MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4442e1b545f0a571af113b0cc7455ecba1a603c81bbf84a52b9e61d332f97233. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4442e1b545f0a571af113b0cc7455ecba1a603c81bbf84a52b9e61d332f97233
SHA3-384 hash: 16217115826ab66836b2e2331ecd06c36aa6a1900cda2b0c053d84ab18cf1d1cfa232a51ed89fe4ae5f8872e271b94e3
SHA1 hash: ddf1c4b68907726b23e07cf8c7388075a9f914f5
MD5 hash: f337757e4dced3d702c5bf6f4f972723
humanhash: diet-north-floor-mississippi
File name:INTIMACAO_2025_006647.exe
Download: download sample
File size:84'464 bytes
First seen:2025-11-19 15:48:35 UTC
Last seen:2025-11-19 18:31:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f4639a0b3116c2cfc71144b88a929cfd (96 x GuLoader, 53 x Formbook, 37 x VIPKeylogger)
ssdeep 1536:XfHLrLkSRoybCQUZsrs0DC1cu66pMdFMkXz8u0GBsoxMLfm:Xfr3k+o5buDC1cu66pMdD4ujLx4+
TLSH T1FE83AD40E660C467ECB2873224361E7669A7BD2A98F0568F176C75243FB73C2A51FB13
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter juroots
Tags:exe signed

Code Signing Certificate

Organisation:ALVES JUNIOR MAQUINAS E EQUIPAMENTOS LTDA
Issuer:GlobalSign GCC R45 EV CodeSigning CA 2020
Algorithm:sha256WithRSAEncryption
Valid from:2025-10-17T21:33:33Z
Valid to:2026-10-18T21:33:33Z
Serial number: 2ee2d41e4bd4cd3c3a3cc9b8
Cert Central Blocklist:This certificate is on the Cert Central blocklist
Thumbprint Algorithm:SHA256
Thumbprint: b8ad950c23d9266fbb3af4dbded813a36f749e3432130b3cb00ac11b360f4f25
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
103
Origin country :
IL IL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
INTIMACAO_2025_006647.exe
Verdict:
Malicious activity
Analysis date:
2025-11-19 15:49:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8daf1a8a-1556-445f-a6b3-96b95575c75a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/38683/
Detection(s):
SecuriteInfo.com.Trojan.Win32.SCTemp.Heur.30469.21944.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=691de73b27c5936d7d0dc99f
Tags:
shell spawn sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Searching for the window
Creating a window
Searching for synchronization primitives
Changing a file
Reading critical registry keys
Moving a recently created file
Replacing files
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug blackhole installer installer installer-heuristic microsoft_visual_cc nsis overlay signed
Link:
https://www.filescan.io/uploads/691de6ff1f57ce8000db8644/reports/8c811572-2c2a-48b6-bd53-40c1a7b94cba/overview
Verdict:
Malicious
Labled as:
Trojan.SCTemp
Link:
https://www.hybrid-analysis.com/sample/4442e1b545f0a571af113b0cc7455ecba1a603c81bbf84a52b9e61d332f97233
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-19T06:38:00Z UTC
Last seen:
2025-11-21T10:04:00Z UTC
Hits:
~100
Detections:
PDM:Trojan.Win32.Generic HEUR:Trojan-Dropper.Win32.Sysn.gen
Link:
https://opentip.kaspersky.com/4442e1b545f0a571af113b0cc7455ecba1a603c81bbf84a52b9e61d332f97233/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/69e5d7db-2840-420c-8e4d-300987f65d51
Score:
65%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/4442e1b545f0a571af113b0cc7455ecba1a603c81bbf84a52b9e61d332f97233
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/f337757e4dced3d702c5bf6f4f972723
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4442e1b545f0a571af113b0cc7455ecba1a603c81bbf84a52b9e61d332f97233/
Verdict:
Malicious
Threat:
Trojan-Dropper.Win32.Sysn
Link:
https://tip.neiki.dev/file/4442e1b545f0a571af113b0cc7455ecba1a603c81bbf84a52b9e61d332f97233
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=irbodnkf6csxdlyrhmgmork6zoq2ma6ido7yjjjltzq5gmxzoizq._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery execution persistence
Link:
https://tria.ge/reports/251119-s9g4aa1qgs/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Adds Run key to start application
Loads dropped DLL
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Malware Config
Dropper Extraction:
https://servidorunico.com/config/token.txt
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e52525ab-8a7f-41d0-9615-3a2e97d20545
Unpacked files
SH256 hash:
4442e1b545f0a571af113b0cc7455ecba1a603c81bbf84a52b9e61d332f97233
MD5 hash:
f337757e4dced3d702c5bf6f4f972723
SHA1 hash:
ddf1c4b68907726b23e07cf8c7388075a9f914f5
Link:
https://www.unpac.me/results/cffc8c49-271c-4779-bf5a-fd9f9c2832ac/
SH256 hash:
993dff08f417b232b65317382ae07faf4414e6b2bfb63b6001688995856c8c15
MD5 hash:
66f51bda6a404fbc54c90098a9e9c854
SHA1 hash:
d84529c2126e7c878f6ac52f7c3c2636c3995dda
Link:
https://www.unpac.me/results/cffc8c49-271c-4779-bf5a-fd9f9c2832ac/
SH256 hash:
23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6
MD5 hash:
192639861e3dc2dc5c08bb8f8c7260d5
SHA1 hash:
58d30e460609e22fa0098bc27d928b689ef9af78
Link:
https://www.unpac.me/results/cffc8c49-271c-4779-bf5a-fd9f9c2832ac/
SH256 hash:
a921cc9cc4af332be96186d60d2539cb413dfa44cfd73e85687f9338505ff85e
MD5 hash:
f8b6dd1f9620be4ef2ad1e81fb6b79fa
SHA1 hash:
f06c8c8650335bace41c8dbe73307cbe4e61b3b1
Link:
https://www.unpac.me/results/cffc8c49-271c-4779-bf5a-fd9f9c2832ac/
SH256 hash:
2cd3a2d4053954db1196e2526545c36dfc138c6de9b81f6264632f3132843c77
MD5 hash:
11092c1d3fbb449a60695c44f9f3d183
SHA1 hash:
b89d614755f2e943df4d510d87a7fc1a3bcf5a33
Link:
https://www.unpac.me/results/cffc8c49-271c-4779-bf5a-fd9f9c2832ac/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4442e1b545f0a571af113b0cc7455ecba1a603c81bbf84a52b9e61d332f97233

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 4442e1b545f0a571af113b0cc7455ecba1a603c81bbf84a52b9e61d332f97233

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/38683/
  
URLhaus
https://urlhaus.abuse.ch/url/3712014/
  
Delivery method
Distributed via web download

Comments