MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5eb2299706493e2a6a3c30c2253ffbf0f644515745035b7f858e5b90d29c5662. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 12

Intelligence 12 IOCs YARA 13 File information Comments

SHA256 hash:	5eb2299706493e2a6a3c30c2253ffbf0f644515745035b7f858e5b90d29c5662
SHA3-384 hash:	6160cc54ee6979dafb4dcd4214f81c34263554bc0e0d01eb2f1c10a18dde0d14fb3f0bdf7896d99b4ff05a77f00753cd
SHA1 hash:	f36aa43580222a3373a5bcd4c926869456116ea8
MD5 hash:	1e8958c95d30456b12539ba4ae90f3a2
humanhash:	arkansas-quebec-summer-robert
File name:	D..e.e.p.L_X64.1.3.exe
Download:	download sample
File size:	77'394'071 bytes
First seen:	2026-01-02 16:44:52 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	46ce5c12b293febbeb513b196aa7f843 (15 x GuLoader, 6 x RemcosRAT, 5 x VIPKeylogger)
ssdeep	1572864:CkcszpioQ6MrZws2K2kC8CjswNQze950nmf/7XPg3F4:C1/oPMiORQNQiLI3F4
Threatray	5 similar samples on MalwareBazaar
TLSH	T17C0833960932D312C59778F8C7AE4BA82B435C373EE9F50F5AC0B41DBB314727A59A06
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	Ling
Tags:	exe Malgent Trojan:Win32/Malgent!MSR

CNGaoLing

This sample has been reviewed by Microsoft researchers and determined to be malware. (Trojan:Win32/Malgent!MSR)

Intelligence

File Origin

# of uploads :

# of downloads :

113

Origin country :

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/0affa65f-2c89-41c5-a9c7-9ebbaa8835aa/

Malware family:

n/a

ID:

File name:

D..e.e.p.L_X64.1.3.exe

Verdict:

Malicious activity

Analysis date:

2026-01-02 16:45:20 UTC

Tags:

python zeroinstall installer roning loader anti-evasion auto-startup arch-exec arch-doc stealer

Link:

https://app.any.run/tasks/2b1fdcfa-997f-4962-a559-7e26ebe620ec

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6957f640e148d42004de86d4

Tags:

cobalt emotet

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/5eb2299706493e2a6a3c30c2253ffbf0f644515745035b7f858e5b90d29c5662

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-01-02T10:27:00Z UTC

Last seen:

2026-01-04T08:49:00Z UTC

Hits:

~100

Detections:

BSS:Trojan.Win32.Generic Trojan.Win32.Agent.sb Trojan.Win64.Loader.dmq Trojan.Win32.PoolInject.sba Trojan.Win32.DLLhijack.acza Trojan.DLLhijack.TCP.ServerRequest

Link:

https://opentip.kaspersky.com/5eb2299706493e2a6a3c30c2253ffbf0f644515745035b7f858e5b90d29c5662/results?tab=lookup

Score:

57%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/5eb2299706493e2a6a3c30c2253ffbf0f644515745035b7f858e5b90d29c5662

Gathering data

Verdict:

Malicious

Threat:

Trojan.Win32.TCP

Link:

https://tip.neiki.dev/file/5eb2299706493e2a6a3c30c2253ffbf0f644515745035b7f858e5b90d29c5662

Threat name:

Win32.Trojan.Malgent

Status:

Malicious

First seen:

2026-01-02 16:45:50 UTC

File Type:

PE (Exe)

Extracted files:

3121

AV detection:

10 of 38 (26.32%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=l2zctfygje7cu2r4gdbckp736d3eiukxiubvw74frznzbuu4kzra._file

Verdict:

malicious

Label(s):

roningloader

c0824599dec4170e272c800eb24f1cadc582d3f3dd6f351afa52b95dd4e81967

error

f4c45b94663e791fbb7d84b6eabec26f7bdef921f7bafe72934f00f2bc0259a8

Result

Malware family:

n/a

Score:

10/10

Tags:

defense_evasion discovery persistence privilege_escalation spyware stealer trojan

Link:

https://tria.ge/reports/260106-k79rhsfv8h/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Enumerates system info in registry

Modifies data under HKEY_USERS

Modifies registry class

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious behavior: MapViewOfSection

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

System Time Discovery

Drops file in Program Files directory

Drops file in Windows directory

Launches sc.exe

Drops file in System32 directory

Enumerates processes with tasklist

Checks installed software on the system

Network Service Discovery

Checks computer location settings

Drops startup file

Event Triggered Execution: Component Object Model Hijacking

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Suspicious use of NtCreateUserProcessOtherParentProcess

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/c20b4f08-35f4-4ae8-b547-4806f80b6dba

Malware family:

ValleyRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5eb229970649/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	Detect_NSIS_Nullsoft_Installer Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects NSIS installers by .ndata section + NSIS header string

Rule name:	EDR_Killer_EDR_Freeze_Tool Create hunting rule
Author:	Valton Tahiri (cybee.ai)
Description:	Detects EDR-Freeze tool in memory - EDR/AV freezing malware
Reference:	https://www.linkedin.com/in/valton-tahiri/

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	GenericGh0st Create hunting rule
Author:	Still

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Suspicious_Process Create hunting rule
Author:	Security Research Team
Description:	Suspicious process creation

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Windows_Trojan_Gh0st_9e4bb0ce Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 5eb2299706493e2a6a3c30c2253ffbf0f644515745035b7f858e5b90d29c5662

(this sample)

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample