MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 049bef0f241dd0b63453e7f8e547560ce8f2d0b3c72c18dcf2813b29d0dbe802. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 11

Intelligence 11 IOCs YARA 4 File information Comments

SHA256 hash:	049bef0f241dd0b63453e7f8e547560ce8f2d0b3c72c18dcf2813b29d0dbe802
SHA3-384 hash:	de11a778fc8e7530b656703f815f35181e0ee9a31c85979bc51f8ddd087a7f3c3e68807135b2be92aaa6f0d7c26fd5bf
SHA1 hash:	96e79d3e3412f8dcac06b91dba9a99dca83b0651
MD5 hash:	8ef405d7a3b5723e242b443229a58cb9
humanhash:	cardinal-magnesium-green-magnesium
File name:	update.exe
Download:	download sample
File size:	23'665'705 bytes
First seen:	2025-12-01 20:35:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f4639a0b3116c2cfc71144b88a929cfd (96 x GuLoader, 53 x Formbook, 37 x VIPKeylogger)
ssdeep	393216:g5SK/2E53TUdvPRPm31+XMsSAKW0RwNTqUCmLwd0Ieitb6xt6AseSaPpCw4gKnK:g5SKOEJI7VOkkYeUCmLaeitstRCw4gKK
TLSH	T173373339D4ABFBA9C423EA35F382FFD34D29251A28565CFDF21F350670841BA9439419
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	juroots
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

NSIS

Details

NSIS

extracted archive contents

Malware family:

n/a

ID:

File name:

_049bef0f241dd0b63453e7f8e547560ce8f2d0b3c72c18dcf2813b29d0dbe802.exe

Verdict:

Malicious activity

Analysis date:

2025-12-01 20:40:41 UTC

Tags:

auto-reg

Link:

https://app.any.run/tasks/0e0c34f5-04f3-4f77-825e-51a5fb8e0350

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/42071/

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=692dfcb0264b106bd645acec

Tags:

madi

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a window

Сreating synchronization primitives

Searching for synchronization primitives

Verdict:

Malicious

Labled as:

Malware_52.4

Link:

https://www.hybrid-analysis.com/sample/049bef0f241dd0b63453e7f8e547560ce8f2d0b3c72c18dcf2813b29d0dbe802

Result

Gathering data

Verdict:

Unknown

File Type:

exe x32

First seen:

2025-11-30T23:06:00Z UTC

Last seen:

2025-12-01T03:51:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/049bef0f241dd0b63453e7f8e547560ce8f2d0b3c72c18dcf2813b29d0dbe802/results?tab=lookup

Score:

76%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/049bef0f241dd0b63453e7f8e547560ce8f2d0b3c72c18dcf2813b29d0dbe802

Verdict:

RedLine Stealer

YARA:

5 match(es)

Tags:

.Net Executable Malicious Managed .NET NSIS Installer PDB Path PE (Portable Executable) PE File Layout RAT RECORDSTEALER RedLine Stealer SOS: 0.21 SOS: 0.25 SOS: 0.26 SOS: 0.30 SOS: 0.39 Stealer Win 32 Exe x86

Link:

https://app.malva.re/file/8ef405d7a3b5723e242b443229a58cb9

Gathering data

Verdict:

Malicious

Link:

https://tip.neiki.dev/file/049bef0f241dd0b63453e7f8e547560ce8f2d0b3c72c18dcf2813b29d0dbe802

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=asn66dzedxilmnct474okr2wbtupfufty4wbrxhsqe5stug35aba._file

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery

Link:

https://tria.ge/reports/251201-zdsy8svreq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Loads dropped DLL

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/2f646727-861c-43b4-b098-2c654f5432c6

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/049bef0f241dd0b63453e7f8e547560ce8f2d0b3c72c18dcf2813b29d0dbe802

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Detect_NSIS_Nullsoft_Installer Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects NSIS installers by .ndata section + NSIS header string

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 049bef0f241dd0b63453e7f8e547560ce8f2d0b3c72c18dcf2813b29d0dbe802

(this sample)

Cape

https://www.capesandbox.com/analysis/42071/

URLhaus

https://urlhaus.abuse.ch/url/3722951/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample