MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa361c712381c82552952e348c36dca949329db6ea6088c7228c3884ebb0bfe7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BlackMatter

Vendor detections: 14

Intelligence 14 IOCs YARA 6 File information Comments

SHA256 hash:	fa361c712381c82552952e348c36dca949329db6ea6088c7228c3884ebb0bfe7
SHA3-384 hash:	4d1ad8f05afcd841ac56e4b3420e96bcab6fcdb264a708b9a671c04a55495382a5920238b64882d48207bae2b623cdaf
SHA1 hash:	c3927aaa94c768095fe983d5b46876fa080dca02
MD5 hash:	b72d50ea8dc21d86430efdcba9646d39
humanhash:	video-batman-muppet-bakerloo
File name:	file
Download:	download sample
Signature	BlackMatter Create hunting rule
File size:	149'504 bytes
First seen:	2026-06-10 13:09:03 UTC
Last seen:	2026-06-10 13:40:24 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	41fb8cb2943df6de998b35a9d28668e8 (156 x BlackMatter, 9 x LockBit, 1 x DragonForce)
ssdeep	3072:O6glyuxE4GsUPnliByocWepu7JFibU4BQu:O6gDBGpvEByocWeM7JFio4W
Threatray	2'518 similar samples on MalwareBazaar
TLSH	T1B8E37E21F212D0B3C87718F1273675B2F39E4D2C199A6857EAE80F9DBC648232F54997
TrID	20.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 19.8% (.EXE) Win64 Executable (generic) (6522/11/2) 15.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4504/4/1) 6.3% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
Reporter	Bitsight
Tags:	BlackMatter dropped-by-phorpiex exe

Bitsight

url: http://178.16.54.109/lb18.exe

Intelligence

File Origin

# of uploads :

# of downloads :

138

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

LockBit

Details

Link:

https://research.acce.ciphertechsolutions.com/results/c28219dc-b219-4e86-bb7f-1f1e4c51aa61/

Malware family:

n/a

ID:

File name:

_fa361c712381c82552952e348c36dca949329db6ea6088c7228c3884ebb0bfe7.exe

Verdict:

No threats detected

Analysis date:

2026-06-10 13:22:07 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a51552d9-c776-4c8e-96cd-8ac7f5d2283a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/70512/

Detection(s):

Win.Ransomware.LockBitBlack-10033143-1

Win.Ransomware.BlackMatter-9965914-0

Win.Ransomware.Lazy-10003135-0

YARA.CRAIU_Crime_Lockbit3_Ransomware.UNOFFICIAL

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a296229a15110463ee47d5b

Tags:

spawn

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Сreating synchronization primitives

Launching a service

Changing a file

Reading critical registry keys

Creating a file in the %AppData% directory

Creating a file in the %AppData% subdirectories

Moving a file to the %AppData% subdirectory

Modifies multiple files

Creating a file in the %temp% directory

Moving a file to the %temp% directory

Connection attempt

Using the Windows Management Instrumentation requests

Deleting a system file

Creating a window

Searching for the window

Stealing user critical data

Creating a file in the mass storage device

Forced shutdown of a system process

Forced shutdown of a browser

Encrypting user's files

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/fa361c712381c82552952e348c36dca949329db6ea6088c7228c3884ebb0bfe7

Malware family:

BlackMatter Ransomware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/618e42c6-c519-4814-8bfe-f7080f142bbb

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/fa361c712381c82552952e348c36dca949329db6ea6088c7228c3884ebb0bfe7

Gathering data

Detection:

lockbit

Link:

https://mwdb.cert.pl/sample/fa361c712381c82552952e348c36dca949329db6ea6088c7228c3884ebb0bfe7/

Threat name:

Win32.Ransomware.Lockbit

Status:

Malicious

First seen:

2026-06-10 13:10:55 UTC

File Type:

PE (Exe)

AV detection:

33 of 36 (91.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7i3by4jdqheckuuvfy2iynw4vfetfhnw5jqirrzcrq4ij25qx7tq._file

Verdict:

malicious

Label(s):

lockbit

BlackMatter

55cc603248b4c0858d18c029c500c2663394102b6b63b06cb147eab2168448ae

BlackMatter

a397bea4c70bf3264348c88fca652fcbb2d421832672fa58a790af67bf419469

BlackMatter

cdc7d79ae4215dccf60882afb6c3abee6b95d9db7c1587746fc8d533d1631e9d

BlackMatter

error

BlackMatter

+ 2'508 additional samples on MalwareBazaar

Result

Malware family:

lockbit

Score:

10/10

Tags:

family:lockbit defense_evasion discovery ransomware spyware stealer

Link:

https://tria.ge/reports/260610-qd933scw3m/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies Control Panel

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in System32 directory

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops desktop.ini file(s)

Enumerates connected drives

Indicator Removal: File Deletion

Checks computer location settings

Deletes itself

Executes dropped EXE

Reads user/profile data of web browsers

Renames multiple (1014) files with added filename extension

Unpacked files

SH256 hash:

fa361c712381c82552952e348c36dca949329db6ea6088c7228c3884ebb0bfe7

MD5 hash:

b72d50ea8dc21d86430efdcba9646d39

SHA1 hash:

c3927aaa94c768095fe983d5b46876fa080dca02

Detections:

triage_blackmatter_ransomware

triage_lockbit3_ransomware

triage_lockbit_ransomware

Link:

https://www.unpac.me/results/8e6cf2e1-d1ea-47ff-a76a-322ff89e2a6d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.82

Link:

https://yomi.yoroi.company/submissions/fa361c712381c82552952e348c36dca949329db6ea6088c7228c3884ebb0bfe7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CRIME_WIN32_RANSOM_BLACKMATTER Create hunting rule
Author:	Rony (@r0ny_123)
Description:	Detects Blackmatter ransomware

Rule name:	Darkside Create hunting rule
Author:	@bartblaze
Description:	Identifies Darkside ransomware.

Rule name:	Detect_all_IPv6_variants Create hunting rule
Author:	Bierchermuesli
Description:	Generic IPv6 catcher

Rule name:	lb_stack_string_decrypt_1 Create hunting rule
Author:	CTI Purple Team
Description:	This rule detects the code pattern of the Stack Strings decryption algorithm.

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.