MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5834d20cfc80f6fe20514b7a1e3e9764765aa3f548e2874504e9d26345f80560. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 15


Intelligence 15 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5834d20cfc80f6fe20514b7a1e3e9764765aa3f548e2874504e9d26345f80560
SHA3-384 hash: 25f92315be83169fcfec4647d9f7c8a961238d0aef78ad04ff348467c7af234ea2179ccb1fdab373aeeae531cc87b717
SHA1 hash: efddcaf39f7d594fec890fa16ac1bdad861a20ed
MD5 hash: 537aa066a497005e6a0b116a58b91097
humanhash: single-moon-batman-mars
File name:537aa066a497005e6a0b116a58b91097.exe
Download: download sample
File size:13'094'664 bytes
First seen:2025-12-09 20:15:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e8ac1646024d52d1534a88da2e8037cd (9 x OffLoader, 9 x HijackLoader, 7 x ValleyRAT)
ssdeep 196608:EDbhYeaCneKyk6caXYbca6oV0wsEp+Ra/4Ky3ylp1h9DCrtwW84PdjOPCrNn:EDm3sBkcpHLmws3IBX1hVC9FOarNn
TLSH T118D62327B24D773EE4BE16354972AA44543FBE60A41A8CB396F41D8CDE3E4601D3EE06
TrID 60.0% (.EXE) Inno Setup installer (107240/4/30)
23.2% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
5.8% (.EXE) Win64 Executable (generic) (10522/11/4)
3.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
2.5% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter smica83
Tags:exe signed Wenzhou-Feixun-Internet-Technology-Co-Ltd

Code Signing Certificate

Organisation:Wenzhou Feixun Internet Technology Co., Ltd.
Issuer:Sectigo Public Code Signing CA EV R36
Algorithm:sha256WithRSAEncryption
Valid from:2025-11-25T00:00:00Z
Valid to:2026-11-25T23:59:59Z
Serial number: d5ac27bd4f6fdf41bd91c2162eb343e1
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Graveyard Blocklist:This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:SHA256
Thumbprint: dbfe27179b70a85c063975612322d1890c151f918fb5c46033c9fcac844dabe1
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
135
Origin country :
HU HU
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/3caad9f1-9076-46b2-818c-4d675eed14da/
Malware family:
n/a
ID:
1
File name:
537aa066a497005e6a0b116a58b91097.exe
Verdict:
Malicious activity
Analysis date:
2025-12-09 20:16:57 UTC
Tags:
rat zgrat netreactor purehvnc stealer
Link:
https://app.any.run/tasks/09b963ad-c153-4374-a85d-3f51a0c512ca

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/44032/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69388393bde6a3e5970f7ae2
Tags:
shellcode asyncrat dropper spawn
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Moving a file to the %temp% subdirectory
Launching a process
Creating a process with a hidden window
Loading a suspicious library
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending a custom TCP request
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context embarcadero_delphi fingerprint inno installer installer installer-heuristic overlay packed signed
Link:
https://www.filescan.io/uploads/6938838d900ee247e8408208/reports/23f1d69f-c87f-4bc9-9271-08d419b8f06e/overview
Verdict:
Malicious
Labled as:
Backdoor.MSIL.XWorm.gen
Link:
https://www.hybrid-analysis.com/sample/5834d20cfc80f6fe20514b7a1e3e9764765aa3f548e2874504e9d26345f80560
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-09T12:22:00Z UTC
Last seen:
2025-12-11T01:41:00Z UTC
Hits:
~100
Detections:
Trojan.Win32.Shellcode.jhs Trojan.MSIL.Donut.sb Trojan.MSIL.Crypt.sb HEUR:Trojan.Win32.Generic HEUR:Trojan.MSIL.Agent.gen Trojan.Win32.Shellcode.sb
Link:
https://opentip.kaspersky.com/5834d20cfc80f6fe20514b7a1e3e9764765aa3f548e2874504e9d26345f80560/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c1fba584-ac8a-41d9-bc63-fc25c5eba9ee
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
46 / 100
Link:
https://www.joesandbox.com/analysis/1829838
Signature
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal Bitcoin Wallet information
Unusual module load detection (module proxying)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1829838 Sample: mKn4gkovQi.exe Startdate: 09/12/2025 Architecture: WINDOWS Score: 46 41 Suricata IDS alerts for network traffic 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 Joe Sandbox ML detected suspicious sample 2->45 7 mKn4gkovQi.exe 2 2->7         started        10 regsvr32.exe 2->10         started        12 regsvr32.exe 2->12         started        14 3 other processes 2->14 process3 file4 37 C:\Users\user\AppData\...\mKn4gkovQi.tmp, PE32 7->37 dropped 16 mKn4gkovQi.tmp 5 7 7->16         started        19 regsvr32.exe 10->19         started        21 regsvr32.exe 12->21         started        23 regsvr32.exe 14->23         started        25 regsvr32.exe 14->25         started        process5 file6 31 C:\Users\user\AppData\...\is-O82M7.tmp, PE32 16->31 dropped 33 239c4b63_19bc_445e...3626e0bc.dll (copy), PE32 16->33 dropped 35 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 16->35 dropped 27 regsvr32.exe 4 16->27         started        process7 dnsIp8 39 118.107.40.167, 49729, 56001 BCPL-SGBGPNETGlobalASNSG Singapore 27->39 47 System process connects to network (likely due to code injection or exploit) 27->47 49 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 27->49 51 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 27->51 53 4 other signatures 27->53 signatures9
Score:
53%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/5834d20cfc80f6fe20514b7a1e3e9764765aa3f548e2874504e9d26345f80560
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/537aa066a497005e6a0b116a58b91097
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5834d20cfc80f6fe20514b7a1e3e9764765aa3f548e2874504e9d26345f80560/
Verdict:
Malicious
Threat:
Family.ZGRAT
Link:
https://tip.neiki.dev/file/5834d20cfc80f6fe20514b7a1e3e9764765aa3f548e2874504e9d26345f80560
Threat name:
Win32.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-12-09 19:28:01 UTC
File Type:
PE (Exe)
AV detection:
13 of 38 (34.21%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=la2nedh4qd3p4icrjn5b4puxmr3fvi7vjdriorie5hjggrpyavqa._file
Result
Malware family:
n/a
Score:
  4/10
Tags:
discovery installer
Link:
https://tria.ge/reports/251209-y184asay2f/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Inno Setup is an open-source installation builder for Windows applications.
System Location Discovery: System Language Discovery
Executes dropped EXE
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/98801f6a-f408-484c-beed-3685840d1f99
Unpacked files
SH256 hash:
5834d20cfc80f6fe20514b7a1e3e9764765aa3f548e2874504e9d26345f80560
MD5 hash:
537aa066a497005e6a0b116a58b91097
SHA1 hash:
efddcaf39f7d594fec890fa16ac1bdad861a20ed
Link:
https://www.unpac.me/results/fc1562a2-7b78-4ebe-a462-944b81ddabd9/
SH256 hash:
e16b4c8994fe10eb967ae923d96d71a053f11eebed806dd614bc28021daed290
MD5 hash:
8d841d03ade626c840d1e8c59a9c5d6b
SHA1 hash:
b077d881af1cf45cec3b8c5df96dfbda62556343
Link:
https://www.unpac.me/results/fc1562a2-7b78-4ebe-a462-944b81ddabd9/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5834d20cfc80/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5834d20cfc80f6fe20514b7a1e3e9764765aa3f548e2874504e9d26345f80560

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Windows_Generic_Threat_c9003b7b
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/44032/

Comments