MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f99db7a12ab80b11c3fdec7bf6688e3f6a8d028fe07de01d5fd8fc5d5ac8a577. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



OverlordRAT


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments

SHA256 hash: f99db7a12ab80b11c3fdec7bf6688e3f6a8d028fe07de01d5fd8fc5d5ac8a577
SHA3-384 hash: 85752ccc8ffd5fd6c9136a5aed095a4030d8d1f7b9babdbb8a9fb7b2b314b02282a8f35b81893395c5c0a081b353582e
SHA1 hash: c779ca8d539832e84941e51c4e557a454680b984
MD5 hash: 9ac739f69647379eb083546f9c126bf3
humanhash: wyoming-massachusetts-artist-iowa
File name:VMAX_spoof_cracked.exe
Download: download sample
Signature OverlordRAT
File size:51'343'872 bytes
First seen:2026-07-10 10:13:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ed8b780a3ce7ca4aba78a21f6bc3d4e0 (4 x OverlordRAT, 2 x RodexRMM, 1 x Chisel)
ssdeep 393216:wu2mri78R33vqe6cA2z1m21UYxYGLeo2GBwsg2duWbq6YioaUrRKBA9Nrm2XE:wu2nG3fFAP2GtquWbLEKBCNr
TLSH T1D0B74B53F8E22A85D4EAC570C772817BBB613C19077823D70691F7206F3ABD0AAB6745
TrID 33.1% (.EXE) Win64 Executable (generic) (6522/11/2)
25.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.4% (.ICL) Windows Icons Library (generic) (2059/9)
10.3% (.EXE) OS/2 Executable (generic) (2029/13)
10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon 20d06c3931100a0c (1 x OverlordRAT)
Reporter burger
Tags:exe OverlordRAT SilentNet

Intelligence


File Origin
# of uploads :
1
# of downloads :
177
Origin country :
US US
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
VMAX_spoof_cracked.exe
Verdict:
Malicious activity
Analysis date:
2026-07-10 10:13:35 UTC
Tags:
auto-startup etherhiding silentnet stealer auto-reg overlord rat websocket golang arch-exec arch-doc python

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
96.5%
Tags:
phishing autorun
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
DNS request
Connection attempt
Sending a custom TCP request
Moving a file to the %AppData% subdirectory
Launching a process
Creating a process with a hidden window
Creating a file
Moving a recently created file
Deleting a recently created file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Creating a window
Delayed reading of the file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context crypto golang overlay packed reconnaissance
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-07-08T20:20:00Z UTC
Last seen:
2026-07-11T22:01:00Z UTC
Hits:
~100
Detections:
PDM:Trojan.Win32.Generic Trojan.Win32.Agent.sb Trojan-PSW.Agent.HTTP.C&C Trojan-Downloader.Win32.Agent.sb HEUR:Trojan.Win64.Convagent.gen HEUR:Trojan-Downloader.Win32.Magnar.gen Trojan-Dropper.Win32.FrauDrop.sb Trojan-Dropper.Win32.FrauDrop.amilx NetTool.cURLGet.HTTP.C&C
Result
Threat name:
n/a
Detection:
malicious
Classification:
adwa.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Creates autostart registry keys with suspicious names
Creates files with lurking names (e.g. Crack.exe)
Creates multiple autostart registry keys
Drops PE files to the startup folder
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Sigma detected: HackTool - Covenant PowerShell Launcher
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Uses Register-ScheduledTask to add task schedules
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1940485 Sample: VMAX_spoof_cracked.exe Startdate: 10/07/2026 Architecture: WINDOWS Score: 100 149 rpc-mainnet.matic.quiknode.pro 2->149 151 www.python.org 2->151 153 7 other IPs or domains 2->153 163 Suricata IDS alerts for network traffic 2->163 165 Antivirus / Scanner detection for submitted sample 2->165 167 Multi AV Scanner detection for submitted file 2->167 169 2 other signatures 2->169 10 ovd_acb9e296e3b7.exe 2->10         started        14 VMAX_spoof_cracked.exe 1 8 2->14         started        17 ovd_acb9e296e3b7.exe 2->17         started        19 5 other processes 2->19 signatures3 process4 dnsIp5 99 C:\Users\user\AppData\...\agent-685531544.tmp, PE32+ 10->99 dropped 109 2 other malicious files 10->109 dropped 173 Suspicious powershell command line found 10->173 175 Creates files with lurking names (e.g. Crack.exe) 10->175 21 cmd.exe 10->21         started        36 2 other processes 10->36 161 skarn.cc 172.67.186.163, 443, 49728 CLOUDFLARENET-CloudflareIncUS Canada 14->161 101 C:\Users\user\...\ovd_3ed3c9cf1f2a.exe (copy), PE32+ 14->101 dropped 103 C:\Users\user\...\agent-4051716655.tmp, PE32+ 14->103 dropped 111 6 other files (3 malicious) 14->111 dropped 177 Protects its processes via BreakOnTermination flag 14->177 179 Creates autostart registry keys with suspicious names 14->179 181 Creates multiple autostart registry keys 14->181 183 Uses Register-ScheduledTask to add task schedules 14->183 23 cmd.exe 1 14->23         started        25 powershell.exe 14->25         started        28 cmd.exe 1 14->28         started        105 C:\Users\user\...\agent-3610768482.tmp, PE32+ 17->105 dropped 113 2 other malicious files 17->113 dropped 30 cmd.exe 17->30         started        32 cmd.exe 17->32         started        107 C:\Users\user\...\agent-2720192165.tmp, PE32+ 19->107 dropped 115 7 other files (3 malicious) 19->115 dropped 185 Drops PE files to the startup folder 19->185 34 cmd.exe 19->34         started        38 2 other processes 19->38 file6 signatures7 process8 signatures9 42 2 other processes 21->42 47 2 other processes 23->47 171 Loading BitLocker PowerShell Module 25->171 40 conhost.exe 25->40         started        49 2 other processes 28->49 51 2 other processes 30->51 53 2 other processes 32->53 55 2 other processes 34->55 57 3 other processes 36->57 59 3 other processes 38->59 process10 dnsIp11 155 132.145.155.63, 443, 49712, 49721 ORACLE-BMC-31898-OracleCorporationUS United States 42->155 117 C:\Users\user\AppData\Local\...\main.py, Python 42->117 dropped 61 python.exe 42->61         started        64 curl.exe 42->64         started        157 rpc-mainnet.matic.quiknode.pro 150.136.141.142, 443, 49694, 49760 ORACLE-BMC-31898-OracleCorporationUS United States 47->157 159 polygon-rpc.com 198.178.224.35, 443, 49693, 49711 LATITUDE-SH-LatitudeshUS United States 47->159 67 tar.exe 36 47->67         started        69 python.exe 1033 47->69         started        71 curl.exe 2 47->71         started        73 curl.exe 2 47->73         started        75 python.exe 51->75         started        77 curl.exe 51->77         started        187 Found direct / indirect Syscall (likely to bypass EDR) 55->187 79 curl.exe 55->79         started        file12 signatures13 process14 dnsIp15 119 C:\Users\user\AppData\Local\...\pip3.exe, PE32+ 61->119 dropped 121 C:\Users\user\AppData\Local\...\pip.exe, PE32+ 61->121 dropped 123 C:\Users\user\AppData\Local\...\pip3.12.exe, PE32+ 61->123 dropped 133 378 other files (none is malicious) 61->133 dropped 93 2 other processes 61->93 137 151.101.0.175, 443, 49715, 49724 FASTLY-FastlyIncUS Canada 64->137 81 conhost.exe 64->81         started        125 C:\Users\user\AppData\Local\...\winsound.pyd, PE32+ 67->125 dropped 127 C:\Users\user\AppData\...\vcruntime140_1.dll, PE32+ 67->127 dropped 129 C:\Users\user\AppData\...\vcruntime140.dll, PE32+ 67->129 dropped 135 28 other files (none is malicious) 67->135 dropped 83 conhost.exe 67->83         started        139 151.101.0.223, 443, 49719, 49751 FASTLY-FastlyIncUS Canada 69->139 141 pypi.org 151.101.128.223, 443, 49718, 49726 FASTLY-FastlyIncUS Canada 69->141 95 2 other processes 69->95 143 dualstack.c.ssl.global.fastly.net 151.101.128.175, 443, 49710 FASTLY-FastlyIncUS Canada 71->143 131 C:\Users\user\AppData\Local\...\get-pip.py, Python 71->131 dropped 85 conhost.exe 71->85         started        145 dualstack.python.map.fastly.net 151.101.64.223, 443, 49697 FASTLY-FastlyIncUS Canada 73->145 147 127.0.0.1 unknown unknown 73->147 87 conhost.exe 73->87         started        97 2 other processes 75->97 89 conhost.exe 77->89         started        91 conhost.exe 79->91         started        file16 process17
Gathering data
Threat name:
Win64.Trojan.Ravartar
Status:
Malicious
First seen:
2026-07-09 00:45:48 UTC
File Type:
PE+ (Exe)
Extracted files:
8
AV detection:
16 of 37 (43.24%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:xmrig defense_evasion discovery execution miner persistence privilege_escalation spyware stealer
Behaviour
Checks processor information in registry
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Modifies Windows Firewall
XMRig Miner payload
Family: xmrig
Malware family:
OverlordRAT
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments