Threat Feed
lol.sh
2026-05-01T12:23:26.794
malicious
Shell Script
SHA256: aa06874309e93840641f018e25d822db99b1ac398e27af5854dd305a0b1685e7
VMRay Threat Identifiers
Severity  Operation
5/5       Malicious content matched by YARA rules
3/5       Creates an unusually large number of processes
2/5       Tries to execute downloaded binary of different architecture than the host
2/5       Downloads file
1/5       Connects to remote host
Downloader
Bot
file.exe
2026-05-01T12:16:07.790
malicious
Windows Exe (x86-32)
SHA256: 9dfbd4ad0dde7ed7833f3120992f7c40b60aa48ab27041a600ace20e0c316aaf
VMRay Threat Identifiers
Severity  Operation
5/5       Tries to read cached credentials of various applications
5/5       Combination of other detections shows multiple input capture behaviors
5/5       Malicious content matched by YARA rules
3/5       Tries to detect the presence of antivirus software
3/5       Modifies native system functions
3/5       Takes screenshot
2/5       Searches for sensitive browser data
2/5       Sets up server that accepts incoming connections
2/5       Reads network adapter information
2/5       Searches for sensitive mail data
2/5       Queries OS info via WMI
2/5       Reads sensitive mail data
2/5       Searches for sensitive application data
1/5       Query OS Information
1/5       Enables process privileges
1/5       Resolves API functions dynamically
1/5       Creates a page with write and execute permissions
1/5       Uses encryption API
1/5       Possibly does reconnaissance
1/5       Enumerates running processes
1/5       Installs system startup script or application
1/5       Connects to remote host
1/5       Downloads file
1/5       Tries to connect using an uncommon port
1/5       Content matched by YARA rules
1/5       Unusual large memory allocation
1/5       Overwrites code
1/5       Creates mutex
Spyware
Backdoor
file.exe
2026-05-01T12:15:39.562
malicious
Windows Exe (x86-64)
SHA256: acd9d233aea92fb8c10968d7230e5c8374c76f78386a742c61ccf7a000191227
VMRay Threat Identifiers
Severity  Operation
5/5       Combination of other detections shows configuration discovery
3/5       Reads installed applications
2/5       Sets up server that accepts incoming connections
2/5       Collects information about services
2/5       Enumerates running processes
2/5       Collects BIOS properties
2/5       Collects user account information
2/5       Reads network configuration
2/5       Queries OS info via WMI
2/5       Reads network adapter information
2/5       Collects hardware properties
1/5       Enumerates running processes
1/5       Reads from memory of another process
1/5       Enables process privileges
1/5       Executes WMI query
1/5       Query OS Information
1/5       Performs DNS request
1/5       Connects to remote host
1/5       URL contains a TLD highly associated with phishing
1/5       Content matched by YARA rules
1/5       Resolves API functions dynamically
8yzeyC3L4PcMnJMd.exe
2026-05-01T12:00:54.369
malicious
Windows Exe (x86-32)
SHA256: 066644e9265c39f3447f78509b23c2912c7d8e9a74e984780dbed6c1ce803095
VMRay Threat Identifiers
Severity  Operation
5/5       Tries to read cached credentials of various applications
5/5       Combination of other detections shows multiple input capture behaviors
3/5       Suspicious content matched by YARA rules
3/5       Takes screenshot
3/5       Sends data via a Telegram bot
2/5       Searches for sensitive password manager data
2/5       Searches for sensitive application data
2/5       Tries to detect application sandbox
2/5       Searches for sensitive browser data
2/5       Searches for sensitive mail data
2/5       Network configuration discovery
2/5       Searches for sensitive remote access configuration data
2/5       Sets up server that accepts incoming connections
2/5       Signed executable failed signature validation
2/5       Collects hardware properties
2/5       Reads sensitive browser data
1/5       Content matched by YARA rules
1/5       Possibly does reconnaissance
1/5       Obfuscates control flow
1/5       Resolves API functions dynamically
1/5       Creates mutex
1/5       Creates process with hidden window
1/5       Enumerates running processes
1/5       Executes WMI query
1/5       Performs DNS request
1/5       Connects to remote host
1/5       Enables process privileges
1/5       Query OS Information
Spyware
NKgXbRGdgt521jeQ.exe
2026-05-01T11:52:39.489
malicious
Windows Exe (x86-64)
SHA256: 3e691a13c54a6cde8ce0c6c9cf47a6aa225fa6e3d0f0da543c8512f16b801392
VMRay Threat Identifiers
Severity  Operation
5/5       Malicious content matched by YARA rules
4/5       Malicious content matched by YARA rules
2/5       Tries to detect virtual machine
2/5       Dead Drop Resolver
2/5       Allows invalid SSL certificates
1/5       Unusual large memory allocation
1/5       Tries to detect debugger
Spyware