MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2112c64c29f78b91dc2570230fb8bdfabaae24f0271da65391a6d52a9047b877. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2112c64c29f78b91dc2570230fb8bdfabaae24f0271da65391a6d52a9047b877
SHA3-384 hash: 80a954dbb5dfd469a6055f27761b30e3662054a08d9b5d8bb1d3c04af9bc44654ffe82e841a4be8bfdd2a381b3bde60e
SHA1 hash: 5299fe4a1715a3da69f5efa3206f7216ddd2db65
MD5 hash: 1b3e63ee5fd5c3bbbf43084fe986dcd9
humanhash: louisiana-harry-avocado-spaghetti
File name:r_loc.exe
Download: download sample
File size:2'382'424 bytes
First seen:2025-08-13 08:22:10 UTC
Last seen:2025-08-13 10:18:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a26e00e8878eb26dc978d3501171719e
ssdeep 24576:g38r8ZII5r3/JGFbvOt1Sw19+yOaO67G88IIM6RVKJ6clMi81s3AQ46luD:g38r8Hr3/JG5vOtgw/e67Oq46luD
TLSH T114B50A4369DB0DE9C9D67BB8A1D31335A734FD748B295E3E6A08C2311D636C4AE1BB10
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10522/11/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter Joker
Tags:exe trojan

Intelligence

File Origin
# of uploads :
3
# of downloads :
66
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
r_loc.exe
Verdict:
No threats detected
Analysis date:
2025-08-13 08:56:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b801a58c-6f21-4100-ae81-ad7eaada31d8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/21084/
Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=689c4b60642b4839d1b5b17c
Tags:
injection rozena obfusc virus
Result
Verdict:
Clean
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug obfuscated overlay
Link:
https://www.filescan.io/uploads/689c4b53397fd3ce6fa7490f/reports/e793b69a-c72a-4f78-8fe4-7ac886ebc45f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/2112c64c29f78b91dc2570230fb8bdfabaae24f0271da65391a6d52a9047b877
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/4b6d2013-7b71-4c4a-b693-0682ca3bc005
Score:
60%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/2112c64c29f78b91dc2570230fb8bdfabaae24f0271da65391a6d52a9047b877
Verdict:
inconclusive
YARA:
3 match(es)
Tags:
Executable PE (Portable Executable) Win 64 Exe x64
Link:
https://app.malva.re/file/1b3e63ee5fd5c3bbbf43084fe986dcd9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2112c64c29f78b91dc2570230fb8bdfabaae24f0271da65391a6d52a9047b877/
Verdict:
Malicious
Threat:
UDS:DangerousObject.Multi
Link:
https://tip.neiki.dev/file/2112c64c29f78b91dc2570230fb8bdfabaae24f0271da65391a6d52a9047b877
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-08-13 08:22:35 UTC
File Type:
PE+ (Exe)
AV detection:
16 of 38 (42.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eejmmtbj66fzdxbfoarq7of57k5k4jhqe4o2mu4ru3ksvechxb3q._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/250813-j9tmmsvks2/
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/57a1d6bd-743f-4ebb-9be2-83b8ebe1f69a
Unpacked files
SH256 hash:
2112c64c29f78b91dc2570230fb8bdfabaae24f0271da65391a6d52a9047b877
MD5 hash:
1b3e63ee5fd5c3bbbf43084fe986dcd9
SHA1 hash:
5299fe4a1715a3da69f5efa3206f7216ddd2db65
Link:
https://www.unpac.me/results/4224a6a2-18ff-4684-bc80-bc6d79213a12/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.56
Link:
https://yomi.yoroi.company/submissions/2112c64c29f78b91dc2570230fb8bdfabaae24f0271da65391a6d52a9047b877

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 2112c64c29f78b91dc2570230fb8bdfabaae24f0271da65391a6d52a9047b877

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3601732/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/21084/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WININET.dll::InternetCloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryW

Comments