MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2247dfe9d3ef409c31d8ec980b6c92c78aa4f4f31b3de5fe7287d7ac17936f63. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments

SHA256 hash: 2247dfe9d3ef409c31d8ec980b6c92c78aa4f4f31b3de5fe7287d7ac17936f63
SHA3-384 hash: dfc03ee710e39b39cf1cce55ce143bbe1f48480c94636291776711b7c3c3c548f9d7cb96ec3f59dadf9cc652313e7d10
SHA1 hash: 10d1f425a8cb44c7c48d8f42c3003db47682021d
MD5 hash: 0d5d3e1896b4f842041ba17cbe63aa14
humanhash: princess-pip-berlin-apart
File name:SecuriteInfo.com.Trojan.Win32.Agent.8392.1724
Download: download sample
File size:1'215'513 bytes
First seen:2026-01-19 05:20:53 UTC
Last seen:2026-01-19 06:20:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 20dd26497880c05caed9305b3c8b9109 (31 x Adware.Auslogics, 23 x HijackLoader, 5 x Adware.IObit)
ssdeep 24576:q86avqKNIYzqm6LK3ueFdsI5syjSUY4pv1LNdYryu:4aIY+m67eXsI5jZY4pviF
TLSH T161452203B3CB1432F4991D369D61C404AEA77DF91DF6A01A2CB8D60E0ABD5D69C737A2
TrID 70.9% (.EXE) Inno Setup installer (107240/4/30)
9.3% (.EXE) Win32 Executable Delphi generic (14182/79/4)
6.9% (.EXE) Win64 Executable (generic) (10522/11/4)
4.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
2.9% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon b298acbab2ca7a72 (2'335 x GCleaner, 1'821 x Socks5Systemz, 67 x RedLineStealer)
Reporter SecuriteInfoCom
Tags:exe

Intelligence


File Origin
# of uploads :
2
# of downloads :
126
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.Win32.Agent.8392.1724
Verdict:
Malicious activity
Analysis date:
2026-01-19 05:21:27 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
93.3%
Tags:
injection dropper sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context embarcadero_delphi evasive expired-cert fingerprint inno installer installer installer-heuristic invalid-signature overlay packed signed
Verdict:
Clean
File Type:
exe x32
First seen:
2025-12-01T19:22:00Z UTC
Last seen:
2026-01-19T05:12:00Z UTC
Hits:
~10
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Threat name:
Win32.Trojan.Generic
Status:
Suspicious
First seen:
2025-12-02 00:36:53 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
5 of 24 (20.83%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery installer persistence privilege_escalation
Behaviour
Suspicious use of WriteProcessMemory
Inno Setup is an open-source installation builder for Windows applications.
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
2247dfe9d3ef409c31d8ec980b6c92c78aa4f4f31b3de5fe7287d7ac17936f63
MD5 hash:
0d5d3e1896b4f842041ba17cbe63aa14
SHA1 hash:
10d1f425a8cb44c7c48d8f42c3003db47682021d
SH256 hash:
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95
MD5 hash:
e4211d6d009757c078a9fac7ff4f03d4
SHA1 hash:
019cd56ba687d39d12d4b13991c9a42ea6ba03da
SH256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
SH256 hash:
8f0beb5863d190b7b2cfe7f506f3b721ab6b9e892337a133364f2ba710931b25
MD5 hash:
be3cc5717f5951662adb399d613f20cc
SHA1 hash:
f776bc4344ad59fbd6950d24d3aa6dddb3df215a
SH256 hash:
a7e37f5314834b163fa21557e61c13c0f202fd64d3c0e46e6c90d2d02e033aec
MD5 hash:
6faec01bf7a3d7f5c5dee2e6e3143a58
SHA1 hash:
603a36f817cab5574e58ab279379e5c112e5fb37
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Rule name:PE_Digital_Certificate
Author:albertzsigovits
Rule name:shellcode
Author:nex
Description:Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 2247dfe9d3ef409c31d8ec980b6c92c78aa4f4f31b3de5fe7287d7ac17936f63

(this sample)

  
Delivery method
Distributed via web download

Comments