MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73a216cc4a3694b52383f74a99ae75a7909c605317c8d6771ad3fbcf28c9249b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 9

Intelligence 9 IOCs YARA 5 File information Comments

SHA256 hash:	73a216cc4a3694b52383f74a99ae75a7909c605317c8d6771ad3fbcf28c9249b
SHA3-384 hash:	c8801d45043c088d723e4bb51a9569082cbe7946100dfbf788951576463b652b9a6388c2fb4b2f6779d98b365712e2fb
SHA1 hash:	a9849eeafbbc919afd7102820607e9c15d98a162
MD5 hash:	2768ce17cce0540aaa47616e7c41f8e9
humanhash:	green-wisconsin-failed-oklahoma
File name:	Setup_win64.exe
Download:	download sample
File size:	69'535'072 bytes
First seen:	2025-08-18 22:45:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b34f154ec913d2d2c435cbd644e91687 (533 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep	1572864:0n5kJoRseQcTe/FEd67As/phgX4dYdDt9QxFqz3yfYHldqO:0BRseQcTeOd60sh89QxFqzQYHeO
TLSH	T1ECE733E24A28E435CEA29DF4626DDA012EF42E007817297F4D5CBBDE593B97C460F14E
TrID	37.3% (.EXE) Win64 Executable (generic) (10522/11/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 15.9% (.EXE) Win32 Executable (generic) (4504/4/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
dhash icon	0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter	SquiblydooBlog
Tags:	DEAL-STANDART-SP-Z-O-O exe signed

Code Signing Certificate

Organisation:	DEAL STANDART SP Z O O
Issuer:	SSL.com EV Code Signing Intermediate CA RSA R3
Algorithm:	sha256WithRSAEncryption
Valid from:	2025-07-30T13:53:06Z
Valid to:	2026-07-30T13:53:06Z
Serial number:	43f983bdca260c253fb332394352c5f6
Intelligence:	2 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Graveyard Blocklist:	This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:	SHA256
Thumbprint:	d71266594e72e119ff3958f760b91dbfdd20acadb2ff872fdd388f604e4d0024
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

163

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Setup_win64.exe

Verdict:

Malicious activity

Analysis date:

2025-08-18 22:46:12 UTC

Tags:

python evasion stealer arch-exec arch-doc nodejs

Link:

https://app.any.run/tasks/82284a73-c450-44a2-bc33-0144ab63c8cf

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68a3ad8f8fd55a79c5291b3b

Tags:

sage blic remo

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Сreating synchronization primitives

Creating a window

Searching for the window

Searching for the Windows task manager window

Running batch commands

Creating a process with a hidden window

Launching a process

Using the Windows Management Instrumentation requests

Creating a file

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Sending a custom TCP request

Searching for synchronization primitives

Unauthorized injection to a recently created process

Loading a suspicious library

Moving a file to the %AppData% subdirectory

DNS request

Connection attempt

Deleting a recently created file

Sending a UDP request

Verdict:

Unknown

Threat level:

2.5/10

Confidence:

100%

Tags:

adaptive-context anti-debug blackhole installer microsoft_visual_cc overlay signed threat

Link:

https://www.filescan.io/uploads/68a3ad76419c816a6e8b13c2/reports/1d012c99-bc07-414d-965c-d50c63c2dfdd/overview

Verdict:

Suspicious

Labled as:

Malware_49.4

Link:

https://www.hybrid-analysis.com/sample/73a216cc4a3694b52383f74a99ae75a7909c605317c8d6771ad3fbcf28c9249b

Score:

63%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/73a216cc4a3694b52383f74a99ae75a7909c605317c8d6771ad3fbcf28c9249b

Gathering data

Verdict:

Susipicious

Link:

https://tip.neiki.dev/file/73a216cc4a3694b52383f74a99ae75a7909c605317c8d6771ad3fbcf28c9249b

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=oorbntckg2klki4d65fjtltvu6ijyyctc7enm5y22p546kgjesnq._file

Result

Malware family:

n/a

Score:

8/10

Tags:

defense_evasion discovery

Link:

https://tria.ge/reports/250818-2qlf2adp8s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Enumerates processes with tasklist

Checks installed software on the system

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Modifies trusted root certificate store through registry

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/65176deb-c51d-4acf-8c00-63451c7f9bec

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AlternativesExample1 Create hunting rule

Rule name:	botnet_plaintext_c2 Create hunting rule
Author:	cip
Description:	Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name:	Detect_NSIS_Nullsoft_Installer Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects NSIS installers by .ndata section + NSIS header string

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample