MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7dce3a66020b720476ffc8b6fd5b5d59256186c8c54e56ff5b1f93b24130834c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 12

Intelligence 12 IOCs YARA 1 File information Comments

SHA256 hash:	7dce3a66020b720476ffc8b6fd5b5d59256186c8c54e56ff5b1f93b24130834c
SHA3-384 hash:	6eff5598f0761239b99fb1e69bca7700a979126ae46bc0260b9d591c237440a193c013fa8dc15f25d8e73f3458abd91b
SHA1 hash:	800562e54eeeb369eb9296d1d59b1d299ee8e845
MD5 hash:	1e4278cbe9a5d51c2e382f37a8cd402b
humanhash:	mockingbird-golf-cola-tennessee
File name:	file
Download:	download sample
File size:	3'859'456 bytes
First seen:	2025-12-10 00:48:42 UTC
Last seen:	2025-12-10 00:53:07 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	7bc8e644e89bb9df12b84ba824e5c5b9
ssdeep	98304:bEl2pk7yy/HqLPipZkSjCnlc9kA0Hr4KBw9EG5J2LR:nayoK+pZxulq0HrTB5eJ2L
TLSH	T1450633977AD021BBC004DE708FC459078E60BE6BD65F47DA3C0366E998E7CD8B929D09
TrID	45.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.3% (.EXE) OS/2 Executable (generic) (2029/13) 18.0% (.EXE) Generic Win/DOS Executable (2002/3) 18.0% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey exe fbf543

Bitsight

url: http://178.16.55.189/files/7359455182/POrtXtv.exe

Intelligence

File Origin

# of uploads :

# of downloads :

166

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2025-12-10 00:50:58 UTC

Tags:

evasion stealer themida

Link:

https://app.any.run/tasks/882bf0e8-6180-4522-b040-6ee95542c53e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/44044/

Verdict:

Malicious

Score:

90.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6938c38bbde6a3e5970f9959

Tags:

injection packed lien hype

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for analyzing tools

Searching for the window

Сreating synchronization primitives

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Connection attempt to an infection source

Sending a TCP request to an infection source

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

crypto fingerprint hacktool microsoft_visual_cc obfuscated packed packed themidawinlicense zero

Link:

https://www.filescan.io/uploads/6938c38864bd958a520f4c2c/reports/ffc56a92-8f5a-418b-9fd6-b0e5dbf9d60a/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/7dce3a66020b720476ffc8b6fd5b5d59256186c8c54e56ff5b1f93b24130834c

Verdict:

Clean

File Type:

exe x64

First seen:

2025-12-09T23:01:00Z UTC

Last seen:

2025-12-09T23:18:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/7dce3a66020b720476ffc8b6fd5b5d59256186c8c54e56ff5b1f93b24130834c/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/465b0a16-0081-44f7-9e1c-7ddd338b7f3f

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/7dce3a66020b720476ffc8b6fd5b5d59256186c8c54e56ff5b1f93b24130834c

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/1e4278cbe9a5d51c2e382f37a8cd402b

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7dce3a66020b720476ffc8b6fd5b5d59256186c8c54e56ff5b1f93b24130834c/

Verdict:

Malicious

Threat:

Win64.Malware.Heuristic

Link:

https://tip.neiki.dev/file/7dce3a66020b720476ffc8b6fd5b5d59256186c8c54e56ff5b1f93b24130834c

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2025-12-10 00:49:16 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

11 of 24 (45.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pxhduzqcbnzai5x7zc3p2w25leswdbwiyvhfn723d6j3eqjqqnga._file

Result

Malware family:

n/a

Score:

9/10

Tags:

credential_access defense_evasion discovery persistence privilege_escalation ransomware spyware stealer themida trojan

Link:

https://tria.ge/reports/251210-a6e6eaej4t/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Uses Volume Shadow Copy WMI provider

Uses Volume Shadow Copy service COM API

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Checks installed software on the system

Checks whether UAC is enabled

Looks up external IP address via web service

Checks BIOS information in registry

Event Triggered Execution: Component Object Model Hijacking

Executes dropped EXE

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Themida packer

Unsecured Credentials: Credentials In Files

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/55132bfc-80b7-4a3d-ba38-afd42aabeae7

Unpacked files

SH256 hash:

7dce3a66020b720476ffc8b6fd5b5d59256186c8c54e56ff5b1f93b24130834c

MD5 hash:

1e4278cbe9a5d51c2e382f37a8cd402b

SHA1 hash:

800562e54eeeb369eb9296d1d59b1d299ee8e845

Link:

https://www.unpac.me/results/17eeb4b5-ac77-45ed-86ed-6fcab1f0dcba/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.66

Link:

https://yomi.yoroi.company/submissions/7dce3a66020b720476ffc8b6fd5b5d59256186c8c54e56ff5b1f93b24130834c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_Themida Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Themida

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 7dce3a66020b720476ffc8b6fd5b5d59256186c8c54e56ff5b1f93b24130834c

(this sample)

Dropped by

Amadey

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3730168/

Cape

https://www.capesandbox.com/analysis/44044/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample