YARAify Scan Results

You are viewing the YARAify database entry for the file with the SHA256 hash 8fc3c22387479bc46260326613b883db581dab1a4b3d68b2e8d22fa8e1fe47e8.

SHA256 hash:	8fc3c22387479bc46260326613b883db581dab1a4b3d68b2e8d22fa8e1fe47e8
File size:	44'328'416 bytes
File download:	Original
MIME type:	application/x-dosexec
MD5 hash:	0d197fa5219cab98d0dcc09bc9dd1952
SHA1 hash:	6e33ac31d743d85905e5ece1f1cf6ecaff99dc1d
SHA3-384 hash:	a4d5286e70620b40365c67fa90c79a53d65caa8694b08a1f8e5a29b46ece70ef539e240adea5b87ad1b9d1b5142159c3
First seen:	2026-04-27 15:04:18 UTC
Last seen:	Never
Sightings:	1
imphash :	3c10d2aa2614755ccdb513472bf0a6a1 Create hunting rule
ssdeep :	786432:gEIvs4EIvs4EIvsE7EIvs4EIvs4EIvs4EIvsEn:wXXZzXXXZn
TLSH :	n/a
telfhash :	n/a
gimphash :	n/a
dhash icon :	n/a

There are 1 tasks on YARAify for this particular file. The 10 most recent ones are shown below.

The file matched the following open source and commercial ClamAV rules.

No matches

The following YARA rules matched on the file (static analysis).

Rule name:	APT_Sandworm_ArguePatch_Apr_2022_1 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detect ArguePatch loader used by Sandworm group for load CaddyWiper
Reference:	https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/
TLP:	TLP:WHITE

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
TLP:	TLP:WHITE
Repository:	bartblaze

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
TLP:	TLP:WHITE

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
TLP:	TLP:WHITE

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
TLP:	TLP:WHITE

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	skip20_sqllang_hook Create hunting rule
Author:	Mathieu Tartare <mathieu.tartare@eset.com>
Description:	YARA rule to detect if a sqllang.dll version is targeted by skip-2.0. Each byte pattern corresponds to a function hooked by skip-2.0. If $1_0 or $1_1 match, it is probably targeted as it corresponds to the hook responsible for bypassing the authentication.
Reference:	https://www.welivesecurity.com/
TLP:	TLP:WHITE
Repository:

Rule name:	test_rule_vldslv Create hunting rule
Author:
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	Win_FakeInstaller_PythonShellcodeLoader_Crepectl_2026 Create hunting rule
Author:	SixHands
Description:	Detects the analyzed fake installer sample using .key config, XOR key, and Python/fiber shellcode loader traits
TLP:	TLP:WHITE
Repository:	YARAify

The following YARA rules matched on the unpacked file.

Disabled by submitter

The following files could be unpacked from this sample.

Disabled by submitter

2026-04-27 15:04:19 UTC Static: 15 Unpacker: 0 ClamAV: 0