ThreatFox IOC Database

You are viewing the ThreatFox database entry for sha256_hash 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37.

Database Entry


IOC ID: 1785153
IOC: 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
IOC Type: sha256_hash
Threat Type: payload
Malware: Unknown RAT
Confidence Level: Confidence level is elevated (75%)
Is compromised?: False
First seen: 2026-04-13 12:58:18 UTC
Last seen: never
UUID: ccc73748-372f-11f1-8759-42010aa4000a
Reporter: Omaha
Reward: 5 credits from ThreatFox
Tags: BYOR infostealer java persistence RAT ZKM-Stealer
Reference: https://tria.ge/260407-s8dpgahs5l/behavioral1

Omaha
Additional component hashes for malware that self-identifies as ZKM Stealer 26.0.0.

SHA256: 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
File: elevate.exe - repurposed legitimate UAC elevation binary used to display a genuine Windows UAC prompt. Socially engineered victim clicks yes. VT: 0/71, clean as a legitimate binary but used maliciously here.

SHA256: 7ae34abfc96de00ded88118f432251d114e517ccacc4bfc18e56dd1eb6ded39f
File: jre.zip - bundled Java JRE 1.8.0_101. BYOR technique - complete Java runtime bundled in the installer. Compiled November 17-18, 2025.

SHA256: ced385f69e56db2f63bafade76c6285b4a2e058880f271d30deadc52459d419d
File: App_[username].xml - Windows Scheduled Task XML. Persistence mechanism. Task named App_[WindowsUsername] runs javaw.exe -jar update.jar at every login with HighestAvailable privilege. Created: 2026-03-31T16:32:40
NOTE: Task name uses the actual Windows username, not App_root; App_root was the VirusTotal sandbox username only.

Law enforcement notified:
FBI IC3: fad477e92b9f4692b96be4eac6236d20
CISA: CCASE0175447