MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 46f80202239f2bd08b40893b5bf05bf259a5f3bdf6a60b511b17cdb4518959db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 46f80202239f2bd08b40893b5bf05bf259a5f3bdf6a60b511b17cdb4518959db
SHA3-384 hash: d8795e3c633d31f928448162c63c67d0689ba83a78b3510c2dcd38722193844aafa951628ecb2dd2fd898f24c315ffda
SHA1 hash: f79ae4ff316d212c248697a6cde61afe5ab3ef13
MD5 hash: d778010caf740fe9d00e9e9bca6869b0
humanhash: wolfram-lithium-red-dakota
File name:file
Download: download sample
File size:14'363'811 bytes
First seen:2026-05-24 07:15:29 UTC
Last seen:2026-05-24 13:43:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 88016fcdef7f227c62171d0afad9aae4 (8 x OffLoader, 8 x ValleyRAT, 3 x Gh0stRAT)
ssdeep 98304:E5/cWtBbvUT3AlpQ98YSO8EKkPkdOfGBAwUA2MZGlgcDMplk92:gPvUT3AlkPLfobK392
Threatray 1'462 similar samples on MalwareBazaar
TLSH T146E602FBAE4B753EE06A1A353672923C543B7E6164164C4696F2F84CCF360701E3E686
TrID 61.4% (.EXE) Inno Setup installer (107240/4/30)
23.8% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
3.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.7% (.EXE) Win64 Executable (generic) (6522/11/2)
2.5% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 34f6c6dc58d8d063 (1 x Vidar, 1 x OffLoader)
Reporter Bitsight
Tags:a dropped-by-gcleaner exe MIX10.file


Avatar
Bitsight
url: http://158.94.209.95/service

Intelligence

File Origin
# of uploads :
5
# of downloads :
152
Origin country :
US US
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/21e383be-f2fd-4815-be44-345d8c81e949/
Malware family:
n/a
ID:
1
File name:
_46f80202239f2bd08b40893b5bf05bf259a5f3bdf6a60b511b17cdb4518959db.exe
Verdict:
Malicious activity
Analysis date:
2026-05-24 07:18:39 UTC
Tags:
delphi inno installer telegram upx stealer maskgram
Link:
https://app.any.run/tasks/f3e617ca-27bf-41ff-be82-c1a022d14425

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/67742/
Detection(s):
SecuriteInfo.com.Variant.Application.Cerbu.78423-1.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a12a59a98070a72bb9d7837
Tags:
dropper delphi virus
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
DNS request
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context embarcadero_delphi expand fingerprint inno installer installer installer-heuristic lolbin packed reconnaissance
Link:
https://www.filescan.io/uploads/6a12a5c9c9d535126e0397a6/reports/25acdd0e-bf98-470d-bbd6-eed96dc49a21/overview
Verdict:
Suspicious
Labled as:
TrojanDldr.OffLoader.gen
Link:
https://www.hybrid-analysis.com/sample/46f80202239f2bd08b40893b5bf05bf259a5f3bdf6a60b511b17cdb4518959db
Verdict:
Unknown
File Type:
exe x32
Link:
https://opentip.kaspersky.com/46f80202239f2bd08b40893b5bf05bf259a5f3bdf6a60b511b17cdb4518959db/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/2a560be0-d54f-47f1-85b6-4b3ffc4b14f6
Score:
67%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/46f80202239f2bd08b40893b5bf05bf259a5f3bdf6a60b511b17cdb4518959db
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/d778010caf740fe9d00e9e9bca6869b0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/46f80202239f2bd08b40893b5bf05bf259a5f3bdf6a60b511b17cdb4518959db/
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/46f80202239f2bd08b40893b5bf05bf259a5f3bdf6a60b511b17cdb4518959db
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i34aeardt4v5bc2are5vx4c36jm2l45562tawui3c7g3iumjlhnq._file
Verdict:
malicious
Label(s):
shellcode_loader_008
Create hunting rule
Similar samples:
084c4628027cd8896bc9144f36388739f98577f38f0bace678dc03a6d3db75b1
562cfdeae9adc7a27558e5e0a2b1e2a3d8cecf55e1e07ae1224634c2fea86fdd
932620b4b6f1d2336b6bbb6e11ad85391cce459db49552dfeef86fb5504acf03
b7a4969bc7371a7092120861e6c1b6c165dfccb1d8297548a239c4a847842062
e305dd6aac5fd8399fd390b9a99dd0f6395689eb542bdd3016abf2b9b54cbffd
error
+ 1'452 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery installer
Link:
https://tria.ge/reports/260524-h32t1acv51/
Behaviour
Suspicious use of WriteProcessMemory
Inno Setup is an open-source installation builder for Windows applications.
System Location Discovery: System Language Discovery
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
46f80202239f2bd08b40893b5bf05bf259a5f3bdf6a60b511b17cdb4518959db
MD5 hash:
d778010caf740fe9d00e9e9bca6869b0
SHA1 hash:
f79ae4ff316d212c248697a6cde61afe5ab3ef13
Link:
https://www.unpac.me/results/f16c1cc2-eb0b-40a1-adc2-c75ad954f8d8/
SH256 hash:
131285d9d4b001fd9bfcb8af216419dfdaf894a4cae05882abd3bc684575d224
MD5 hash:
55a0ac485064eae24e0188e0c8d17205
SHA1 hash:
27b9c3a0fb7a4b7cbbb237abff19a17523d3bd27
Link:
https://www.unpac.me/results/f16c1cc2-eb0b-40a1-adc2-c75ad954f8d8/
SH256 hash:
cde64d869079eae74b397fc23144d9f2ec5819fe34494ab3dd11835a690d3957
MD5 hash:
99e45f67135ac0ba260fe1e151da338f
SHA1 hash:
fae5e4fe1a9c632ab70bcf45ac0c4e5658783439
Link:
https://www.unpac.me/results/f16c1cc2-eb0b-40a1-adc2-c75ad954f8d8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/46f80202239f2bd08b40893b5bf05bf259a5f3bdf6a60b511b17cdb4518959db

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 46f80202239f2bd08b40893b5bf05bf259a5f3bdf6a60b511b17cdb4518959db

(this sample)

  
Dropped by
Gcleaner
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/67742/
  
URLhaus
https://urlhaus.abuse.ch/url/3852365/

Comments