MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49fa3fee27b382e936ea7b98b58fd1c24c71f535cbf042f599541bf16fc9c0c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	49fa3fee27b382e936ea7b98b58fd1c24c71f535cbf042f599541bf16fc9c0c5
SHA3-384 hash:	9f2f53002141ee7487f58b6fb03fec8f473aea1a2643360d9e0fd4882bdd47b2a393bd54667fc47342a44fe786a08b03
SHA1 hash:	f9191dd140a2b3816aa77d6e2ab25af157fc58eb
MD5 hash:	3017178715e32e9a49ff1b642496bb22
humanhash:	nitrogen-black-kilo-mars
File name:	Chrome安装.exe
Download:	download sample
File size:	10'910'843 bytes
First seen:	2025-12-15 18:02:47 UTC
Last seen:	2025-12-16 21:26:44 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	d221b1dc8c3a08622f6512e7876527c8 (14 x ValleyRAT, 6 x DonutLoader, 3 x ZhongStealer)
ssdeep	196608:ClY3IqAU9Uzv2k4tuqaq27pL1ytZklYTKd27+VTdcU7Ur+gU:CyhAPzv2k4tuqX0pL1zlYJCTgU
TLSH	T176B6332E80AB933FE7C9AD7175AF5D4E80FA573237B260096EA133E46671B57F140920
TrID	40.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 16.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 12.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 11.0% (.EXE) Win32 Executable (generic) (4504/4/1) 5.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
dhash icon	e863eae6b696c6ee (2 x AsyncRAT, 2 x SnakeKeylogger, 2 x Neshta)
Reporter	Ling
Tags:	exe Trojan:Win32/Malgent!MSR

CNGaoLing

This sample has been analyzed by Microsoft researchers and determined to be malware.

Intelligence

File Origin

# of uploads :

# of downloads :

129

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

_49fa3fee27b382e936ea7b98b58fd1c24c71f535cbf042f599541bf16fc9c0c5.exe

Verdict:

Malicious activity

Analysis date:

2025-12-15 18:11:18 UTC

Tags:

auto-reg

Link:

https://app.any.run/tasks/2dabae0a-6655-4de1-8fa5-275b1a8a392d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/45126/

Detection(s):

SecuriteInfo.com.TR.Dldr.Adload.DM.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69404d6fcacd1005450d832f

Tags:

shellcode dropper madi sage

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a file

Сreating synchronization primitives

Creating a window

Searching for synchronization primitives

Creating a file in the %AppData% directory

Creating a process from a recently created file

Creating a file in the Program Files subdirectories

Deleting a recently created file

Running batch commands

Creating a process with a hidden window

Creating a service

Moving a file to the Program Files subdirectory

Launching a service

Moving a recently created file

Searching for the window

Searching for analyzing tools

Enabling the 'hidden' option for recently created files

DNS request

Connection attempt

Sending a custom TCP request

Searching for many windows

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Launching a process

Loading a suspicious library

Launching the default Windows debugger (dwwin.exe)

Enabling autorun for a service

Enabling autorun by creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

installer installer installer-heuristic microsoft_visual_cc overlay overlay packed

Link:

https://www.filescan.io/uploads/69404d66e126b9ff4380f5b4/reports/341f2e8b-b11d-4b39-9d4d-dd5e8822be67/overview

Verdict:

Suspicious

Labled as:

TR/Malware

Link:

https://www.hybrid-analysis.com/sample/49fa3fee27b382e936ea7b98b58fd1c24c71f535cbf042f599541bf16fc9c0c5

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-12-15T08:35:00Z UTC

Last seen:

2025-12-16T23:00:00Z UTC

Hits:

~10

Detections:

Trojan.Win32.AntiAV.dczd Trojan.Win32.Agent.sb Backdoor.Win32.Zegost.sb Trojan-Dropper.Win32.Dapato.shjq Trojan.Win32.Shellcode.sb Trojan.Win32.RokRat.sb Trojan.Win32.Mansabo.sb Trojan.Win32.AntiAV.dcze Trojan.MSIL.Donut.sb Trojan.MSIL.Crypt.sb PDM:Trojan.Win32.Generic Trojan.Win32.Gatak.sb Trojan.Win32.AntiAV.sb

Link:

https://opentip.kaspersky.com/49fa3fee27b382e936ea7b98b58fd1c24c71f535cbf042f599541bf16fc9c0c5/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/88c4b16b-1558-4597-8523-f8a56b156176

Score:

24%

Verdict:

Benign

File Type:

Link:

https://malprob.io/report/49fa3fee27b382e936ea7b98b58fd1c24c71f535cbf042f599541bf16fc9c0c5

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/3017178715e32e9a49ff1b642496bb22

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/49fa3fee27b382e936ea7b98b58fd1c24c71f535cbf042f599541bf16fc9c0c5/

Verdict:

Malicious

Threat:

Trojan.Win32.AntiAV

Link:

https://tip.neiki.dev/file/49fa3fee27b382e936ea7b98b58fd1c24c71f535cbf042f599541bf16fc9c0c5

Threat name:

Win32.Trojan.Malgent

Status:

Malicious

First seen:

2025-12-15 16:54:53 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

9 of 38 (23.68%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jh5d73rhwobosnxkpomlld6ryjghd5jvzpyef5mzkqn7c36jydcq._file

Result

Malware family:

n/a

Score:

8/10

Tags:

defense_evasion discovery installer persistence privilege_escalation spyware stealer trojan

Link:

https://tria.ge/reports/251215-wm6pxayncn/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies data under HKEY_USERS

Modifies registry class

Runs ping.exe

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Inno Setup is an open-source installation builder for Windows applications.

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

System Time Discovery

Drops file in Program Files directory

Drops file in Windows directory

Drops file in System32 directory

Checks installed software on the system

Checks whether UAC is enabled

Checks computer location settings

Event Triggered Execution: Component Object Model Hijacking

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Boot or Logon Autostart Execution: Active Setup

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/b1c54e78-7bd4-4314-8642-537446a51658

Unpacked files

SH256 hash:

49fa3fee27b382e936ea7b98b58fd1c24c71f535cbf042f599541bf16fc9c0c5

MD5 hash:

3017178715e32e9a49ff1b642496bb22

SHA1 hash:

f9191dd140a2b3816aa77d6e2ab25af157fc58eb

Link:

https://www.unpac.me/results/fabc570a-4df1-429d-b254-a693a85d27eb/

SH256 hash:

c71157feef6a26010012f77f51ffa0a2c06d29683a264b856efbe979e19bee7d

MD5 hash:

ebbd3d4ec3a64e98e7cb701b1bf7b232

SHA1 hash:

c9975e6a5770c5f6e9bae07b55bfa07a324cf116

Link:

https://www.unpac.me/results/fabc570a-4df1-429d-b254-a693a85d27eb/

SH256 hash:

31e5837f81c3969499f8f374ef127b91d592196dab2925a8fd1dee75cba2d900

MD5 hash:

2667c6bdd04454f0c45c3a1bfab17e72

SHA1 hash:

66899c8653150af2904239be51bbf57394103e23

Link:

https://www.unpac.me/results/fabc570a-4df1-429d-b254-a693a85d27eb/

SH256 hash:

8295b85989419cda87c98838969eb260f94ead3f6b767017bcbf2a8c8581ac40

MD5 hash:

8bbc879ec6df1bb521bb661c8d0f4757

SHA1 hash:

0f3bf5fe416a92aaf1176f07d9dfddf554227709

Link:

https://www.unpac.me/results/fabc570a-4df1-429d-b254-a693a85d27eb/

SH256 hash:

005c251c21d6a5ba1c3281e7b9f3b4f684d007e0c3486b34a545bb370d8420aa

MD5 hash:

d3f8c0334c19198a109e44d074dac5fd

SHA1 hash:

167716989a62b25e9fcf8e20d78e390a52e12077

Link:

https://www.unpac.me/results/fabc570a-4df1-429d-b254-a693a85d27eb/

SH256 hash:

d6f3429b8ffe80e1bc023de22bc23d9b4d384d89a9b22db51aa27c804581642d

MD5 hash:

7b97f7a822f0f4f54c54b8ef92aaf09a

SHA1 hash:

d0916590b36d8e0507b6722449d7ffd2187498a6

Link:

https://www.unpac.me/results/fabc570a-4df1-429d-b254-a693a85d27eb/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/49fa3fee27b382e936ea7b98b58fd1c24c71f535cbf042f599541bf16fc9c0c5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 49fa3fee27b382e936ea7b98b58fd1c24c71f535cbf042f599541bf16fc9c0c5

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/45126/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample