MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 720a0fde5d39c9895ca0123fd8f60be516e96bd04cbd5e2376eaff1acbcc5a48. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 9

Intelligence 9 IOCs YARA 6 File information Comments

SHA256 hash:	720a0fde5d39c9895ca0123fd8f60be516e96bd04cbd5e2376eaff1acbcc5a48
SHA3-384 hash:	20cf47990abcf14e5fb0e0eac481fe15ea274dbf87143f379ed176ac8fc938e616330c09d7525c4844e4cc95f614af7b
SHA1 hash:	3799311fed06dc7bdaf33c21e1315561a9a1a627
MD5 hash:	9ee812ee6dbed67527a1ccb19f357275
humanhash:	mississippi-bakerloo-six-juliet
File name:	RuDNS_Setup.exe
Download:	download sample
File size:	6'470'392 bytes
First seen:	2026-06-06 12:16:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	88016fcdef7f227c62171d0afad9aae4 (10 x ValleyRAT, 8 x OffLoader, 3 x Gh0stRAT)
ssdeep	98304:h5Oz2+5yzTq4AlaEZVvhQecC5dTNgG5mmhuCMW59KwxRa7Pr/TTg64opZSIyf9:bm2+yiRfBQe1AjmheW5xq7Heop49
TLSH	T1F156123FB28B753EE06E5A367A76E210553B7661A8124C56DAE4C48CCF250B02D3F787
TrID	61.4% (.EXE) Inno Setup installer (107240/4/30) 23.8% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 3.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.7% (.EXE) Win64 Executable (generic) (6522/11/2) 2.5% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
dhash icon	4030e9d8dc6c004a (1 x CoinMiner)
Reporter	Alex_sev
Tags:	CoinMiner exe miner signed

Code Signing Certificate

Organisation:	AntiRKN Software
Issuer:	AntiRKN Software
Algorithm:	sha256WithRSAEncryption
Valid from:	2026-05-16T17:21:27Z
Valid to:	2031-05-16T17:31:27Z
Serial number:	5b339a32452745854f0b5fda156b9dde
Thumbprint Algorithm:	SHA256
Thumbprint:	9d5eb6b9f550909918f8b855e05b31beeabf16ee5404d1718bcb16e36ed89847
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

130

Origin country :

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/9c92ec6f-f0da-4095-bee9-13505736096a/

Malware family:

n/a

ID:

File name:

RuDNS_Setup.exe

Verdict:

Malicious activity

Analysis date:

2026-06-06 12:24:35 UTC

Tags:

delphi inno installer

Link:

https://app.any.run/tasks/f397339f-83a7-4fee-91be-fd10e27c0ed9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/69366/

Detection(s):

SecuriteInfo.com.W32.ABApplication.ETNE-3221.32491.19739.UNOFFICIAL

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a240ff863a4889c1af9ef5a

Tags:

injection dropper delphi virus

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Searching for synchronization primitives

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/720a0fde5d39c9895ca0123fd8f60be516e96bd04cbd5e2376eaff1acbcc5a48

Verdict:

Adware

File Type:

exe x32

First seen:

2026-05-29T17:33:00Z UTC

Last seen:

2026-06-06T15:04:00Z UTC

Hits:

~100

Detections:

Trojan.Win32.Agent.sb Trojan-PSW.Win32.Coins.sb HEUR:Trojan.Win64.Reflo.pef HEUR:Trojan.Win32.Generic BSS:Trojan.Win32.Generic Trojan.Win64.Agentb.ljkj Trojan.Win32.Miner.sb Trojan.Win32.Agent.rnd Trojan-PSW.Win32.Stealer.sb Trojan-PSW.MSIL.Cerna.sb VHO:Trojan.Win64.Agentb.gen RiskTool.Miner.UDP.C&C RiskTool.BitCoinMiner.TCP.C&C not-a-virus:RiskTool.Win32.Miner.rja

Link:

https://opentip.kaspersky.com/720a0fde5d39c9895ca0123fd8f60be516e96bd04cbd5e2376eaff1acbcc5a48/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/03c32a94-245a-4d7e-92e1-a357d1e9e45e

Score:

77%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/720a0fde5d39c9895ca0123fd8f60be516e96bd04cbd5e2376eaff1acbcc5a48

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/720a0fde5d39c9895ca0123fd8f60be516e96bd04cbd5e2376eaff1acbcc5a48/

Verdict:

Malicious

Threat:

RiskTool.Win32.Miner

Link:

https://tip.neiki.dev/file/720a0fde5d39c9895ca0123fd8f60be516e96bd04cbd5e2376eaff1acbcc5a48

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=oifa7xs5hheysxfaci75r5ql4ulos26qjs6v4i3w5l7rvs6mljea._file

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery installer

Link:

https://tria.ge/reports/260606-pfybmadx91/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Inno Setup is an open-source installation builder for Windows applications.

System Location Discovery: System Language Discovery

Executes dropped EXE

Unpacked files

SH256 hash:

720a0fde5d39c9895ca0123fd8f60be516e96bd04cbd5e2376eaff1acbcc5a48

MD5 hash:

9ee812ee6dbed67527a1ccb19f357275

SHA1 hash:

3799311fed06dc7bdaf33c21e1315561a9a1a627

Link:

https://www.unpac.me/results/3c2f17db-2f88-4f47-83d3-accf7c062eb9/

SH256 hash:

4a182e3eb7dda27a1291a0659c65476847b836928bad8845b666d4fc967ebaa6

MD5 hash:

ce38ccef071685224b7e3eb670bf6d0a

SHA1 hash:

71661b1395d67aa3730728653c1c74e3009a92db

Link:

https://www.unpac.me/results/3c2f17db-2f88-4f47-83d3-accf7c062eb9/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/720a0fde5d39/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/720a0fde5d39c9895ca0123fd8f60be516e96bd04cbd5e2376eaff1acbcc5a48

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE Create hunting rule
Author:	CYFARE
Description:	Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:	https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/69366/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample