrywo3oaobakk3ep36vq._file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Any_SU_Domain
Create hunting rule
Author:you
Description:Detect any reference to .su domains or subdomains
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_all_IPv6_variants
Create hunting rule
Author:Bierchermuesli
Description:Generic IPv6 catcher
Rule name:goLangMatch3
Create hunting rule
Rule name:goLangMatch4
Create hunting rule
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

zip f6e4b09ef788adef3f65fd2b99da8f5be5391be29471676dc07040a56c8fdfab

(this sample)

  
Link
https://tria.ge/260528-2v9dnadz2r/behavioral2
  
Delivery method
Distributed via web download

Comments