MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 f99db7a12ab80b11c3fdec7bf6688e3f6a8d028fe07de01d5fd8fc5d5ac8a577. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
OverlordRAT
Vendor detections: 15
| SHA256 hash: | f99db7a12ab80b11c3fdec7bf6688e3f6a8d028fe07de01d5fd8fc5d5ac8a577 |
|---|---|
| SHA3-384 hash: | 85752ccc8ffd5fd6c9136a5aed095a4030d8d1f7b9babdbb8a9fb7b2b314b02282a8f35b81893395c5c0a081b353582e |
| SHA1 hash: | c779ca8d539832e84941e51c4e557a454680b984 |
| MD5 hash: | 9ac739f69647379eb083546f9c126bf3 |
| humanhash: | wyoming-massachusetts-artist-iowa |
| File name: | VMAX_spoof_cracked.exe |
| Download: | download sample |
| Signature | OverlordRAT |
| File size: | 51'343'872 bytes |
| First seen: | 2026-07-10 10:13:37 UTC |
| Last seen: | Never |
| File type: | |
| MIME type: | application/x-dosexec |
| imphash | ed8b780a3ce7ca4aba78a21f6bc3d4e0 (4 x OverlordRAT, 2 x RodexRMM, 1 x Chisel) |
| ssdeep | 393216:wu2mri78R33vqe6cA2z1m21UYxYGLeo2GBwsg2duWbq6YioaUrRKBA9Nrm2XE:wu2nG3fFAP2GtquWbLEKBCNr |
| TLSH | T1D0B74B53F8E22A85D4EAC570C772817BBB613C19077823D70691F7206F3ABD0AAB6745 |
| TrID | 33.1% (.EXE) Win64 Executable (generic) (6522/11/2) 25.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 10.4% (.ICL) Windows Icons Library (generic) (2059/9) 10.3% (.EXE) OS/2 Executable (generic) (2029/13) 10.1% (.EXE) Generic Win/DOS Executable (2002/3) |
| Magika | pebin |
| dhash icon | 20d06c3931100a0c (1 x OverlordRAT) |
| Reporter | |
| Tags: | exe OverlordRAT SilentNet |
Intelligence
File Origin
# of uploads :
1
# of downloads :
177
Origin country :
USVendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
VMAX_spoof_cracked.exe
Verdict:
Malicious activity
Analysis date:
2026-07-10 10:13:35 UTC
Tags:
auto-startup etherhiding silentnet stealer auto-reg overlord rat websocket golang arch-exec arch-doc python
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
96.5%
Tags:
phishing autorun
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
DNS request
Connection attempt
Sending a custom TCP request
Moving a file to the %AppData% subdirectory
Launching a process
Creating a process with a hidden window
Creating a file
Moving a recently created file
Deleting a recently created file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Creating a window
Delayed reading of the file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
adaptive-context crypto golang overlay packed reconnaissance
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-07-08T20:20:00Z UTC
Last seen:
2026-07-11T22:01:00Z UTC
Hits:
~100
Detections:
PDM:Trojan.Win32.Generic Trojan.Win32.Agent.sb Trojan-PSW.Agent.HTTP.C&C Trojan-Downloader.Win32.Agent.sb HEUR:Trojan.Win64.Convagent.gen HEUR:Trojan-Downloader.Win32.Magnar.gen Trojan-Dropper.Win32.FrauDrop.sb Trojan-Dropper.Win32.FrauDrop.amilx NetTool.cURLGet.HTTP.C&C
Result
Threat name:
n/a
Detection:
malicious
Classification:
adwa.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Creates autostart registry keys with suspicious names
Creates files with lurking names (e.g. Crack.exe)
Creates multiple autostart registry keys
Drops PE files to the startup folder
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Sigma detected: HackTool - Covenant PowerShell Launcher
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Uses Register-ScheduledTask to add task schedules
Behaviour
Behavior Graph:
Score:
96%
Verdict:
Malware
File Type:
PE
Gathering data
Verdict:
Malicious
Threat:
Family.XMRIG
Threat name:
Win64.Trojan.Ravartar
Status:
Malicious
First seen:
2026-07-09 00:45:48 UTC
File Type:
PE+ (Exe)
Extracted files:
8
AV detection:
16 of 37 (43.24%)
Threat level:
5/5
Detection(s):
Suspicious file
Result
Malware family:
xmrig
Score:
10/10
Tags:
family:xmrig defense_evasion discovery execution miner persistence privilege_escalation spyware stealer
Behaviour
Checks processor information in registry
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Modifies Windows Firewall
XMRig Miner payload
Family: xmrig
Malware family:
OverlordRAT
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
No further information available
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.