MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7de2c31c2cb17d846a3cdb53b1f702d54a17a5af15d4bcef96290138b93542a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 4

Intelligence 4 IOCs YARA 9 File information Comments

SHA256 hash:	7de2c31c2cb17d846a3cdb53b1f702d54a17a5af15d4bcef96290138b93542a0
SHA3-384 hash:	e90859a569495875c6b4f29f2b1765ce256aaf8992c752b8a8dac509fcd18f099dbc5fa849850a08f65bb8e35d85741a
SHA1 hash:	dec708a3ac44f69caf658421faa05f170c955d88
MD5 hash:	dde59a2591289a60f34ed01cc44edd60
humanhash:	ceiling-freddie-sierra-uranus
File name:	10072025_0935_C_Scanner.rar
Download:	download sample
File size:	4'130'557 bytes
First seen:	2025-07-10 11:57:32 UTC
Last seen:	Never
File type:	rar
MIME type:	application/x-rar
ssdeep	98304:cWLp02ymMQN6UhNwpibT9jramGIU1V/Jzw5+QCL74K:cap050N6UEif9jrlGISM+QC9
TLSH	T1F116333406C37A861D839A29744FC47EAB8C0F71557C6DF41B2AE9B3957A2724FC1AB0
TrID	61.5% (.RAR) RAR compressed archive (v5.0) (8000/1) 38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Magika	rar
Reporter	aachum
Tags:	Arechclient2 HIjackLoader IDATLoader rar SectopRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

File Archive Information

This file archive contains 8 file(s), sorted by their relevance:

File name:	MSVCP140.dll
File size:	436'600 bytes
SHA256 hash:	51398691feef7ae0a876b523aec47c4a06d9a1ee62f1a0aee27de6d6191c68ad
MD5 hash:	8ff1898897f3f4391803c7253366a87b
MIME type:	application/x-dosexec

File name:	C_Scanner.exe
File size:	561'392 bytes
SHA256 hash:	b7ee370878fb4290097311e652222d8bab91c44a94063ea192100d4fd9dadb14
MD5 hash:	196691384955781b831c331f743443a9
MIME type:	application/x-dosexec

File name:	Staibstogcha.ymsu
File size:	1'877'814 bytes
SHA256 hash:	a25d089683e508fd50737df44680611fe410fc59b255d02fb88fbd1112ea7e63
MD5 hash:	fac270d8a624422289d3ba32e4fe1708
MIME type:	application/octet-stream

File name:	VCRUNTIME140.dll
File size:	76'168 bytes
SHA256 hash:	9faeaa45e8cc986af56f28350b38238b03c01c355e9564b849604b8d690919c5
MD5 hash:	1a84957b6e681fca057160cd04e26b27
MIME type:	application/x-dosexec

File name:	Freeb.ci
File size:	69'431 bytes
SHA256 hash:	30ce24485e0c428c0e2e95020a425dee0cdbf9073687f0809915e98363470165
MD5 hash:	0086c4c6baecc534658c50b4d261e46a
MIME type:	application/octet-stream

File name:	Up.dll
File size:	603'376 bytes
SHA256 hash:	08a7c790e073a1d32397cd00e2c4404fec77f09170b31e0ed38f6b113344ca9f
MD5 hash:	699e055fc19e3a68e0a6bde3a95d4a69
MIME type:	application/x-dosexec

File name:	mfc140u.dll
File size:	5'127'088 bytes
SHA256 hash:	e422c9366a53536a35e307ef301f08661c28c29b7fcda1b454333c6a41c6bb21
MD5 hash:	e76b52d11db435d36453d26c8b446a8f
MIME type:	application/x-dosexec

File name:	ppevnt.ini
File size:	53 bytes
SHA256 hash:	db7f5f0c8a203fde07987ebe10a5b63a26ca31179dfb43519246f71416e42aa3
MD5 hash:	038cf0ab1f30737b385ad75fb4f68d07
MIME type:	text/plain

Vendor Threat Intelligence

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=686fac1b900df8e7f8694cca

Tags:

injection obfusc crypt

Verdict:

Unknown

Threat level:

n/a -.1.0/10

Confidence:

100%

Tags:

expired-cert fingerprint microsoft_visual_cc signed

Link:

https://www.filescan.io/uploads/686faaef0abaf8edd6ed91c8/reports/087462a1-b03c-4014-a35f-b6be9427b348/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/7de2c31c2cb17d846a3cdb53b1f702d54a17a5af15d4bcef96290138b93542a0

Verdict:

inconclusive

YARA:

1 match(es)

Tags:

Executable PDB Path PE (Portable Executable) Rar Archive

Link:

https://app.malva.re/file/dde59a2591289a60f34ed01cc44edd60

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7de2c31c2cb17d846a3cdb53b1f702d54a17a5af15d4bcef96290138b93542a0/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2025-07-10 11:58:20 UTC

File Type:

Binary (Archive)

Extracted files:

891

AV detection:

13 of 24 (54.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pxrmghbmwf6yi2r43nj3d5yc2vfbpjnpcxklz34wfeatrojvikqa._file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/7de2c31c2cb17d846a3cdb53b1f702d54a17a5af15d4bcef96290138b93542a0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)