MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 769a3560c21201f48c136363fe59683fbf0dcfcbbd034a0f6590c353b4aceb09. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Koceg

Vendor detections: 15

Intelligence 15 IOCs YARA 6 File information Comments

SHA256 hash:	769a3560c21201f48c136363fe59683fbf0dcfcbbd034a0f6590c353b4aceb09
SHA3-384 hash:	f2d41d15d69d0b8613e142d05664ca3a7044694e3cd6b1035b34ba488dfe7883d02d0c2dcbf39f135371101e7a0d8540
SHA1 hash:	baa06df7561a3a0bb707056737ec3d5ee39826a9
MD5 hash:	8109f24fed6d6aec77b5dcdd065e4f72
humanhash:	nineteen-kansas-fourteen-november
File name:	769a3560c21201f48c136363fe59683fbf0dcfcbbd034a0f6590c353b4aceb09.exe
Download:	download sample
Signature	Koceg Create hunting rule
File size:	447'417 bytes
First seen:	2025-12-20 12:33:11 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	08b656407b8d307979dc72c3fcc683a8 (15 x Koceg)
ssdeep	3072:3qPPXx0RbMIH7CNZ2sBrfDU9Mv2b7CzMV+k/7tErHZX0cvYcD+lQLMwsRVXk21cx:AZaMUjYOOzpkTQZult9RN9lOJZ
Threatray	11 similar samples on MalwareBazaar
TLSH	T15894224FD0888786D66F58B457E27271B634656AD20F83F74F1AACAC33E0141CCB9A4B
TrID	34.7% (.EXE) UPX compressed Win32 Executable (27066/9/6) 34.1% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4) 8.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.7% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	Anonymous
Tags:	exe Koceg trojan

Intelligence

File Origin

# of uploads :

# of downloads :

192

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

PEPacker

Details

PEPacker

a UPX version number and an unpacked binary

Link:

https://research.acce.ciphertechsolutions.com/results/45d490af-f102-478a-b115-a22e249220c8/

Malware family:

n/a

ID:

File name:

769a3560c21201f48c136363fe59683fbf0dcfcbbd034a0f6590c353b4aceb09.exe

Verdict:

Malicious activity

Analysis date:

2025-12-20 12:28:31 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/4510f206-43d9-444a-a888-3415a49d59e4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/45578/

Detection(s):

SecuriteInfo.com.Trojan.Swizzor.Gen.2.15188.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6946978cee899ae4567f19d0

Tags:

vmdetect socks

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm autorun base64 evasive explorer lolbin microsoft_visual_cc obfuscated overlay overlay packed packed packed ransomware unsafe upx xor-pe zero

Link:

https://www.filescan.io/uploads/6946978be126b9ff4389e69e/reports/c70b3718-d9b4-48b4-8f19-c2b682b1cc8b/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/769a3560c21201f48c136363fe59683fbf0dcfcbbd034a0f6590c353b4aceb09

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-12-18T18:01:00Z UTC

Last seen:

2025-12-20T22:50:00Z UTC

Hits:

~10

Detections:

Trojan.Win32.Agent.sb HEUR:Worm.Win32.AutoRun.gen HEUR:Trojan-Dropper.Win32.Dinwod.sbb HEUR:Trojan.Win32.Nosok.gen HEUR:Trojan.Win32.Generic Trojan-Dropper.Win32.Daws.sbbs

Link:

https://opentip.kaspersky.com/769a3560c21201f48c136363fe59683fbf0dcfcbbd034a0f6590c353b4aceb09/results?tab=lookup

Malware family:

socks

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/013a3102-5875-4f84-b3c8-4cbb9bcf8f3d

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/769a3560c21201f48c136363fe59683fbf0dcfcbbd034a0f6590c353b4aceb09

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/8109f24fed6d6aec77b5dcdd065e4f72

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/769a3560c21201f48c136363fe59683fbf0dcfcbbd034a0f6590c353b4aceb09/

Verdict:

Malicious

Threat:

Family.Koceg

Link:

https://tip.neiki.dev/file/769a3560c21201f48c136363fe59683fbf0dcfcbbd034a0f6590c353b4aceb09

Threat name:

Win32.Worm.Mandaph

Status:

Malicious

First seen:

2025-12-19 00:22:59 UTC

File Type:

PE (Exe)

AV detection:

22 of 24 (91.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=o2ndkygccia7jdatmnr74wlih67q3t6lxubuud3fsdbvhnfm5meq._file

Verdict:

malicious

Label(s):

obscene

Result

Malware family:

n/a

Score:

10/10

Tags:

adware discovery persistence stealer upx

Link:

https://tria.ge/reports/251223-nwfabawldx/

Behaviour

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

UPX packed file

Adds Run key to start application

Enumerates connected drives

Installs/modifies Browser Helper Object

Modifies WinLogon

Executes dropped EXE

Modifies system executable filetype association

Drops file in Drivers directory

Sets service image path in registry

Modifies WinLogon for persistence

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/26cb500c-6e02-4741-87ae-9a6c58692370

Unpacked files

SH256 hash:

769a3560c21201f48c136363fe59683fbf0dcfcbbd034a0f6590c353b4aceb09

MD5 hash:

8109f24fed6d6aec77b5dcdd065e4f72

SHA1 hash:

baa06df7561a3a0bb707056737ec3d5ee39826a9

Link:

https://www.unpac.me/results/8d5ac488-1178-4ba3-9be8-fc57d70e948c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/769a3560c21201f48c136363fe59683fbf0dcfcbbd034a0f6590c353b4aceb09

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	UPXv20MarkusLaszloReiser Create hunting rule
Author:	malware-lu

Rule name:	upx_3 Create hunting rule
Author:	Kevin Falcoz
Description:	UPX 3.X

Rule name:	upx_largefile Create hunting rule
Author:	k3nr9

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/45578/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample