MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8838278fff9a80d027951999d9f7c811ec2928afc39367f42f48f4411d1416b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 12

Intelligence 12 IOCs YARA 18 File information Comments

SHA256 hash:	8838278fff9a80d027951999d9f7c811ec2928afc39367f42f48f4411d1416b9
SHA3-384 hash:	eb64c186b11d99db7ca59e5f550d344aa85fa94d8975879e07a3889b6955696f74a9ec570a4f998a40069f7045ba03b8
SHA1 hash:	4a221926b18e7070609861e709931e8f0c5f813f
MD5 hash:	0fc818c4d3150852451a60fef477b057
humanhash:	crazy-sierra-maine-lactose
File name:	37cIqAG.exe
Download:	download sample
File size:	96'768 bytes
First seen:	2025-08-26 08:02:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	838daa497c64fed9e2aec62c82ef841d
ssdeep	1536:cNDHjbjphycIy9MUUOkl0Y5HKWLCb3BeRHJtg60PH5OWXHlebjHn52bux6K0XHMJ:0DXph7fUfl0EHPqgRHwdPZYHH52bV3MJ
TLSH	T18493D04B62A411FCF016C07C43465B72AFB3F4355501AF6D2B74D730AE50AB69F2E92A
TrID	41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 26.1% (.EXE) Win64 Executable (generic) (10522/11/4) 12.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.1% (.ICL) Windows Icons Library (generic) (2059/9) 5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

37cIqAG.exe

Verdict:

Suspicious activity

Analysis date:

2025-08-26 08:09:11 UTC

Tags:

auto-reg

Link:

https://app.any.run/tasks/452ec4e3-0669-4cff-a7cf-87c94b36a363

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/23604/

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68ad6a633e988eb6ab82bc52

Tags:

dropper

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Creating a file in the %AppData% subdirectories

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Sending a custom TCP request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Verdict:

Malicious

Labled as:

Win64/CoinMiner_AGeneric.BD potentially unwanted application

Link:

https://www.hybrid-analysis.com/sample/8838278fff9a80d027951999d9f7c811ec2928afc39367f42f48f4411d1416b9

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-08-25T10:34:00Z UTC

Last seen:

2025-08-25T10:34:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/8838278fff9a80d027951999d9f7c811ec2928afc39367f42f48f4411d1416b9/results?tab=lookup

Malware family:

Microsoft Corporation

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/dacd0070-36a5-43f2-9d7b-8751c5ac4b7a

Result

Threat name:

n/a

Detection:

malicious

Classification:

n/a

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1765206

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Execution from Suspicious Folder

Behaviour

Behavior Graph:

Download SVG

Score:

97%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/8838278fff9a80d027951999d9f7c811ec2928afc39367f42f48f4411d1416b9

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/0fc818c4d3150852451a60fef477b057

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8838278fff9a80d027951999d9f7c811ec2928afc39367f42f48f4411d1416b9/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ra4cpd77tkanaj4vdgm5t56ichwcskfpyojwp5bpjd2echiuc24q._file

Result

Malware family:

n/a

Score:

7/10

Tags:

persistence

Link:

https://tria.ge/reports/250826-jyn8sawxbt/

Behaviour

Suspicious use of WriteProcessMemory

Adds Run key to start application

Executes dropped EXE

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/986ec56b-0fc3-4a85-b48d-837bfa018386

Unpacked files

SH256 hash:

8838278fff9a80d027951999d9f7c811ec2928afc39367f42f48f4411d1416b9

MD5 hash:

0fc818c4d3150852451a60fef477b057

SHA1 hash:

4a221926b18e7070609861e709931e8f0c5f813f

Link:

https://www.unpac.me/results/5d049990-2a14-4bf1-9436-d1c270df6048/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.56

Link:

https://yomi.yoroi.company/submissions/8838278fff9a80d027951999d9f7c811ec2928afc39367f42f48f4411d1416b9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__GlobalFlags Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	dgaagas Create hunting rule
Author:	Harshit
Description:	Uses certutil.exe to download a file named test.txt

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 8838278fff9a80d027951999d9f7c811ec2928afc39367f42f48f4411d1416b9

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3611335/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/23604/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample