MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21a68975feeb28b5369222f8e148899ca767228ff5a111a27393f23a57224fbb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 21a68975feeb28b5369222f8e148899ca767228ff5a111a27393f23a57224fbb
SHA3-384 hash: f5b7817efd555ab5d1c5e4540301471a6ecebfe211e850bbbfdd93d726164ea62f0fc5497f0b83ba73ff5a57d2f8ba05
SHA1 hash: 1ec39cf26540cc815f126edd71ffd4c1c1bec9d6
MD5 hash: ff2a4034a5b9f436fce9f313afe3da8f
humanhash: whiskey-seven-mike-oven
File name:DeepSeekLocal1.5@bd01_11888651966485814223.exe
Download: download sample
File size:85'655'592 bytes
First seen:2025-03-21 16:42:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (533 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 1572864:UofVdYFfwp+Q9B7L6FTPdiRkFjztyDP0KKzYtLC2MrP8r61/lTUJ:Uo7YFNwp6FDdiyFj4eb2Mb8k1a
Threatray 459 similar samples on MalwareBazaar
TLSH T10A1833664E9DD80CD2472EBC0EC22E3E39BA37C98BFF94A6A09F36E159167115D05CD0
TrID 37.3% (.EXE) Win64 Executable (generic) (10522/11/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.9% (.EXE) Win32 Executable (generic) (4504/4/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon a258a2ced2d6b8b2
Reporter SquiblydooBlog
Tags:exe Keroro Technology Co Ltd signed

Code Signing Certificate

Organisation:Keroro Technology Co., Ltd.
Issuer:Certum Extended Validation Code Signing 2021 CA
Algorithm:sha256WithRSAEncryption
Valid from:2025-02-22T07:09:42Z
Valid to:2026-02-22T07:09:41Z
Serial number: 5f737e82330734c32297ef89b72fb607
Intelligence: 18 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Graveyard Blocklist:This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:SHA256
Thumbprint: a2e0b7aaa5b7f1ff1c15291f5b08936659a05c7909648bdd8ab8b1b9a71fce40
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
673
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DeepSeekLocal1.5@bd01_11888651966485814223.exe
Verdict:
Malicious activity
Analysis date:
2025-03-21 17:23:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/821138b8-6225-44ee-9534-fec2d6b307bf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Searching for synchronization primitives
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
adaptive-context blackhole installer microsoft_visual_cc overlay packed signed
Link:
https://www.filescan.io/uploads/67dd9732a175d31773441242/reports/05f1ab89-9749-43d8-93ae-c4d72dd1eee2/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/21a68975feeb28b5369222f8e148899ca767228ff5a111a27393f23a57224fbb
Result
Verdict:
UNKNOWN
Result
Threat name:
n/a
Detection:
suspicious
Classification:
n/a
Score:
24 / 100
Link:
https://www.joesandbox.com/analysis/1645376
Signature
AI detected suspicious PE digital signature
Drops large PE files
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1645376 Sample: DeepSeekLocal1.5@bd01_11888... Startdate: 21/03/2025 Architecture: WINDOWS Score: 24 42 AI detected suspicious PE digital signature 2->42 7 DeepSeekLocal1.5@bd01_11888651966485814223.exe 12 245 2->7         started        11 DeepSeekLocal.exe 45 2->11         started        process3 file4 30 C:\Users\user\AppData\Local\...\nsis7z.dll, PE32 7->30 dropped 32 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 7->32 dropped 34 C:\Users\user\AppData\Local\...\nsDialogs.dll, PE32 7->34 dropped 36 15 other files (none is malicious) 7->36 dropped 44 Drops large PE files 7->44 13 cmd.exe 1 7->13         started        15 DeepSeekLocal.exe 7 11->15         started        18 DeepSeekLocal.exe 1 11->18         started        20 DeepSeekLocal.exe 1 11->20         started        22 explorer.exe 17 1 11->22 injected signatures5 process6 dnsIp7 24 conhost.exe 13->24         started        26 tasklist.exe 1 13->26         started        28 find.exe 1 13->28         started        38 chrome.cloudflare-dns.com 162.159.61.3, 443, 49704 CLOUDFLARENETUS United States 15->38 40 172.64.41.3, 443, 49705 CLOUDFLARENETUS United States 15->40 process8
Score:
44%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/21a68975feeb28b5369222f8e148899ca767228ff5a111a27393f23a57224fbb
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=egtis5p65mulknusel4ocsejtstwoiup6wqrdittspzduvzcj65q._file
Verdict:
malicious
Label(s):
hacktool_uac_dll
Create hunting rule
Similar samples:
21a68975feeb28b5369222f8e148899ca767228ff5a111a27393f23a57224fbb
30091faafd62ea7ba9868db2ee575dab98fd126a78d39590f57ea7b38b20d966
73cb3d7601ea224b083d2348a3c1e69de9d9105e85ac501565108a88bd663ecd
77f6187a0fb4343ce16a0cf83ac34445df92563328b12ad422ee3f255fd8b937
7897d212eaa82c5fa94da40b66db07ff4432574f9ff816b3821156a54d2b88e0
7fe4c2297ab763a43c7ea377eae860ea0bbe4533538dd918d97421d574c9550e
c0e796dd18f9f0997147965e162bdcd45a36225f71c2972456c0e2d3571f8d90
c2c83aaf84f01489752afd8008228fa9c1ec096893585ba7ee114eeded729749
error
+ 449 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/250321-t8ahgsszd1/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Enumerates processes with tasklist
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5abd46d4-9225-4d66-861e-2364761b915e
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::SetFileSecurityW
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::SHFileOperationW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDiskFreeSpaceW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileExW
KERNEL32.dll::MoveFileW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments