MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30173a37813bdba5d72674321428071f90ed8716c3d57ba625f7311017e090db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 30173a37813bdba5d72674321428071f90ed8716c3d57ba625f7311017e090db
SHA3-384 hash: 4596303ad6f02460b55701f396af712dc1f9a4144d1b37b5bde242d288517b83b09078f035861053de263528145858ce
SHA1 hash: e876771c62b15bfc2094bf874c995f7cd807379f
MD5 hash: 8a5dd01e56114f2996eecb2347f095d9
humanhash: video-moon-coffee-freddie
File name:file
Download: download sample
File size:2'612'736 bytes
First seen:2026-06-27 15:57:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b7e8cfefed3a2b3f4a16e2ad1e6d5ac6
ssdeep 24576:veG2hojUVnlganD8KgZTrgltC2yH8My9bfvt:AojcnF8KgZGC96rv
TLSH T104C5F63B6954B168C01FC1BBD0925B24D83374781772A1E7318C2E5AFA4AECA4EFB751
TrID 51.8% (.EXE) Win64 Executable (generic) (6522/11/2)
16.1% (.EXE) OS/2 Executable (generic) (2029/13)
15.9% (.EXE) Generic Win/DOS Executable (2002/3)
15.8% (.EXE) DOS Executable (generic) (2000/1)
0.2% (.VXD) VXD Driver (29/21)
Magika pebin
dhash icon 385c888c8ce6c5e0
Reporter abuse_ch
Tags:exe upx-dec


Avatar
abuse_ch
UPX decompressed file, sourced from SHA256 3c414f24f823b072019b5ef2bf9ba0bcdb44fed8f4d9793b49dfda55b8ec701e
File size (compressed) :735'744 bytes
File size (de-compressed) :2'612'736 bytes
Format:win64/pe
Packed file: 3c414f24f823b072019b5ef2bf9ba0bcdb44fed8f4d9793b49dfda55b8ec701e

Intelligence

File Origin
# of uploads :
1
# of downloads :
148
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
exe
Verdict:
Suspicious activity
Analysis date:
2026-06-27 16:01:25 UTC
Tags:
auto-startup delphi
Link:
https://app.any.run/tasks/926e8486-3a32-4566-9806-05ec877e12a0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/72223/
Verdict:
Clean
Score:
N/A%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a3ff32a1548daf709fa4e8b
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Connection attempt
Sending a custom TCP request
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug embarcadero_delphi fingerprint packed reconnaissance
Link:
https://www.filescan.io/uploads/6a3ff327e84debbb1b8e09dc/reports/e22250ac-24c9-4c1c-8ffd-da1e43cefa90/overview
Verdict:
Malicious
Labled as:
Malware_
Link:
https://www.hybrid-analysis.com/sample/30173a37813bdba5d72674321428071f90ed8716c3d57ba625f7311017e090db
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/3c9ce6a8-3bca-4860-bce7-9cddb20e3621
Result
Threat name:
n/a
Detection:
clean
Classification:
n/a
Score:
7 / 100
Link:
https://www.joesandbox.com/analysis/1934483
Behaviour
Behavior Graph:
n/a
Score:
63%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/30173a37813bdba5d72674321428071f90ed8716c3d57ba625f7311017e090db
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/30173a37813bdba5d72674321428071f90ed8716c3d57ba625f7311017e090db/
Verdict:
Susipicious
Link:
https://tip.neiki.dev/file/30173a37813bdba5d72674321428071f90ed8716c3d57ba625f7311017e090db
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=galtun4bhpn2lvzgoqzbikahd6io3bywypkxxjrf64yraf7asdnq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
adware persistence ransomware spyware
Link:
https://tria.ge/reports/260627-ter6facs5p/
Behaviour
Checks SCSI registry key(s)
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Enumerates connected drives
Drops startup file
Boot or Logon Autostart Execution: Active Setup
Unpacked files
SH256 hash:
30173a37813bdba5d72674321428071f90ed8716c3d57ba625f7311017e090db
MD5 hash:
8a5dd01e56114f2996eecb2347f095d9
SHA1 hash:
e876771c62b15bfc2094bf874c995f7cd807379f
Link:
https://www.unpac.me/results/a0bf5b4b-93a8-4667-ba01-b1f8c66d9e94/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 3c414f24f823b072019b5ef2bf9ba0bcdb44fed8f4d9793b49dfda55b8ec701e

Executable exe 30173a37813bdba5d72674321428071f90ed8716c3d57ba625f7311017e090db

(this sample)

  
Dropped by
SHA256 3c414f24f823b072019b5ef2bf9ba0bcdb44fed8f4d9793b49dfda55b8ec701e
  
Dropped by
MD5 c1f9600e7537b494cc41ed716585384f
Cape
Cape
https://www.capesandbox.com/analysis/72223/

Comments