MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a6a61a3a8b09b28a9c5aa9673f480f669383f30a8ad5bb2cb7c30f11fb4e955. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5a6a61a3a8b09b28a9c5aa9673f480f669383f30a8ad5bb2cb7c30f11fb4e955
SHA3-384 hash: 8e18adc996aa5ac23e8525d6edf1a7ad8a73c0371f67bace6ecf9b5ac72c5c26030a26d11e96b9c284d971d77bb0bae9
SHA1 hash: ceec6c507d1a9afdc33caab64092942ca4aaeecc
MD5 hash: daac22f8b9e01e77e67a2de8f3a7d6a6
humanhash: happy-october-potato-idaho
File name:Agent_Uninstall.exe
Download: download sample
File size:506'416 bytes
First seen:2025-12-02 08:24:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b1c5b1beabd90d9fdabd1df0779ea832 (11 x CoinMiner, 10 x QuasarRAT, 8 x AsyncRAT)
ssdeep 12288:cCQjgAtAHM+vetZxF5EWry8AJGy0y4O27nsJpk:c5ZWs+OZVEWry8AFBx27nsPk
TLSH T1B4B47D05E7A408F8E0B7EE7989524902E7777C490F618A8F93A567661F733D09E3A331
TrID 92.4% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10522/11/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.7% (.EXE) OS/2 Executable (generic) (2029/13)
0.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter juroots
Tags:exe signed

Code Signing Certificate

Organisation:ConnectWise, LLC
Issuer:DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm:sha256WithRSAEncryption
Valid from:2025-06-10T00:00:00Z
Valid to:2028-06-09T23:59:59Z
Serial number: 04d91ee032dd1a1a4b20e48e75eb2987
Thumbprint Algorithm:SHA256
Thumbprint: ee68aee2fbda27c6d66b9e0546c23a3b31c6588d4861d4ad0f695343f3d53309
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
68
Origin country :
CH CH
Vendor Threat Intelligence
Malware configuration found for:
Archives
Details
Archives
SFX commands and extracted archive contents
Malware family:
n/a
ID:
1
File name:
Agent_Install (1).zip
Verdict:
Malicious activity
Analysis date:
2025-10-07 22:36:35 UTC
Tags:
arch-exec arch-doc screenconnect rmm-tool
Link:
https://app.any.run/tasks/993c293c-359d-4db4-80a7-b09c74f13748

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/42109/
Detection(s):
SecuriteInfo.com.PUA.Tool.BtcMine.2790.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=692ea277264b106bd645e6c0
Tags:
dropper virus sage
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context anti-vm cmd expired-cert explorer fingerprint fingerprint installer installer installutil lolbin microsoft_visual_cc netsh obfuscated overlay overlay reconnaissance regsvr32 sfx signed
Link:
https://www.filescan.io/uploads/692ea2723cf0944cdda8e439/reports/61777781-78be-47be-b0ec-6a2eb9453574/overview
Verdict:
Suspicious
Labled as:
Trojan.Agent
Link:
https://www.hybrid-analysis.com/sample/5a6a61a3a8b09b28a9c5aa9673f480f669383f30a8ad5bb2cb7c30f11fb4e955
Result
Gathering data
Verdict:
Clean
File Type:
PE
First seen:
2025-06-26T04:05:00Z UTC
Last seen:
2025-11-20T22:04:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/5a6a61a3a8b09b28a9c5aa9673f480f669383f30a8ad5bb2cb7c30f11fb4e955/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/162ee578-a679-4d9b-a3b8-5ba0895489d6
Score:
24%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/5a6a61a3a8b09b28a9c5aa9673f480f669383f30a8ad5bb2cb7c30f11fb4e955
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/daac22f8b9e01e77e67a2de8f3a7d6a6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5a6a61a3a8b09b28a9c5aa9673f480f669383f30a8ad5bb2cb7c30f11fb4e955/
Verdict:
Malicious
Threat:
AuxiliaryAnalysis.Malware.Generic
Link:
https://tip.neiki.dev/file/5a6a61a3a8b09b28a9c5aa9673f480f669383f30a8ad5bb2cb7c30f11fb4e955
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ljvgdi5iwcnsrkofvklhh5ea6zutqpzqvcwvxmwlpqypch5u5fkq._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion discovery persistence privilege_escalation trojan
Link:
https://tria.ge/reports/251202-kbgqvsspel/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Checks installed software on the system
Executes dropped EXE
Launches sc.exe
Checks computer location settings
Modifies Windows Firewall
Windows security modification
Windows security bypass
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7e756db4-0e38-4098-a78c-6d004161dd52
Unpacked files
SH256 hash:
5a6a61a3a8b09b28a9c5aa9673f480f669383f30a8ad5bb2cb7c30f11fb4e955
MD5 hash:
daac22f8b9e01e77e67a2de8f3a7d6a6
SHA1 hash:
ceec6c507d1a9afdc33caab64092942ca4aaeecc
Link:
https://www.unpac.me/results/7645f265-a306-4e52-9151-4d305845b01b/
SH256 hash:
35a67f8f3c26622e29571a7108d162a6083da7ed248754a66add77f0b3f6bc87
MD5 hash:
f9fbf9395a6dec8f3c06eb12dd865173
SHA1 hash:
692c59d6699c834de1380d03453003a96266e7c0
Detections:
INDICATOR_RMM_ConnectWise_ScreenConnect_CERT
Create hunting rule
Link:
https://www.unpac.me/results/7645f265-a306-4e52-9151-4d305845b01b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.70
Link:
https://yomi.yoroi.company/submissions/5a6a61a3a8b09b28a9c5aa9673f480f669383f30a8ad5bb2cb7c30f11fb4e955

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/42109/

Comments