MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 65c4d4f57e64db69bd54e4e8267ea2fc65e38a7addc98bb00a3da3de35e0e4ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 65c4d4f57e64db69bd54e4e8267ea2fc65e38a7addc98bb00a3da3de35e0e4ce
SHA3-384 hash: 1cfe140ed75ec45aff7d90e07c868b23829e62c19c5a2725a7d81dfd7117bc337049d9797fa8a5c22db6c9862e655d36
SHA1 hash: d5fbdd2ae653daed020a4040c00e1591a80e9d68
MD5 hash: ac95ef83cdf09422ac04b2f97025cade
humanhash: cola-twenty-happy-quebec
File name:file
Download: download sample
File size:56'320 bytes
First seen:2026-04-29 18:02:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e54ed313aa15b1c2c7cc3929ddb713c2
ssdeep 1536:VjVii+SgaHaOzRAy1RR+t5utYfA19z9Zwz:Vjt+Sv6SD1RYtMafAU
TLSH T1B6436C47B2A386FCC016C17489E756326F72F87604306B6F2785EA312F10F619F6E95A
TrID 45.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
18.0% (.EXE) Win64 Executable (generic) (6522/11/2)
13.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.6% (.ICL) Windows Icons Library (generic) (2059/9)
5.6% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter abuse_ch
Tags:exe upx-dec


Avatar
abuse_ch
UPX decompressed file, sourced from SHA256 6e6f40cef29357b48857d891867b35f2605b3c15b8199cff0e1b798656bc3470
File size (compressed) :29'696 bytes
File size (de-compressed) :56'320 bytes
Format:win64/pe
Packed file: 6e6f40cef29357b48857d891867b35f2605b3c15b8199cff0e1b798656bc3470

Intelligence

File Origin
# of uploads :
1
# of downloads :
133
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
_65c4d4f57e64db69bd54e4e8267ea2fc65e38a7addc98bb00a3da3de35e0e4ce.exe
Verdict:
No threats detected
Analysis date:
2026-04-29 18:04:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/826144fb-89ad-430e-aa14-9e88592efde5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/64028/
Result
Verdict:
Clean
Maliciousness:
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/65c4d4f57e64db69bd54e4e8267ea2fc65e38a7addc98bb00a3da3de35e0e4ce
Verdict:
Adware
File Type:
exe x64
First seen:
2026-04-29T15:10:00Z UTC
Last seen:
2026-05-01T07:21:00Z UTC
Hits:
~100
Detections:
PDM:Trojan.Win32.Generic HackTool.Win64.Knotweed.afk
Link:
https://opentip.kaspersky.com/65c4d4f57e64db69bd54e4e8267ea2fc65e38a7addc98bb00a3da3de35e0e4ce/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/2b3b70f5-9d3d-40ee-a1d2-e9001a36d0b9
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1906456
Signature
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/65c4d4f57e64db69bd54e4e8267ea2fc65e38a7addc98bb00a3da3de35e0e4ce
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/65c4d4f57e64db69bd54e4e8267ea2fc65e38a7addc98bb00a3da3de35e0e4ce/
Verdict:
Malicious
Threat:
Trojan.Win32
Link:
https://tip.neiki.dev/file/65c4d4f57e64db69bd54e4e8267ea2fc65e38a7addc98bb00a3da3de35e0e4ce
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-04-29 18:03:43 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mxcnj5l6mtnwtpku4tucm7vc7rs6hct23xeyxmakhwr54npa4tha._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/260429-wncs8ah17m/
Unpacked files
SH256 hash:
65c4d4f57e64db69bd54e4e8267ea2fc65e38a7addc98bb00a3da3de35e0e4ce
MD5 hash:
ac95ef83cdf09422ac04b2f97025cade
SHA1 hash:
d5fbdd2ae653daed020a4040c00e1591a80e9d68
Detections:
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Link:
https://www.unpac.me/results/59a36476-aea1-4ada-a67e-d7d5c90965c2/
Parent samples :
6e6f40cef29357b48857d891867b35f2605b3c15b8199cff0e1b798656bc3470
65c4d4f57e64db69bd54e4e8267ea2fc65e38a7addc98bb00a3da3de35e0e4ce
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.14
Link:
https://yomi.yoroi.company/submissions/65c4d4f57e64db69bd54e4e8267ea2fc65e38a7addc98bb00a3da3de35e0e4ce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PowerShell_Susp_Parameter_Combo_RID336F
Create hunting rule
Author:Florian Roth
Description:Detects PowerShell invocation with suspicious parameters
Reference:https://goo.gl/uAic1X
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 6e6f40cef29357b48857d891867b35f2605b3c15b8199cff0e1b798656bc3470

Executable exe 65c4d4f57e64db69bd54e4e8267ea2fc65e38a7addc98bb00a3da3de35e0e4ce

(this sample)

  
Dropped by
SHA256 6e6f40cef29357b48857d891867b35f2605b3c15b8199cff0e1b798656bc3470
  
Dropped by
MD5 dea832173d18360f741d5cffc9d958e2
Cape
Cape
https://www.capesandbox.com/analysis/64028/

Comments