MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c389fd05c531941417dbceabb2920eeff23035eceb55763e6f68703281dc632. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5c389fd05c531941417dbceabb2920eeff23035eceb55763e6f68703281dc632
SHA3-384 hash: a3542dc16d3644f120fc7fe594215019e01126da1154d21c98fed32d261aead80e70ea02d998a716a86730d57a48dc01
SHA1 hash: c53e4095a71adea58664c1ae0c45968d505e4a39
MD5 hash: 94538b4fd6edc01124f3ceaea159a897
humanhash: london-early-solar-golf
File name:baghdad.exe
Download: download sample
File size:50'006 bytes
First seen:2026-01-29 20:53:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 1536:7iZU91Rzv4f/+LHgmpoM4sXJU4Romu/+ncs:7iezvrL9oMXJU45is
TLSH T13B23CF1372C48877EA961A310977D77ACBBBCA1001115AA34BA47F7F6E31243DE1B685
TrID 92.7% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
1.1% (.EXE) Win64 Executable (generic) (10522/11/4)
0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
Reporter aachum
Tags:dropped-by-OffLoader exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
119
Origin country :
ES ES
Vendor Threat Intelligence
Malware configuration found for:
NSIS
Details
Link:
https://research.acce.ciphertechsolutions.com/results/21371def-b4e9-4e16-ae45-658477eee00c/
Malware family:
n/a
ID:
1
File name:
BIGFILMS 8211 INFERNO Pack Create Epic Blockbuster Scenes.exe
Verdict:
Malicious activity
Analysis date:
2026-01-29 20:29:19 UTC
Tags:
auto generic adware loader stealer offloader rust purelogs susp-powershell websocket python arch-exec arch-doc netreactor
Link:
https://app.any.run/tasks/5e571b8b-c90e-459e-9f15-0b429cb510ac

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.TR.Dldr.Adload.86010.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=697bc9086fa3eed165306884
Tags:
injection obfusc sage
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug blackhole installer installer installer-heuristic microsoft_visual_cc nsis soft-404
Link:
https://www.filescan.io/uploads/697bc905930564ff3c7d0ce3/reports/d3f34d46-5052-49cb-8cb7-a7398bd7fab3/overview
Verdict:
Malicious
Labled as:
Malware_53.7
Link:
https://www.hybrid-analysis.com/sample/5c389fd05c531941417dbceabb2920eeff23035eceb55763e6f68703281dc632
Verdict:
Clean
File Type:
exe x32
First seen:
2026-01-29T19:01:00Z UTC
Last seen:
2026-01-29T22:41:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/5c389fd05c531941417dbceabb2920eeff23035eceb55763e6f68703281dc632/results?tab=lookup
Malware family:
NSIS
Create hunting rule
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/58120911-08e2-4397-a433-4cdcaf84df8c
Result
Threat name:
n/a
Detection:
suspicious
Classification:
n/a
Score:
25 / 100
Link:
https://www.joesandbox.com/analysis/1860132
Signature
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 process2 2 Behavior Graph ID: 1860132 Sample: baghdad.exe Startdate: 29/01/2026 Architecture: WINDOWS Score: 25 6 baghdad.exe 11 2->6         started        file3 14 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 6->14 dropped 16 Uses schtasks.exe or at.exe to add and modify task schedules 6->16 10 schtasks.exe 1 6->10         started        signatures4 process5 process6 12 conhost.exe 10->12         started       
Score:
50%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/5c389fd05c531941417dbceabb2920eeff23035eceb55763e6f68703281dc632
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5c389fd05c531941417dbceabb2920eeff23035eceb55763e6f68703281dc632/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lq4j7uc4kmmucql5xtvlwkja537sga26z22voy7g62dqgka5yyza._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery execution installer persistence
Link:
https://tria.ge/reports/260129-zp3mtaf13a/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Loads dropped DLL
Unpacked files
SH256 hash:
5c389fd05c531941417dbceabb2920eeff23035eceb55763e6f68703281dc632
MD5 hash:
94538b4fd6edc01124f3ceaea159a897
SHA1 hash:
c53e4095a71adea58664c1ae0c45968d505e4a39
Link:
https://www.unpac.me/results/c9b0d089-bb02-4ffc-b4aa-bc9e05b7342b/
SH256 hash:
f8c6e4000975f27b565eecf73cd8a19340d9281c670e7cab75518bced2369544
MD5 hash:
5137ef4f6790d1750919bf86c2be8fa2
SHA1 hash:
9ce5e9c5cc9846ca2ca853126a1a0f912f420806
Link:
https://www.unpac.me/results/c9b0d089-bb02-4ffc-b4aa-bc9e05b7342b/
SH256 hash:
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
MD5 hash:
acc2b699edfea5bf5aae45aba3a41e96
SHA1 hash:
d2accf4d494e43ceb2cff69abe4dd17147d29cc2
Link:
https://www.unpac.me/results/c9b0d089-bb02-4ffc-b4aa-bc9e05b7342b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5c389fd05c531941417dbceabb2920eeff23035eceb55763e6f68703281dc632

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_SliverFox_String
Create hunting rule
Author:huoji
Description:Detect files is `SliverFox` malware
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 5c389fd05c531941417dbceabb2920eeff23035eceb55763e6f68703281dc632

(this sample)

  
Link
https://tria.ge/260129-zff3fsfx3d/behavioral1
  
Dropped by
OffLoader
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/50748/

Comments