MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44b6aceca9302e75538237faf85946c7833c28e290de8941e50c72e6310e043a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	44b6aceca9302e75538237faf85946c7833c28e290de8941e50c72e6310e043a
SHA3-384 hash:	7e0b3852220611f492446d959fe2f9e8b3fdcca4db5b8d879937b90c4985f37df5a7203c3854f7502158d03a38d10f56
SHA1 hash:	d77d9035f7572402b428c275cce64149f6616507
MD5 hash:	d0f9bcc531924ab206b7d39b4f5e5cd9
humanhash:	kentucky-eighteen-whiskey-london
File name:	Reader_en_install.exe
Download:	download sample
File size:	76'020'352 bytes
First seen:	2026-03-28 10:27:41 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b5d3ce44460b794187f3e238adc502a4 (1 x SalatStealer)
ssdeep	393216:446Mb5vrfwR48vaVWacyWaceWac+WacpWaceWac305FBdkUlGwd/qj0lc2lhbG83:LmRXqFNXQjdlqQLlUqtWmVvJpXFUSI01
Threatray	1'816 similar samples on MalwareBazaar
TLSH	T1FCF7BE15E3E84716E52FC2BDC563C113D6B1B8971712D7CF0414EA992F63BD2AB3A222
TrID	29.5% (.EXE) Win64 Executable (generic) (6522/11/2) 22.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 20.3% (.EXE) Win32 Executable (generic) (4504/4/1) 9.1% (.EXE) OS/2 Executable (generic) (2029/13) 9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
dhash icon	4db292f2d88cb40b (26 x DarkTortilla, 17 x AgentTesla, 15 x RemcosRAT)
Reporter	zhuzhu0009
Tags:	exe signed

Code Signing Certificate

Organisation:	Juan Benavidez
Issuer:	Microsoft ID Verified CS EOC CA 01
Algorithm:	sha384WithRSAEncryption
Valid from:	2026-03-24T13:39:19Z
Valid to:	2026-03-27T13:39:19Z
Serial number:	3300079ebc390dfe053b615058000000079ebc
Cert Graveyard Blocklist:	This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:	SHA256
Thumbprint:	ee411a8ba39f136f04cf7e39a783b933cdc185fb17376cd30b4c1e48d25904ba
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

163

Origin country :

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/6c5aad44-fa0e-4f47-9967-30912957bcc9/

Malware family:

n/a

ID:

File name:

_44b6aceca9302e75538237faf85946c7833c28e290de8941e50c72e6310e043a.exe

Verdict:

Malicious activity

Analysis date:

2026-03-28 10:31:04 UTC

Tags:

screenconnect rmm-tool tool remote amsi-bypass upx rat

Link:

https://app.any.run/tasks/59663e5a-a64c-44b8-9a9e-84b5eb717819

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

81.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69c7ad53aacb4c376b150638

Tags:

malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Launching a process

Creating a window

Сreating synchronization primitives

Creating a file

Searching for the window

Modifying a system file

DNS request

Loading a suspicious library

Creating a file in the Windows subdirectories

Creating a file in the Program Files subdirectories

Creating a service

Launching a service

Searching for synchronization primitives

Possible injection to a system process

Enabling autorun with the shell\open\command registry branches

Enabling autorun

Enabling autorun for a service

Unauthorized injection to a recently created process

Verdict:

Suspicious

Labled as:

Win64/Inoci.A trojan

Link:

https://www.hybrid-analysis.com/sample/44b6aceca9302e75538237faf85946c7833c28e290de8941e50c72e6310e043a

Verdict:

Malicious

File Type:

exe x64

First seen:

2026-03-28T12:47:00Z UTC

Last seen:

2026-03-28T16:56:00Z UTC

Hits:

~100

Detections:

Trojan.Win64.Agent.smfwbq

Link:

https://opentip.kaspersky.com/44b6aceca9302e75538237faf85946c7833c28e290de8941e50c72e6310e043a/results?tab=lookup

Score:

11%

Verdict:

Benign

File Type:

Link:

https://malprob.io/report/44b6aceca9302e75538237faf85946c7833c28e290de8941e50c72e6310e043a

Gathering data

Verdict:

Malicious

Threat:

Family.SCREENCONNECT

Link:

https://tip.neiki.dev/file/44b6aceca9302e75538237faf85946c7833c28e290de8941e50c72e6310e043a

Threat name:

Win64.Trojan.Kepavll

Status:

Malicious

First seen:

2026-03-28 10:28:33 UTC

File Type:

PE+ (Exe)

Extracted files:

728

AV detection:

9 of 38 (23.68%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=is3kz3fjgaxhku4cg75pqwkgy6btykhcsdpisqpfbrzommioaq5a._file

Verdict:

malicious

Label(s):

admintool_screenconnect

38ca5502ef30e39e5fe5ba65869f742f62991264ab92f70d3fcefc7a13635bdc

ab4e3cdb02791dda97abd220f89cd5e9f0ba404d48b87e17213a526674729abf

ba6cffff4ea8e18385f54a24744dd905fd74559c1b8f67f2533f0d8f5343b2e0

d09a41581c732f175b4017608a74afd636cc32bde5f56e3d9bd1ca53ef6ec29c

e2d1fa5b50b501c93c023164b6028f2d0d91af22319f3ee1d1774a9542c9d3d8

eec055cd2c0283367e4e536838022313df2694d6b4a3ddebb0ba416ab993845d

error

f7f60297c829073dc411d02d34c5eb89329a12ec90c2b13819071a9ba596f5e0

+ 1'806 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

backdoor discovery persistence privilege_escalation rat revoked_codesign upx

Link:

https://tria.ge/reports/260328-mhtp4sbt3n/

Behaviour

Checks processor information in registry

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Drops file in Windows directory

Executes dropped EXE

Loads dropped DLL

Boot or Logon Autostart Execution: Authentication Package

Checks computer location settings

Drops file in System32 directory

Event Triggered Execution: Component Object Model Hijacking

UPX packed file

Enumerates connected drives

ConnectWise ScreenConnect remote access tool

Sets service image path in registry

Signed with revoked ConnectWise certificate

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample