MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 92551682197c1d0295549208e53f8479c096247846952147b4a59691cc269b53. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SilverFox

Vendor detections: 12

Intelligence 12 IOCs YARA 12 File information Comments

SHA256 hash:	92551682197c1d0295549208e53f8479c096247846952147b4a59691cc269b53
SHA3-384 hash:	1549b62461a1c91a99a395d16573ded0c0a72b2f1c54c9f8e8b1675d99d4c6149f1d37ecd4624119c5a9d75bb799b045
SHA1 hash:	e0d8e8796bb424ea66907cc38f5705ce88557625
MD5 hash:	7925902fa91e165b67ccb6ab3833c779
humanhash:	cold-london-salami-don
File name:	2025年第二季度违规内职人员名单信息公告.exe
Download:	download sample
Signature	SilverFox Create hunting rule
File size:	912'896 bytes
First seen:	2025-12-27 22:10:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1f6d6b8261119bc96407d03811834fd9 (1 x SilverFox)
ssdeep	12288:p0qR70ulnNodAwxl2YFibRE665AOvXGdCrhObfJgnQydeUQ8jssd3IO:p0ZulnNoCwxEC665NvGqoIPQ8osxIO
TLSH	T17015234BB66ECBD0DD2625B93DB64F0CD3A36AFF8541C05603B6D9CB1E23290AE1255C
TrID	43.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 27.6% (.EXE) Win64 Executable (generic) (10522/11/4) 13.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.3% (.EXE) OS/2 Executable (generic) (2029/13) 5.2% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	Ling
Tags:	exe Malgent SilverFox Trojan:Win32/Malgent!MSR

CNGaoLing

This sample has been reviewed by Microsoft researchers and determined to be malware. (Trojan:Win32/Malgent!MSR)

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

_92551682197c1d0295549208e53f8479c096247846952147b4a59691cc269b53.exe

Verdict:

Suspicious activity

Analysis date:

2025-12-27 22:11:33 UTC

Tags:

anydesk rmm-tool

Link:

https://app.any.run/tasks/3c591b78-f561-4e17-a4a4-b5e5d52512fe

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/46245/

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=695059526de7591fd8fbd28e

Tags:

emotet shell virus sage

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-debug microsoft_visual_cc packed

Link:

https://www.filescan.io/uploads/6950594d84afa5547b5ee265/reports/406259f1-ca8b-4616-babd-ef2c859f23d6/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/92551682197c1d0295549208e53f8479c096247846952147b4a59691cc269b53

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-12-27T14:16:00Z UTC

Last seen:

2025-12-29T01:43:00Z UTC

Hits:

~100

Detections:

Backdoor.Androm.HTTP.C&C Trojan.Win64.Zenpak.sb Trojan.Win32.PoolInject.sba BSS:Trojan.Win32.Generic Backdoor.Win32.Androm.vzzk Trojan-Spy.Win32.Stealer.sb Trojan-Dropper.Win32.Injector.sb Trojan.Win32.Waldek.sb Trojan.Win32.Inject.sb

Link:

https://opentip.kaspersky.com/92551682197c1d0295549208e53f8479c096247846952147b4a59691cc269b53/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/58d5a162-91fe-403e-b85b-726795be5faa

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/92551682197c1d0295549208e53f8479c096247846952147b4a59691cc269b53

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE Memory-Mapped (Dump)

Link:

https://app.malva.re/file/7925902fa91e165b67ccb6ab3833c779

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/92551682197c1d0295549208e53f8479c096247846952147b4a59691cc269b53/

Verdict:

Malicious

Threat:

Trojan.Win32.Zenpak

Link:

https://tip.neiki.dev/file/92551682197c1d0295549208e53f8479c096247846952147b4a59691cc269b53

Threat name:

Win64.Packed.Generic

Status:

Suspicious

First seen:

2025-12-27 20:16:16 UTC

AV detection:

14 of 38 (36.84%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=sjkrnaqzpqoqffkusieokp4ephajmjdyi2kscr5uuwljdtbgtnjq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

defense_evasion

Link:

https://tria.ge/reports/251227-13jbrszrap/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/36c75d59-f742-4ef4-bed2-b4cce815a545

Unpacked files

SH256 hash:

92551682197c1d0295549208e53f8479c096247846952147b4a59691cc269b53

MD5 hash:

7925902fa91e165b67ccb6ab3833c779

SHA1 hash:

e0d8e8796bb424ea66907cc38f5705ce88557625

Link:

https://www.unpac.me/results/dafd6164-cf04-428f-be8d-e39cc4b4aacc/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/92551682197c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/92551682197c1d0295549208e53f8479c096247846952147b4a59691cc269b53

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__MemoryWorkingSet Create hunting rule
Author:	Fernando Mercês
Description:	Anti-debug process memory working set size check
Reference:	http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SilverFox

exe 92551682197c1d0295549208e53f8479c096247846952147b4a59691cc269b53

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/46245/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample