Open-source atomic malware analysis

2026-02-08_f456f20a99389aef396fadbfb1c02500_akira_amadey_cobalt-strike_darkgate_elex_gcleaner_glassworm_hijackloader_icedid_luca-stealer_njrat_smoke-loader_stealc_vidar

PE
Verdict: SUSPICIOUS

Well-known

suspicious severity, 95% confident.
malware/trojan Acrobat OAuth endpoint string
suspicious severity, 98% confident.
malware/trojan/elex/dropper Acrobat NGL entitlement write

Objectives

suspicious severity, 95% confident.
anti-static/obfuscation XOR-decoded CreateProcess API
suspicious severity, 94% confident.
command-and-control/dropper/delivery URLMon download then ShellExecute stager
suspicious severity, 95% confident.
command-and-control/dropper/execution WiX Burn bootstrapper persists via RunOnce
suspicious severity, 96% confident.
credential-access/cloud Multi-provider cloud OAuth token access
suspicious severity, 88% confident.
evasion/process Manipulate thread execution context (Hijacking)

Micro-behaviors

suspicious severity, 94% confident.
mem/create Native section mapping execution primitives
suspicious severity, 92% confident.
os/network Network share connect and disconnect cycle
notable severity, 95% confident.
communications/http Send HTTP request via WinInet
notable severity, 95% confident.
crypto/symmetric ChaCha20/Salsa20 cipher constant
notable severity, 95% confident.
data/embedded Complete PE resource extraction with data access
notable severity, 100% confident.
process/create CreateProcessAsUser API reference
notable severity, 98% confident.
process/inject CreateRemoteThread API reference
notable severity, 98% confident.
process/terminate Toolhelp process termination API cluster

Metadata

notable severity, 96% confident.
binary Compact mapped image with embedded stages
notable severity, 100% confident.
hardening Writable and executable section (W^X violation)
notable severity, 100% confident.
signed Signed by Adobe Inc.
notable severity, 100% confident.
unsigned Binary is not digitally signed

file

notable severity, 100% confident.
archive/self-extracting Self-extracting archive (CAB)

20 of 205 traits shown

Identity

SHA-256 94ba0e37f99c4b33514fe5bc442467dad2e7cf5e7b7d2557a8088feb36f7be8b
Canonical SHA-256 13de4adbc8f4819337b51f844535b9103c465b867f9c01466dc0472a091a58e7
Filename 2026-02-08_f456f20a99389aef396fadbfb1c02500_akira_amadey_cobalt-strike_darkgate_elex_gcleaner_glassworm_hijackloader_icedid_luca-stealer_njrat_smoke-loader_stealc_vidar

Origin

Source harvest
Feed vxug
Ecosystem _unknown

Timeline

First seen 24 Apr 2026 16:15 UTC
Last analyzed 30 Apr 2026 20:35 UTC
Last updated 30 Apr 2026 20:35 UTC

Labeling

Label bad
Label source harvest
Traits version 7a19b