MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8782afedef45fceb815a6a7ff1eccf7efa49847ea0bb86dedff4a88c6a7a8c97. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Adware.Generic

Vendor detections: 12

Intelligence 12 IOCs YARA 10 File information Comments

SHA256 hash:	8782afedef45fceb815a6a7ff1eccf7efa49847ea0bb86dedff4a88c6a7a8c97
SHA3-384 hash:	8e62ec7334e9a8d78f1aecbc4994a8fd23a208d70c889ac104e235e212ab4e1a297b0a5ff2b656437d40b3b6da41ec20
SHA1 hash:	410dcb81797316e7756dd4778770015c0eb15cb2
MD5 hash:	3cda96605373ba4f9f473b8e3c3d0b9b
humanhash:	wyoming-illinois-artist-alpha
File name:	Spinach Entertainment Aggregation Plan.exe
Download:	download sample
Signature	Adware.Generic Create hunting rule
File size:	3'046'117 bytes
First seen:	2025-08-08 07:16:19 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	eb5bc6ff6263b364dfbfb78bdb48ed59 (55 x Adware.Generic, 18 x RaccoonStealer, 8 x Adware.ExtenBro)
ssdeep	49152:EcW4faaAFSpeWrRfr3Ghsjk/FBsXFohh+lWzPq40p8IUUDG+cFrOGKKq:EX4eS1Ff7rI9S1Ih+c240itQGxq
TLSH	T1C1E5D0977B46BC3AF09D6B354222A23844F7AB6CA7D36D1121EEDC88CB391880DF5715
TrID	62.3% (.EXE) Inno Setup installer (107240/4/30) 24.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 6.1% (.EXE) Win64 Executable (generic) (10522/11/4) 2.6% (.EXE) Win32 Executable (generic) (4504/4/1) 1.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
dhash icon	7cf0e4caeac4c0dc (2 x Adware.Generic, 1 x Glupteba)
Reporter	JAMESWT_WT
Tags:	Adware.Generic exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

_355a63caca9cd0890d843d83eb78ab8827abc60478bee8f7be64f75a11973bc9.zip

Verdict:

Malicious activity

Analysis date:

2025-08-04 11:27:18 UTC

Tags:

arch-exec rust stealer purehvnc netreactor

Link:

https://app.any.run/tasks/e1656079-1758-4fe6-b82c-ce7a89954ca4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/19614/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=689098a3af3050dc8d34290b

Tags:

asyncrat dropper extens obfusc

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Searching for synchronization primitives

Restart of the analyzed sample

Creating a process with a hidden window

Creating a file

Moving a recently created file

Launching a process

Loading a suspicious library

Creating a service

Launching a service

Creating a file in the Windows subdirectories

Enabling autorun for a service

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

adaptive-context anti-debug embarcadero_delphi expand fingerprint installer lolbin masquerade obfuscated overlay overlay packed zero

Link:

https://www.filescan.io/uploads/6895a44e397fd3ce6fa1e430/reports/b3c6d3c7-f179-45d0-af83-39e3b2fe5120/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/8782afedef45fceb815a6a7ff1eccf7efa49847ea0bb86dedff4a88c6a7a8c97

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0a7e1079-6d3e-431d-87f2-1acf9e857e56

Score:

35%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/8782afedef45fceb815a6a7ff1eccf7efa49847ea0bb86dedff4a88c6a7a8c97

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8782afedef45fceb815a6a7ff1eccf7efa49847ea0bb86dedff4a88c6a7a8c97/

Threat name:

Win32.Malware.Heuristic

Status:

Malicious

First seen:

2025-08-04 14:08:28 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 36 (58.33%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=q6bk73ppix6oxak2nj77d3gpp35etbd6uc5ynxw76suiy2t2rslq._file

Result

Malware family:

n/a

Score:

8/10

Tags:

defense_evasion discovery execution

Link:

https://tria.ge/reports/250808-h34ctszzbx/

Behaviour

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Hide Artifacts: Ignore Process Interrupts

Command and Scripting Interpreter: PowerShell

Drops file in System32 directory

Checks installed software on the system

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Blocklisted process makes network request

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/948019f2-83e6-4d7d-9ab2-398fd3dac316

Unpacked files

SH256 hash:

8782afedef45fceb815a6a7ff1eccf7efa49847ea0bb86dedff4a88c6a7a8c97

MD5 hash:

3cda96605373ba4f9f473b8e3c3d0b9b

SHA1 hash:

410dcb81797316e7756dd4778770015c0eb15cb2

Link:

https://www.unpac.me/results/1a69a196-5889-4f86-80b2-7d7f3982e4b7/

SH256 hash:

fe4194229ab8635a1544e938976acb85d2cc34ec645b7a190e9ad347519bd76b

MD5 hash:

4449657e77d7bfbee80f0cc7e001eb1c

SHA1 hash:

634a84a4bac111db58db3f26c3d376adee153f90

Link:

https://www.unpac.me/results/1a69a196-5889-4f86-80b2-7d7f3982e4b7/

SH256 hash:

44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0

MD5 hash:

9c8886759e736d3f27674e0fff63d40a

SHA1 hash:

ceff6a7b106c3262d9e8496d2ab319821b100541

Link:

https://www.unpac.me/results/1a69a196-5889-4f86-80b2-7d7f3982e4b7/

SH256 hash:

0ea82da611d90c3d489ed1e33ee14470e5813604428865efe1ffbd22c6f81af9

MD5 hash:

0dc12deb265aa6864b9578c4489af1ba

SHA1 hash:

197172aaf63f0a254b3aaa256041c269c01c413e

Link:

https://www.unpac.me/results/1a69a196-5889-4f86-80b2-7d7f3982e4b7/

SH256 hash:

a705a03aa308c3d497045563ce5c55505ab0994de93acb11a05f2541fb5fe659

MD5 hash:

0c128d14e3dfd3c8698a4bdcd9abd894

SHA1 hash:

3c4700715b023d0ea7dfacc4aaee2380de1cacbc

Detections:

INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender

Link:

https://www.unpac.me/results/1a69a196-5889-4f86-80b2-7d7f3982e4b7/

SH256 hash:

e84e342ccf6bdc4baaaa31c16bd2b03aed509aebc9ee5e68a2f3680c2049128d

MD5 hash:

55d01773f36562261530dcd949a362a5

SHA1 hash:

c7acdecd77fca732182e4bec9de40a50440cae83

Link:

https://www.unpac.me/results/1a69a196-5889-4f86-80b2-7d7f3982e4b7/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8782afedef45fceb815a6a7ff1eccf7efa49847ea0bb86dedff4a88c6a7a8c97

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	Windows_Trojan_Donutloader_f40e3759 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/19614/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
SECURITY_BASE_API	Uses Security Base API	advapi32.dll::AdjustTokenPrivileges
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CreateProcessW advapi32.dll::OpenProcessToken kernel32.dll::CloseHandle kernel32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryA kernel32.dll::LoadLibraryExW kernel32.dll::LoadLibraryW kernel32.dll::GetSystemInfo kernel32.dll::GetStartupInfoW kernel32.dll::GetDiskFreeSpaceW
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateDirectoryW kernel32.dll::CreateFileW kernel32.dll::DeleteFileW kernel32.dll::GetWindowsDirectoryW kernel32.dll::GetSystemDirectoryW kernel32.dll::GetFileAttributesW
WIN_BASE_USER_API	Retrieves Account Information	advapi32.dll::LookupPrivilegeValueW
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExW advapi32.dll::RegQueryValueExW
WIN_USER_API	Performs GUI Actions	user32.dll::PeekMessageW user32.dll::CreateWindowExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample