MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 446ee928d892a4b8a06a64b86fc1abd9658371239f303edd8819bb2f08a18a4b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 446ee928d892a4b8a06a64b86fc1abd9658371239f303edd8819bb2f08a18a4b
SHA3-384 hash: b6b4166cdaba552e5552748abf01027e0fe07a8a2cc8e508c46105fd366d97e29d9c4033e790f4c9d39ec1ce37c7ae1f
SHA1 hash: bebafa9491389a9265561841c7a964753608cb7e
MD5 hash: b9c1429d4bcb37a6d14a29f49271b713
humanhash: rugby-skylark-wisconsin-july
File name:mpclient.dll
Download: download sample
File size:2'650'171 bytes
First seen:2025-11-04 15:25:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 96ea0a05de9bd8786a471a32a5c6040a (2 x XWorm, 1 x AsyncRAT)
ssdeep 24576:z+cJfeJVxthwuHIy24rIXRuriBnwSPYMRox1WaXJseJ6clMi81s3Adc+zM8f:z+cJfaxthwuH17rIh0OwchOkc+o8f
Threatray 35 similar samples on MalwareBazaar
TLSH T117C51A4359DF0DAACDD677B8A1835336B734FD308B295E3EAA48C23119536C4AE1BB50
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10522/11/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter James_inthe_box
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
90
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
mpclient.dll
Verdict:
No threats detected
Analysis date:
2025-11-04 15:31:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d2d5a5ab-d997-4349-837a-f29bedc09b06

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/35320/
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=690a1b49706befaf4ecbaaab
Tags:
vmdetect
Result
Verdict:
Clean
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug anti-vm anti-vm evasive masquerade mingw overlay overlay packed
Link:
https://www.filescan.io/uploads/690a1b794425b0b1fd14035f/reports/1dd3b8c0-ad10-4c0f-a1b3-cd0cbff26c12/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/446ee928d892a4b8a06a64b86fc1abd9658371239f303edd8819bb2f08a18a4b
Verdict:
Malicious
File Type:
dll x64
First seen:
2025-11-04T12:48:00Z UTC
Last seen:
2025-11-04T13:36:00Z UTC
Hits:
~100
Detections:
Trojan.Win64.DonutInjector.sb Trojan.Win64.Donut.sb Trojan.Win32.Shellcode.sb Trojan.Win32.DLLhijack.sb Trojan.Win32.Agent.sb Backdoor.MSIL.XWorm.b PDM:Trojan.Win32.Generic Backdoor.MSIL.XWorm.fef Trojan.Win64.Agentb.sb Backdoor.Agent.TCP.C&C
Link:
https://opentip.kaspersky.com/446ee928d892a4b8a06a64b86fc1abd9658371239f303edd8819bb2f08a18a4b/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/2c1d8580-1cce-4b40-a16a-5b9099d20dff
Score:
77%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/446ee928d892a4b8a06a64b86fc1abd9658371239f303edd8819bb2f08a18a4b
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/b9c1429d4bcb37a6d14a29f49271b713
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/446ee928d892a4b8a06a64b86fc1abd9658371239f303edd8819bb2f08a18a4b/
Verdict:
Malicious
Threat:
Trojan.MSIL.XWorm
Link:
https://tip.neiki.dev/file/446ee928d892a4b8a06a64b86fc1abd9658371239f303edd8819bb2f08a18a4b
Threat name:
Win64.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-11-04 15:29:46 UTC
File Type:
PE+ (Dll)
AV detection:
19 of 37 (51.35%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=irxoskgyskslridkms4g7qnl3fsyg4jdt4yd5xmidg5s6cfbrjfq._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
donutloader
Create hunting rule
Similar samples:
26d35dab5514132671d904227e1b2306054138b3e84fe04bf6b7af1c0bfe0505
37599b38dcbe50dd01c413d2c5aeccc6582d640cf81ad4eb1f5877ed25c40d5d
664e90e815ce56b91d51e107d0bb76b4bc5e4ae3ff57de6ce99635f6357771b5
72ac8cc42df3b7e913a8424004a82c930388c5dd0641a7200840bae2722f467d
74a40d2f809116abb9da9d754950e8ef484c6344087718d6f12ee36dff4db768
bef599d14222a9eccbebe09377f3a1ccc9e4e5367884c93c9af185c0f41bd335
cedcfe85d91b8e4cc835547efd2d7b761b4aad101f306435a925f708fbcf1037
dcdd29b2d64f816751cec2150be92711e46f67bc657dd930630616f658605cbb
error
f8343679b868073000380e233f32b10a04a9b4f3e28e7eb7bf58107566f9043c
+ 25 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/251104-sv25xact8g/
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6b68d375-7324-4691-b71b-e75b8699f014
Unpacked files
SH256 hash:
446ee928d892a4b8a06a64b86fc1abd9658371239f303edd8819bb2f08a18a4b
MD5 hash:
b9c1429d4bcb37a6d14a29f49271b713
SHA1 hash:
bebafa9491389a9265561841c7a964753608cb7e
Link:
https://www.unpac.me/results/2c87ac2e-de73-4622-8886-df323a482187/
Malware family:
DonutLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/446ee928d892/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/446ee928d892a4b8a06a64b86fc1abd9658371239f303edd8819bb2f08a18a4b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/35320/

Comments