MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1782201e352ed4ec9635cf085eefa70060627d9d9bd53ea4f16e587fa149ca39. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 12



SHA256 hash: 1782201e352ed4ec9635cf085eefa70060627d9d9bd53ea4f16e587fa149ca39
SHA3-384 hash: 23c602fff192e755c6f9c476bf9cb6cc024d22c65388f19c47baf7615ad62de8c8fa326ee60d8d4d77b86221939fbffd
SHA1 hash: cafc2a27333bad3960a14cd3a132d2cad4ab0f1d
MD5 hash: 10f5cae3f3bd17583e3c9572f656d5dd
humanhash: mexico-king-early-oklahoma
File name: MAWS_keeaOzExe_Setup.exe?ver=1.0
File size: 13'810'776 bytes
First seen: 2025-11-20 15:24:27 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b78ecf47c0a3e24a6f4af114e2d1f5de (295 x GuLoader, 23 x Formbook, 21 x RemcosRAT)
ssdeep: 393216:FLMVYQeM9qMxVhizNvrJQEAJCAkk0tKq7e1QYo:hAeM95a9JQ3JCtk0tL7YI
TLSH: T1FDD6334B14C8B83BF681543339A257330B721A7653E59D93AF0B96260D432BB83FA757
TrID:
  47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
  9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
Reporter: juroots
Tags: exe signed

Code Signing Certificate

Organisation: MarkAny Inc.
Issuer: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm: sha256WithRSAEncryption
Valid from: 2025-01-20T00:00:00Z
Valid to: 2028-01-19T23:59:59Z
Serial number: 0fbbbf19e1daeb384b3d1b6846ffaca8
Thumbprint Algorithm: SHA256
Thumbprint: 2e7ee88c35e2c3349eff48a5914d38e4eaf9f69316f1d60fda1babded88d4ce3
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 93
Origin country: IL
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: MAWS_keeaOzExe_Setup.exe
Verdict: Malicious activity
Analysis date: 2025-11-20 15:26:19 UTC
Tags: auto-reg
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.9%
Tags: emotet virut

Verdict: Malware
Behaviour:
  Creating a window
  Creating a file in the %temp% subdirectories
  Creating synchronization primitives
  Creating a file
  Creating a process from a recently created file
  Creating a file in the Windows directory
  Creating a file in the Windows subdirectories
  Creating a file in the system32 directory
  Creating a process with a hidden window
  Creating a service
  Launching a service
  Searching for synchronization primitives
  Loading a system driver
  Setting a global event handler
  Enabling autorun for a service
  Setting a global event handler for the keyboard

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: adaptive-context anti-debug blackhole fingerprint installer installer installer-heuristic lolbin microsoft_visual_cc nsis overlay regsvr32 signed

Verdict: Malicious
File Type: exe x32
First seen: 2025-04-14T01:47:00Z UTC
Last seen: 2025-11-21T03:42:00Z UTC
Hits: ~1000
Detections: Trojan-Spy.Win32.Xegumumune.sbc BSS:Trojan.Win32.Generic HEUR:Trojan-Spy.Win32.Xegumumune.gen

Verdict: inconclusive
YARA: 5 match(es)
Tags: Executable NSIS Installer PDB Path PE (Portable Executable) PE File Layout PE Memory-Mapped (Dump) Win 32 Exe x86

Verdict: Malicious
Threat: Trojan-Spy.Win32.Xegumumune

Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2025-04-22 08:49:40 UTC
File Type: PE (Exe)
Extracted files: 483
AV detection: 9 of 38 (23.68%)
Threat level: 5/5

Malware family: n/a
Score: 8/10
Tags: defense_evasion discovery installer persistence spyware stealer trojan
Behaviour:
  Modifies registry class
  Modifies system certificate store
  Suspicious behavior: EnumeratesProcesses
  Suspicious behavior: LoadsDriver
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of FindShellTrayWindow
  Suspicious use of SendNotifyMessage
  Suspicious use of SetWindowsHookEx
  Suspicious use of WriteProcessMemory
  NSIS installer
  Enumerates physical storage devices
  Modifies trusted root certificate store through registry
  Reads user/profile data of web browsers
  System Location Discovery: System Language Discovery
  Checks installed software on the system
  Drops file in Program Files directory
  Drops file in Windows directory
  Executes dropped EXE
  Loads dropped DLL
  Drops file in System32 directory
  Adds Run key to start application
  Drops file in Drivers directory
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Detect_SliverFox_String
Author: huoji
Description: Detects files that are `SliverFox` malware

Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through a base64-encoded PowerShell script.

Rule name: Ins_NSIS_Buer_Nov_2020_1
Author: Arkbird_SOLG
Description: Detect NSIS installer used for Buer loader

Rule name: PE_Digital_Certificate
Author: albertzsigovits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  Executable exe 1782201e352ed4ec9635cf085eefa70060627d9d9bd53ea4f16e587fa149ca39 (this sample)

Delivery method: Distributed via web download

Comments