MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c48f798b6580ed54a0d46bffe344ae35e1de3db5530d9e6072a92eee47fafc6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 14

Intelligence 14 IOCs YARA 8 File information Comments

SHA256 hash:	5c48f798b6580ed54a0d46bffe344ae35e1de3db5530d9e6072a92eee47fafc6
SHA3-384 hash:	2cd3686850b7e00faf4ce9cdf9c783130493c8dbb1d3e57548fa68b78831f0feebaf3fca74e9f68b64d2843b03e2a6e0
SHA1 hash:	d0d59fe87656a76cbe75c8a88783d3f2bf671c1c
MD5 hash:	c7b32ad40a1b34c58bdcd3f14d857f03
humanhash:	foxtrot-texas-carolina-oklahoma
File name:	ddttd.exe
Download:	download sample
File size:	577'536 bytes
First seen:	2025-08-02 22:43:42 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d07ceea26efcabf316b227419fac7b6e
ssdeep	12288:f1LU0ZhUboNAwQkWWPpmw1UEqh/BOLsdtqPaO:tLUghUENAw/WO1jqpBOLVPaO
TLSH	T171C412740BBCDE51D10691FCA02B5B44E43EEE1182BF7C39A4593CAAA9B57D7BE52003
TrID	68.2% (.EXE) UPX compressed Win32 Executable (27066/9/6) 11.3% (.EXE) Win32 Executable (generic) (4504/4/1) 5.2% (.EXE) Win16/32 Executable Delphi generic (2072/23) 5.1% (.EXE) OS/2 Executable (generic) (2029/13) 5.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
dhash icon	e89a6968696992e8 (1 x ValleyRAT)
Reporter	aachum
Tags:	45-145-7-134 exe

iamaachum

http://45.145.7.134/ups/ddttd.exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

_eba876c8a85b5a91bfc2b0ee690e6969021f3d3f97388d447c901de310a24205.exe

Verdict:

Malicious activity

Analysis date:

2025-08-02 14:35:39 UTC

Tags:

loader wmi-base64 pastebin auto-reg evasion stealer

Link:

https://app.any.run/tasks/5db9c244-c53b-4a69-a681-6a1831f36b20

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/18497/

Detection(s):

Win.Malware.Msilperseus-9807948-0

Win.Malware.Ursu-9937395-0

PUA.Win.Virus.Rdpwrap-6793227-0

Verdict:

Clean

Score:

82.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=688e94c70b4775fb21354d0d

Tags:

n/a

Result

Verdict:

Malware

Maliciousness:

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

borland_delphi fingerprint fingerprint lolbin netsh overlay packed packed packed upx zero

Link:

https://www.filescan.io/uploads/688e94c59dbaf6e4b2211bd4/reports/ac7ca11e-ee61-4622-a4b3-e2b64b42e9c3/overview

Verdict:

Malicious

Labled as:

RDPWrap.A potentially unsafe application

Link:

https://www.hybrid-analysis.com/sample/5c48f798b6580ed54a0d46bffe344ae35e1de3db5530d9e6072a92eee47fafc6

Malware family:

RDPWrap

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/615897a3-8c3e-454f-b28f-7ca6148d1eb1

Result

Threat name:

RDPWrap Tool

Detection:

malicious

Classification:

spre

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/1749220

Signature

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected RDPWrap Tool

Behaviour

Behavior Graph:

Download SVG

Score:

74%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/5c48f798b6580ed54a0d46bffe344ae35e1de3db5530d9e6072a92eee47fafc6

Verdict:

inconclusive

YARA:

3 match(es)

Tags:

Executable PE (Portable Executable) Win 32 Exe x86

Link:

https://app.malva.re/file/c7b32ad40a1b34c58bdcd3f14d857f03

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5c48f798b6580ed54a0d46bffe344ae35e1de3db5530d9e6072a92eee47fafc6/

Verdict:

Malicious

Threat:

RemoteAdmin.Win32.RDPWrap

Link:

https://tip.neiki.dev/file/5c48f798b6580ed54a0d46bffe344ae35e1de3db5530d9e6072a92eee47fafc6

Threat name:

Win32.Malware.Heuristic

Status:

Malicious

First seen:

2025-07-07 15:22:50 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 38 (60.53%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lreppgfwlahnksqni2774nck4npb3y63kuyntzqhfkjo5zd7v7da._file

Result

Malware family:

n/a

Score:

5/10

Tags:

discovery upx

Link:

https://tria.ge/reports/250802-2nyzcaxpz7/

Behaviour

System Location Discovery: System Language Discovery

UPX packed file

Verdict:

Malicious

Tags:

Win.Malware.Msilperseus-9807948-0

YARA:

n/a

Link:

https://app.threat.zone/submission/2fd427a4-ad60-4629-8d84-f156e9f9739c

Unpacked files

SH256 hash:

5c48f798b6580ed54a0d46bffe344ae35e1de3db5530d9e6072a92eee47fafc6

MD5 hash:

c7b32ad40a1b34c58bdcd3f14d857f03

SHA1 hash:

d0d59fe87656a76cbe75c8a88783d3f2bf671c1c

Link:

https://www.unpac.me/results/613adc1c-2e02-4414-8363-10bede8b0298/

SH256 hash:

63fb201040002775e6ef6f836a8f0f4d94324fc299c0f9bc1f17a97c6bb24552

MD5 hash:

5505592313b74f2e2c8727837750f66d

SHA1 hash:

d0394cf350090ba4fc68c7e12fd806881b0c42e0

Link:

https://www.unpac.me/results/613adc1c-2e02-4414-8363-10bede8b0298/

SH256 hash:

798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

MD5 hash:

461ade40b800ae80a40985594e1ac236

SHA1 hash:

b3892eef846c044a2b0785d54a432b3e93a968c8

Detections:

RDPWrap

potential_termserv_dll_replacement

Link:

https://www.unpac.me/results/613adc1c-2e02-4414-8363-10bede8b0298/

Parent samples :

ac91b2a2db1909a2c166e243391846ad8d9ede2c6fcfd33b60acf599e48f9afc
4aa18745a5fddf7ec14adaff3ad1b4df1b910f4b6710bf55eb27fb3942bb67de
663bb8fd085cf61f0204f2f5a9cbed5c5d1eb08aebbb6dbb47702c328b44c3e2
fc16a364530103595b8d36d6c3e7f00a08bf5783c6860bf63bcdbeb90b6c78f8
f08f77c93c18f55c22c54418b22c4e658d1272f838572a2063796545be6d2015
5c48f798b6580ed54a0d46bffe344ae35e1de3db5530d9e6072a92eee47fafc6

SH256 hash:

6227f1d55541d09d958f83ed94888abc5cbe49bf25e749ef7492cf4f61145f88

MD5 hash:

781d8302ccaddc79fbb2db69aa8153fd

SHA1 hash:

f99dbd938568d85d97579a78da58bac45283915c

Detections:

RDPWrap

potential_termserv_dll_replacement

Link:

https://www.unpac.me/results/613adc1c-2e02-4414-8363-10bede8b0298/

SH256 hash:

4c19d053751a68b30c045119642964268659bf79bd066046c32ddb875ec339eb

MD5 hash:

b52ac2b928342ee016739834af802beb

SHA1 hash:

1d4d62475d6ab667fdbc68a46177b7ae01c2ddeb

Link:

https://www.unpac.me/results/613adc1c-2e02-4414-8363-10bede8b0298/

SH256 hash:

861ad4bbf682b35affda23fab92c8db945f3fa34f78177843c87802d1fd02020

MD5 hash:

9c6a68742ea7abf802940e7f1502e20f

SHA1 hash:

54418c9537830772fc5a7a441867829ec533828f

Detections:

win_infy_auto

RDPWrap

potential_termserv_dll_replacement

Link:

https://www.unpac.me/results/613adc1c-2e02-4414-8363-10bede8b0298/

Parent samples :

SH256 hash:

2f33ed67124a2225104726cb59f001e5ff4d78b0d88a650ced997890b515a73b

MD5 hash:

51b15fc8de1a07851f648ffe4362e5ca

SHA1 hash:

b8215e0a97424eff245eaf196ed4fccd154723b6

Link:

https://www.unpac.me/results/613adc1c-2e02-4414-8363-10bede8b0298/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5c48f798b6580ed54a0d46bffe344ae35e1de3db5530d9e6072a92eee47fafc6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	UPX20030XMarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	UPXv20MarkusLaszloReiser Create hunting rule
Author:	malware-lu

Rule name:	upx_3 Create hunting rule
Author:	Kevin Falcoz
Description:	UPX 3.X

Rule name:	upx_largefile Create hunting rule
Author:	k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 5c48f798b6580ed54a0d46bffe344ae35e1de3db5530d9e6072a92eee47fafc6

(this sample)

Link

https://tria.ge/250802-2lkzpsxpy2/behavioral1

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/18497/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high
CHECK_TRUST_INFO	Requires Elevated Execution (level:requireAdministrator)	high

Reviews

ID	Capabilities	Evidence
WIN_BASE_API	Uses Win Base API	KERNEL32.DLL::LoadLibraryA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample