YARAify Scan Results

You are viewing the YARAify database entry for the file with the SHA256 hash e5dc4a3d5003bf99535816ef5a2a08827aa92796c8a9e1d9e151f66e1fc76693.

SHA256 hash:	e5dc4a3d5003bf99535816ef5a2a08827aa92796c8a9e1d9e151f66e1fc76693
File size:	3'810'816 bytes
File download:	Original
MIME type:	application/x-dosexec
MD5 hash:	0c66735d88513cc53123c16fc87f5554
SHA1 hash:	93f4ff058dc8ac7382145223ac3c9bec916a3d57
SHA3-384 hash:	e8c9cb0e9f7cfff206e91973c07a9ac9f0e02f9a1f41c06cbe056c81525aaac588d81b1522d27f4403ced247061edc23
First seen:	2026-03-29 17:17:32 UTC
Last seen:	Never
Sightings:	1
imphash :	adcd9682585d11d95f17bb6ffa76f15e Create hunting rule
ssdeep :	49152:+44B+lNsHPWeelGdwSxQRw9CuL0wijepA8oGd9Tg70azpkf4333zTyEmY:NIPp70wijepoGzgbA4333HDn
TLSH :	n/a
telfhash :	n/a
gimphash :	n/a
dhash icon :	c0d2e2f0c262b0c9 Create hunting rule

There are 1 tasks on YARAify for this particular file. The 10 most recent ones are shown below.

The file matched the following open source and commercial ClamAV rules.

No matches

The following YARA rules matched on the file (static analysis).

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
TLP:	TLP:WHITE

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
TLP:	TLP:WHITE

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants
TLP:	TLP:WHITE
Repository:

Rule name:	pe_detect_tls_callbacks Create hunting rule
Author:
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants
TLP:	TLP:WHITE
Repository:

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants
TLP:	TLP:WHITE
Repository:

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants
TLP:	TLP:WHITE
Repository:

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns
TLP:	TLP:WHITE
Repository:	MalwareBazaar

Rule name:	telebot_framework Create hunting rule
Author:	vietdx.mb
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE Create hunting rule
Author:	CYFARE
Description:	Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:	https://cyfare.net/
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	TH_APT_EquationGroup_2026_CYFARE Create hunting rule
Author:	CYFARE
Description:	Equation Group (G0020) APT malware detection - covers EquationDrug, GrayFish, DoubleFantasy, TripleFantasy, Fanny, GROK, nls_933w HDD firmware module, and Shadow Brokers tooling
Reference:	https://cyfare.net/
TLP:	TLP:WHITE
Repository:	YARAify

The following YARA rules matched on the unpacked file.

Disabled by submitter

The following files could be unpacked from this sample.

Disabled by submitter

2026-03-29 17:17:32 UTC Static: 18 Unpacker: 0 ClamAV: 0