MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fff48b44c7afcf52fd59afdad027262fbed0d95597b0dfd25eaf518bd4ea929a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MaksRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fff48b44c7afcf52fd59afdad027262fbed0d95597b0dfd25eaf518bd4ea929a
SHA3-384 hash: ead048b9dcd5d85a960a7b26239d6ea363258f8c3c0da4dc91058beab43ccedbd1602e66aa31cb52d3e6487a1a7cd1a3
SHA1 hash: c8de4b1aa279ac024c15af0b8807ae17901540dd
MD5 hash: 46d05fdaa78f76e0c4cb99f11edc55eb
humanhash: delaware-dakota-six-butter
File name:fff48b44c7afcf52fd59afdad027262fbed0d95597b0dfd25eaf518bd4ea929a.jar
Download: download sample
Signature MaksRAT
Create hunting rule
File size:22'621'794 bytes
First seen:2025-12-10 07:01:05 UTC
Last seen:Never
File type:Java file jar
MIME type:application/java-archive
ssdeep 393216:QC459yivP7z2sxqGZMW2iLmvepm4YzkLW6apagpN0aA+Z3X57+ym8Wex4wv:viflxqGZh7CfdMQVA+pa7Y
TLSH T14D371217BEE4D02AED134E7AA0D5C592942D10D8D48BD01F0BA449E98A64DCB07FBFED
TrID 51.7% (.SPE) SPSS Extension (30000/1/7)
23.2% (.JAR) Java Archive (13500/1/2)
18.1% (.SH3D) Sweet Home 3D Design (generic) (10500/1/3)
6.8% (.ZIP) ZIP compressed archive (4000/1)
Magika jar
Reporter JAMESWT_WT
Tags:avocado-gay jar maksrat

Intelligence

File Origin
# of uploads :
1
# of downloads :
114
Origin country :
IT IT
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
fff48b44c7afcf52fd59afdad027262fbed0d95597b0dfd25eaf518bd4ea929a.jar
Verdict:
Malicious activity
Analysis date:
2025-12-10 07:17:05 UTC
Tags:
java auto-reg stealer maksrat rat remote arch-doc
Link:
https://app.any.run/tasks/39c0b0d0-e795-4906-91af-c022364eeacc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/44065/
Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69391acfa675b653bd0f9bc0
Tags:
n/a
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/fff48b44c7afcf52fd59afdad027262fbed0d95597b0dfd25eaf518bd4ea929a
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/fff48b44c7afcf52fd59afdad027262fbed0d95597b0dfd25eaf518bd4ea929a
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
File Type:
jar
First seen:
2025-12-10T04:37:00Z UTC
Last seen:
2025-12-10T08:11:00Z UTC
Hits:
~10
Detections:
Trojan-PSW.Win64.Stealer.sb Trojan-Dropper.Win32.Dapato.sb Trojan-PSW.Win32.Pycoon.sb Trojan-PSW.Win32.Greedy.sb Trojan-PSW.Win32.Stealer.sb Trojan.Java.SAgent.sb HEUR:Trojan.Java.Alien.gen
Link:
https://opentip.kaspersky.com/fff48b44c7afcf52fd59afdad027262fbed0d95597b0dfd25eaf518bd4ea929a/results?tab=lookup
Score:
0%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/fff48b44c7afcf52fd59afdad027262fbed0d95597b0dfd25eaf518bd4ea929a
Gathering data
Verdict:
Malicious
Threat:
Trojan-PSW.Win32.Stealer
Link:
https://tip.neiki.dev/file/fff48b44c7afcf52fd59afdad027262fbed0d95597b0dfd25eaf518bd4ea929a
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=772iwrghv7hvf7kzv7nnajzgf67nbwkvs6yn7us6v5iyxvhkskna._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
credential_access defense_evasion discovery execution persistence stealer
Link:
https://tria.ge/reports/251210-htf6yafq8s/
Behaviour
Enumerates system info in registry
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Browser Information Discovery
Drops file in Windows directory
Adds Run key to start application
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Uses browser remote debugging
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fff48b44c7af/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/fff48b44c7afcf52fd59afdad027262fbed0d95597b0dfd25eaf518bd4ea929a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/44065/

Comments