MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff9fe19f2fe7148190131b48fc6e92a4a33569c990009edf87737e4cbe56cf29. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Pay2Key

Vendor detections: 17

SHA256 hash: ff9fe19f2fe7148190131b48fc6e92a4a33569c990009edf87737e4cbe56cf29
SHA3-384 hash: 869757d061ff2eb2713fc26f87e217c28e7420a74f16f9ac39b62f8a15a14abd30f33d6036575c59058ae89c0fc4c396
SHA1 hash: 701329d9ef8c36ef89e402d25ba1b76dcb2ff14b
MD5 hash: 6a53423827f43647cd5f0b23ab785f7e
humanhash: fifteen-lactose-uniform-six
File name: file
Signature Pay2Key
File size: 2'342'551 bytes
First seen: 2026-03-31 14:57:41 UTC
Last seen: 2026-03-31 16:28:34 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f6baa5eaa8231d4fe8e922a2e6d240ea (66 x CoinMiner, 22 x DCRat, 15 x LummaStealer)
ssdeep: 49152:AgwRW3PSS0qm4ZqQn+NNozrP4Fw+JGTb1/t08EHBDlW:AgwR8k2dnAezAw+Ji1/rUZW
Threatray: 53 similar samples on MalwareBazaar
TLSH: T1BEB5331137E3CCF5F589663225919BA23D9BFB2103E653DF3BDC2A9208205C5D9F0A96
TrID: 42.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      16.8% (.EXE) Win64 Executable (generic) (6522/11/2)
      13.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
      11.6% (.EXE) Win32 Executable (generic) (4504/4/1)
      5.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
dhash icon: 34f0c4c2d2c4c4d4 (4 x Mimic, 1 x Pay2Key)
Reporter: Bitsight
Tags: c dropped-by-gcleaner exe MIX7.file Pay2key


Bitsight
url: http://158.94.209.95/service

Intelligence


File Origin
# of uploads: 5
# of downloads: 124
Origin country: US
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2026-03-31 14:59:11 UTC
Tags: everything tool auto-reg auto generic smb ransomware pay2key

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 92.5%
Tags: obfusc shell sage
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a custom TCP request
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
Creating a file in the Program Files subdirectories
Launching cmd.exe command interpreter
Creating a service
Launching a service
Creating synchronization primitives
Creating a file
Moving a recently created file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Enabling autorun for a service
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: adaptive-context fingerprint installer keylogger masquerade microsoft_visual_cc obfuscated overlay overlay packed packer_detected
Verdict: Malicious
File Type: exe x32
First seen: 2026-03-31T18:09:00Z UTC
Last seen: 2026-04-01T15:49:00Z UTC
Hits: ~10
Detections: Trojan.PowerShell.Kriptik.sba BSS:HackTool.Win32.Yzon.a Trojan-Ransom.Win32.Mimic.sb Trojan-Ransom.Win32.Agent.sb Trojan.Win32.Agentb.tqma Trojan.PowerShell.Cobalt.sb HEUR:Trojan-Ransom.Win32.Generic HEUR:HackTool.Win64.NoDefender.a
Malware family: Mimic Ransomware
Verdict: Malicious
Verdict: Malware
YARA: 5 match(es)
Tags: DeObfuscated Executable PE (Portable Executable) PE File Layout PowerShell SFX 7z Win 32 Exe x86
Threat name: Win32.Ransomware.Pay2Key
Status: Malicious
First seen: 2026-03-31 14:58:20 UTC
File Type: PE (Exe)
Extracted files: 14
AV detection: 25 of 38 (65.79%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: discovery execution upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
UPX packed file
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Executes dropped EXE
Unpacked files
SHA256 hash: ff9fe19f2fe7148190131b48fc6e92a4a33569c990009edf87737e4cbe56cf29
MD5 hash: 6a53423827f43647cd5f0b23ab785f7e
SHA1 hash: 701329d9ef8c36ef89e402d25ba1b76dcb2ff14b

SHA256 hash: e37aa72bca3cecb9bdbe51cbd81ec1143bb17163088a1379a4ccb93f5d881e76
MD5 hash: 5cac4fe734fc8454ccb847e030beee38
SHA1 hash: 34298fe220e35f614b2c837cf1dc2604ab0882d6

SHA256 hash: ad80064f71d273967dcf0b14b9cd6e84d79a132231d619687d9266c7807bdfe0
MD5 hash: a35ee23aaab26afc575ac83df9572b57
SHA1 hash: 81ea38c694ce9702faddfb961f17c1bbf628a76d

SHA256 hash: 00b9c0120df0595184523a3620ef9b3c3e11fc0e61d366d7eeabb646647cfceb
MD5 hash: bd1f243ee2140f2f6118a7754ea02a63
SHA1 hash: cdf7dd7dd1771edcc473037af80afd7e449e30d9

SHA256 hash: 0377585ec50ed2e1b3d8519be272599f31024accd20b484ddae8240e09cc83b4
MD5 hash: 13d3997b43c3d5cbafb0ff10b6f0dee1
SHA1 hash: e650a76f3fa8d28e2ff3751ccf44d124ef2b82bd

SHA256 hash: 0a541663c31c478124001f574a3a2b6dfee902d1c720cb7099036cde2f25f351
MD5 hash: 67dcc7f8776450e7768ca362db0808f3
SHA1 hash: d04fe29bdc5f983ffb29c5c9aa68e81ce5541c9b
Detections: INDICATOR_SUSPICIOUS_GENRansomware INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM INDICATOR_SUSPICIOUS_ClearWinLogs INDICATOR_SUSPICIOUS_USNDeleteJournal

SHA256 hash: 61f777f7de5f691067a4fc8a4bcac453604f9f5e0f8326e38d0d4b918379a0ae
MD5 hash: bff56325423a7d8e03511b7de1dde8a4
SHA1 hash: 7b2c4930bcf1228aa45a851372d982a9d0a2b550

SHA256 hash: 49f23f83807913b84917cfdb800ac04d905fdc844f4b41b6aaf894506864355b
MD5 hash: 0faecd43382ab6f35d8b2be61939377e
SHA1 hash: c6295657d52bc5dc16fa2542be23dac7948fa400

SHA256 hash: 8d66f78c5627b4309b12e6294f04fa7bf959e2c37e6bb6c038e4d9996bf10172
MD5 hash: 21801ef8c698706b0803fb597a7fc609
SHA1 hash: de723b1444e3ce4ff3cbd2f2f5969578ee44061e

SHA256 hash: f457b1cb1b146ab07117e34dc50881ef787946a0311467d82469fdaa3e54884c
MD5 hash: 52b7073101ce2f83c85ed698f1ee0445
SHA1 hash: cd2f016c79de7d4bf20d1366cc9483b610b4ffc2

SHA256 hash: e273a05ae99bbf547c5f7fc0d027c416eeabe1829a8ece661f587d6d8965f8b7
MD5 hash: 91c0d86df5a6c28167839ba56c83288c
SHA1 hash: 2d2f65d854edfc55ab75dd4babf6e920a8573f48
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author: CYFARE
Description: Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference: https://cyfare.net/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Pay2Key: Executable exe ff9fe19f2fe7148190131b48fc6e92a4a33569c990009edf87737e4cbe56cf29 (this sample)
Dropped by: Gcleaner
Delivery method: Distributed via web download

Comments