MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 648a2523aa0392033a003d9d9d8e13c67124447b99aedfb319f6644cb59b9d64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Trigona

Vendor detections: 18

Intelligence 18 IOCs YARA 5 File information Comments

SHA256 hash:	648a2523aa0392033a003d9d9d8e13c67124447b99aedfb319f6644cb59b9d64
SHA3-384 hash:	7a5780efc5a94708751b284ab49d70b5c2c998e914f33b3eda3065b76f33cb452b5f270bfd94af10c6090a8e6c55e5ce
SHA1 hash:	a70791b434c747809c9e2d84da368f8d7486b6ea
MD5 hash:	23e2169d751379f69e1e438113d6a9cf
humanhash:	spaghetti-helium-delaware-bacon
File name:	1.exe
Download:	download sample
Signature	Trigona Create hunting rule
File size:	206'848 bytes
First seen:	2026-01-15 17:45:41 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7f25dcbea91ea13add2ab7113a4d6742 (1 x Trigona)
ssdeep	6144:fiwvkNAjYnkxrtUzDG6uIZUFNm30ynOMt6:ftIArtUzVdUFNmEyOB
TLSH	T1181412ADDC915BB6ED425B7F3243E5CC4151BC2796CD89A223487E293F704C8BB01667
TrID	81.7% (.EXE) UPX compressed Win32 Executable (27066/9/6) 6.1% (.EXE) OS/2 Executable (generic) (2029/13) 6.0% (.EXE) Generic Win/DOS Executable (2002/3) 6.0% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	Ling
Tags:	exe Trojan:Win32/Wacatac.C!ml UPX wacatac

CNGaoLing

Trojan:Win32/Wacatac.C!ml

UPX packed

This file is packed with UPX. We have therefore unpacked the file. Below is furhter information about the unpacked (de-compressed) file.

File size (compressed) :	206'848 bytes
File size (de-compressed) :	532'992 bytes
Format:	win64/pe
Unpacked file:	0c23eff79c5d333e00b45e224656b6bf8f9e659dbd6761d926c09a0f301cdcc4

Intelligence

File Origin

# of uploads :

# of downloads :

127

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

PEPacker

Details

PEPacker

a UPX version number and an unpacked binary

Link:

https://research.acce.ciphertechsolutions.com/results/2a536681-c6b5-42d8-9d93-6b57e32ff839/

Malware family:

n/a

ID:

File name:

1.exe

Verdict:

Malicious activity

Analysis date:

2026-01-15 17:32:53 UTC

Tags:

upx blacknevas ransomware arch-scr

Link:

https://app.any.run/tasks/ed744dd6-3dc3-401a-bc49-1cef15fc229b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

BasilisqueLocker

Link:

https://www.capesandbox.com/analysis/49027/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=696927f1ef906a21abcd8550

Tags:

malware

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

barys borland_delphi filecoder fingerprint packed packed packed packed trigona upx

Link:

https://www.filescan.io/uploads/696927edf3caa3bca0676a27/reports/e6ac70d1-cd58-4428-aa46-97cd1bd147ec/overview

Verdict:

Malicious

Labled as:

Barys.Generic

Link:

https://www.hybrid-analysis.com/sample/648a2523aa0392033a003d9d9d8e13c67124447b99aedfb319f6644cb59b9d64

Verdict:

Malicious

File Type:

exe x64

First seen:

2026-01-15T14:35:00Z UTC

Last seen:

2026-01-16T01:46:00Z UTC

Hits:

~100

Detections:

Trojan-Ransom.Win32.Agent.sb Trojan.Win32.Agent.sb HEUR:Trojan-Ransom.Win32.Generic Trojan-Ransom.Win32.Trigona.sb

Link:

https://opentip.kaspersky.com/648a2523aa0392033a003d9d9d8e13c67124447b99aedfb319f6644cb59b9d64/results?tab=lookup

Malware family:

Trigona

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1aa13135-4d72-40c6-9fec-ade01b85e25f

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/648a2523aa0392033a003d9d9d8e13c67124447b99aedfb319f6644cb59b9d64

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/648a2523aa0392033a003d9d9d8e13c67124447b99aedfb319f6644cb59b9d64/

Verdict:

Malicious

Threat:

Family.HUNTERS_INTERNATIONAL

Link:

https://tip.neiki.dev/file/648a2523aa0392033a003d9d9d8e13c67124447b99aedfb319f6644cb59b9d64

Threat name:

Win64.Trojan.Egairtigado

Status:

Malicious

First seen:

2026-01-15 17:46:24 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

16 of 24 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=msfcki5kaojagoqahwoz3dqtyzysird3tgxn7myz6zseznm3tvsa._file

Verdict:

malicious

Label(s):

trigona

Similar samples:

error

Trigona

Result

Malware family:

hunters_international

Score:

10/10

Tags:

family:hunters_international credential_access discovery ransomware spyware stealer upx

Link:

https://tria.ge/reports/260115-wcfqqshv4c/

Behaviour

Browser Information Discovery

Drops file in Program Files directory

UPX packed file

Drops desktop.ini file(s)

Credentials from Password Stores: Windows Credential Manager

Drops startup file

Reads user/profile data of web browsers

HuntersInternational, Water Ouroboros

Hunters_international family

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/addd8336-3b7b-4f0c-9b38-38d9f81f882a

Unpacked files

SH256 hash:

648a2523aa0392033a003d9d9d8e13c67124447b99aedfb319f6644cb59b9d64

MD5 hash:

23e2169d751379f69e1e438113d6a9cf

SHA1 hash:

a70791b434c747809c9e2d84da368f8d7486b6ea

Link:

https://www.unpac.me/results/55298483-d819-47f4-bcc9-f1c4fbe76a6d/

SH256 hash:

0c23eff79c5d333e00b45e224656b6bf8f9e659dbd6761d926c09a0f301cdcc4

MD5 hash:

27d4d26832ef89761c4534edcea2cb39

SHA1 hash:

3ea0b851305df63191d4e401ea03c50ba8c09259

Link:

https://www.unpac.me/results/55298483-d819-47f4-bcc9-f1c4fbe76a6d/

Malware family:

Trigona

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/648a2523aa03/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/648a2523aa0392033a003d9d9d8e13c67124447b99aedfb319f6644cb59b9d64

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	upx_largefile Create hunting rule
Author:	k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Trigona

exe 648a2523aa0392033a003d9d9d8e13c67124447b99aedfb319f6644cb59b9d64

(this sample)

Trigona

exe 0c23eff79c5d333e00b45e224656b6bf8f9e659dbd6761d926c09a0f301cdcc4

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/49027/

Dropping

SHA256 0c23eff79c5d333e00b45e224656b6bf8f9e659dbd6761d926c09a0f301cdcc4

Dropping

MD5 27d4d26832ef89761c4534edcea2cb39

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample