MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fcc64b5263eb56df719d9ac9d73d6e7c07f23c5c81de0bcee3ed55d364520bd7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TelegramStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fcc64b5263eb56df719d9ac9d73d6e7c07f23c5c81de0bcee3ed55d364520bd7
SHA3-384 hash: 74aaa1ecd0315685582e6b81d43dba52fb61109d19f1edbeb99ec8066ea44b553e847a4913cfabf3c66b70be13e50d0a
SHA1 hash: 2f9128796f577b212cdcd581ea57b4fa559ddbd9
MD5 hash: 9dfc250298f5779436e17748250d3a60
humanhash: carpet-five-avocado-illinois
File name:AnyDesk_vip.exe
Download: download sample
Signature TelegramStealer
Create hunting rule
File size:4'161'024 bytes
First seen:2025-09-01 09:26:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 812c74bb7007893784ce4d42a40fcdfb (1 x TelegramStealer)
ssdeep 49152:cOUVOBgM75MukiXEevkDmvuMyatahJsU7y8PSv0/k0k7Pc1xP5YXlRBgdx0QjC:HJVm0rmsV0/k/cfP5+lRBgD
TLSH T116164B7129C240C6E0F7F5B03AD8AD98A9736A57C4F5F3DA6DC18F5D866B82008E76C1
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe TelegramStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
68
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
AnyDesk_vip.exe
Verdict:
Malicious activity
Analysis date:
2025-09-01 09:38:34 UTC
Tags:
stealer anydesk rmm-tool raven ims-api generic telegram
Link:
https://app.any.run/tasks/4f9133d3-e950-4450-a07b-06d2d5ee767c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/24483/
Detection(s):
Win.Malware.Zusy-10056513-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68b566c8eb163e0ec183f654
Tags:
ransomware spawn sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Creating a window
Launching the default Windows debugger (dwwin.exe)
Creating a file
Creating a file in the %temp% directory
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Unauthorized injection to a recently created process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug fingerprint microsoft_visual_cc packed threat
Link:
https://www.filescan.io/uploads/68b5672139a6221faa787483/reports/bbc52e1c-e3bd-4cb2-96e2-451d4ad9313b/overview
Verdict:
Malicious
Labled as:
HackTool/Injecter
Link:
https://www.hybrid-analysis.com/sample/fcc64b5263eb56df719d9ac9d73d6e7c07f23c5c81de0bcee3ed55d364520bd7
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-08-31T04:22:00Z UTC
Last seen:
2025-08-31T04:22:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/fcc64b5263eb56df719d9ac9d73d6e7c07f23c5c81de0bcee3ed55d364520bd7/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7d4e147f-0ad6-480e-b00e-b48e3c2c4cac
Result
Threat name:
Chrome Injector, Telegram Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1768812
Signature
Allocates memory in foreign processes
Bypasses PowerShell execution policy
Creates a thread in another existing process (thread injection)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Chrome Injector
Yara detected Telegram RAT
Yara detected Telegram Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1768812 Sample: AnyDesk_vip.exe Startdate: 01/09/2025 Architecture: WINDOWS Score: 100 40 api.telegram.org 2->40 42 Suricata IDS alerts for network traffic 2->42 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 50 7 other signatures 2->50 8 AnyDesk_vip.exe 19 2->8         started        11 svchost.exe 1 1 2->11         started        signatures3 48 Uses the Telegram API (likely for C&C communication) 40->48 process4 signatures5 52 Suspicious powershell command line found 8->52 54 Found many strings related to Crypto-Wallets (likely being stolen) 8->54 56 Bypasses PowerShell execution policy 8->56 58 4 other signatures 8->58 13 powershell.exe 26 8->13         started        17 curl.exe 1 8->17         started        20 chrome.exe 1 8->20         started        22 msedge.exe 4 8->22         started        process6 dnsIp7 34 C:\Users\user\...\user_RavenStealer.zip, Zip 13->34 dropped 60 Loading BitLocker PowerShell Module 13->60 24 conhost.exe 13->24         started        36 api.telegram.org 149.154.167.220, 443, 49700 TELEGRAMRU United Kingdom 17->36 38 127.0.0.1 unknown unknown 17->38 26 conhost.exe 17->26         started        28 WerFault.exe 2 20->28         started        30 chrome.exe 20->30         started        32 msedge.exe 22->32         started        file8 signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/fcc64b5263eb56df719d9ac9d73d6e7c07f23c5c81de0bcee3ed55d364520bd7
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/9dfc250298f5779436e17748250d3a60
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fcc64b5263eb56df719d9ac9d73d6e7c07f23c5c81de0bcee3ed55d364520bd7/
Threat name:
Win64.Trojan.Nekark
Create hunting rule
Status:
Malicious
First seen:
2025-08-31 09:12:30 UTC
File Type:
PE+ (Exe)
Extracted files:
16
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7tdewutd5nln64m5tle5oplopqd7epc4qhpaxtxd5vk5gzcsbplq._file
Result
Malware family:
n/a
Score:
  4/10
Tags:
n/a
Link:
https://tria.ge/reports/250901-le8jestmt4/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in Windows directory
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5d21ebc2-dac6-4bc6-8c77-9df72f63b74c
Unpacked files
SH256 hash:
6c47d7fb6ad95e6895450c0184c482df76d24722c65a977231cc4536fe5337a6
MD5 hash:
76cc6190ba2d284f97b8e8b61d598925
SHA1 hash:
acd61392856fe40669d508a57bf097ce09c9c700
Link:
https://www.unpac.me/results/d46befb4-56d1-4f0d-8788-25f645070819/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fcc64b5263eb56df719d9ac9d73d6e7c07f23c5c81de0bcee3ed55d364520bd7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:ReflectiveLoader
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:Internal Research
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TelegramStealer

Executable exe fcc64b5263eb56df719d9ac9d73d6e7c07f23c5c81de0bcee3ed55d364520bd7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3612570/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/24483/

Comments