MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18535509a6d259487b6b06edf2f1b2df3c4890fe16d630c8a2ec6af32cbe8b32. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 11

Intelligence 11 IOCs YARA 5 File information Comments

SHA256 hash:	18535509a6d259487b6b06edf2f1b2df3c4890fe16d630c8a2ec6af32cbe8b32
SHA3-384 hash:	3a78d9b5bb9875515f68e113fb33e0be23bdf4c8aafdd71786c4d59863289d7a5bea0758a8a82d9990b1b36cbda4ed6c
SHA1 hash:	c5373670c4b2ed32115e20e006141fecabf342e9
MD5 hash:	003c8d2c18abb92a49daab159fb283aa
humanhash:	king-muppet-carpet-yankee
File name:	file
Download:	download sample
File size:	2'093'360 bytes
First seen:	2026-03-03 13:26:43 UTC
Last seen:	2026-03-03 15:01:25 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	88016fcdef7f227c62171d0afad9aae4 (4 x OffLoader, 3 x Gh0stRAT, 1 x XWorm)
ssdeep	24576:pXNrSLScusMmOkKIhzvL4Kc7RTVqP+GGDu+uZ2w6OqCu5+EmcB9535T0we6CRwHN:iuI5hNS9kP+bDuB63Cu8E9Bvd0/Nrbzm
TLSH	T1DCA5D03FB28B753EE06E5A367A72E210593B7661A4174C1696F4C84CCF250B02E3E797
TrID	61.4% (.EXE) Inno Setup installer (107240/4/30) 23.8% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 3.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.7% (.EXE) Win64 Executable (generic) (6522/11/2) 2.5% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey exe fbf543 signed

Code Signing Certificate

Organisation:	TRUST & SIGN POLAND SP Z O O
Issuer:	SSL.com EV Code Signing Intermediate CA RSA R3
Algorithm:	sha256WithRSAEncryption
Valid from:	2025-08-22T19:04:49Z
Valid to:	2026-08-22T19:04:49Z
Serial number:	6b902553d4faa01cd0fa62009c8f2db2
Cert Graveyard Blocklist:	This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:	SHA256
Thumbprint:	9b080c482d90022379588e97e4b432f70596fb9de25148cbd350e2f7603f8f3b
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Bitsight

url: http://130.12.180.43/files/7362035837/tNRasRy.exe

Intelligence

File Origin

# of uploads :

# of downloads :

155

Origin country :

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/b71e685b-c58e-4ae1-bceb-4e6bd898aaf8/

Malware family:

n/a

ID:

File name:

CryptoVista_Installer_2E65H.exe

Verdict:

Malicious activity

Analysis date:

2026-03-03 13:27:11 UTC

Tags:

delphi inno installer

Link:

https://app.any.run/tasks/729c9874-a60d-4861-b64d-15479afe32bf

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/55396/

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69a6e1b2002d37d5c9831ed2

Tags:

injection dropper delphi obfusc

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Searching for synchronization primitives

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

adaptive-context anti-debug embarcadero_delphi fingerprint inno installer installer installer-heuristic packed signed soft-404

Link:

https://www.filescan.io/uploads/69a6e1b010e80629d4fa3a93/reports/e7d80383-f914-4776-911a-fa6996aad487/overview

Verdict:

Malicious

Labled as:

TrojanDldr.OffLoader.gen

Link:

https://www.hybrid-analysis.com/sample/18535509a6d259487b6b06edf2f1b2df3c4890fe16d630c8a2ec6af32cbe8b32

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-01-24T13:08:00Z UTC

Last seen:

2026-02-13T06:11:00Z UTC

Hits:

~10

Detections:

UDS:DangerousObject.Multi.Generic

Link:

https://opentip.kaspersky.com/18535509a6d259487b6b06edf2f1b2df3c4890fe16d630c8a2ec6af32cbe8b32/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/d223667d-5257-4e73-968e-9a4c7be9b17f

Score:

74%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/18535509a6d259487b6b06edf2f1b2df3c4890fe16d630c8a2ec6af32cbe8b32

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/003c8d2c18abb92a49daab159fb283aa

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/18535509a6d259487b6b06edf2f1b2df3c4890fe16d630c8a2ec6af32cbe8b32/

Verdict:

Malicious

Link:

https://tip.neiki.dev/file/18535509a6d259487b6b06edf2f1b2df3c4890fe16d630c8a2ec6af32cbe8b32

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dbjvkcng2jmuq63la3w7f4ns346ereh6c3ldbsfc5rvpglf6rmza._file

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery installer

Link:

https://tria.ge/reports/260303-qp7gbsht3y/

Behaviour

Suspicious use of WriteProcessMemory

Inno Setup is an open-source installation builder for Windows applications.

System Location Discovery: System Language Discovery

Executes dropped EXE

Unpacked files

SH256 hash:

18535509a6d259487b6b06edf2f1b2df3c4890fe16d630c8a2ec6af32cbe8b32

MD5 hash:

003c8d2c18abb92a49daab159fb283aa

SHA1 hash:

c5373670c4b2ed32115e20e006141fecabf342e9

Link:

https://www.unpac.me/results/e6b81279-0da0-439b-a8aa-8a991858ab8d/

SH256 hash:

5775ed19b7c7e2ea5ea7d28abf98aa8070cf3e8f8caa87621fda6e2bd121a2c3

MD5 hash:

f524b1831fc29de5e560c8ca98797adc

SHA1 hash:

b310c0f962e164bae2c1bf3da5847744d81e95bd

Link:

https://www.unpac.me/results/e6b81279-0da0-439b-a8aa-8a991858ab8d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/18535509a6d259487b6b06edf2f1b2df3c4890fe16d630c8a2ec6af32cbe8b32

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 18535509a6d259487b6b06edf2f1b2df3c4890fe16d630c8a2ec6af32cbe8b32

(this sample)

Dropped by

Amadey

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3789057/

Cape

https://www.capesandbox.com/analysis/55396/

URLhaus

https://urlhaus.abuse.ch/url/3789111/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample