MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c52b234c2f87beac902c2c2bec0db2f3c03a7dffab99a8251dfba40fd2ec297. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 12

Intelligence 12 IOCs YARA 5 File information Comments

SHA256 hash:	9c52b234c2f87beac902c2c2bec0db2f3c03a7dffab99a8251dfba40fd2ec297
SHA3-384 hash:	04accf0f3bcf6e03dee2ed7ec1dd71adb32921267c6c216457ff6334e2489428dbabc54336f7af2ff72a76c97149cd30
SHA1 hash:	745ca75bb5151561f7abbb90a82e9b69eca6aeba
MD5 hash:	66f4c23a7070daf36cb28959e167d6f7
humanhash:	twenty-failed-burger-west
File name:	file
Download:	download sample
File size:	14'054'328 bytes
First seen:	2026-06-05 22:28:29 UTC
Last seen:	2026-06-06 20:46:19 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	88016fcdef7f227c62171d0afad9aae4 (10 x ValleyRAT, 8 x OffLoader, 3 x Gh0stRAT)
ssdeep	196608:wvXHKZPdm0Y7Gj6hpDkjpTC7KaY6QAED1kTG:wvXqZ1mBNpDipTa0AEBkq
TLSH	T1A0E6123BB18BA53DE46A1A35B972A170487BAE6194024C1396E0FC8DFF35070DD3E697
TrID	61.4% (.EXE) Inno Setup installer (107240/4/30) 23.8% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 3.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.7% (.EXE) Win64 Executable (generic) (6522/11/2) 2.5% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
dhash icon	2b232b3b33231b17 (1 x Amadey)
Reporter	Bitsight
Tags:	d52f85 dropped-by-amadey exe

Bitsight

url: http://62.60.226.140/files/5279938618/oCNUppJ.exe

Intelligence

File Origin

# of uploads :

# of downloads :

142

Origin country :

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/05500445-a520-45a8-96be-51b03545033f/

Malware family:

n/a

ID:

File name:

_9c52b234c2f87beac902c2c2bec0db2f3c03a7dffab99a8251dfba40fd2ec297.exe

Verdict:

Malicious activity

Analysis date:

2026-06-05 22:31:58 UTC

Tags:

delphi inno installer sainbox rat auto-reg golang upx

Link:

https://app.any.run/tasks/4ce12f5b-c3a7-4e3d-bbe2-4342781a3dd4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/69282/

Detection(s):

SecuriteInfo.com.Variant.Application.Cerbu.78423-1.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a234dcdf8676ad4d3618c92

Tags:

dropper delphi virus

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Searching for synchronization primitives

DNS request

Using the Windows Management Instrumentation requests

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

adaptive-context anti-debug crypto embarcadero_delphi evasive expand fingerprint inno installer installer installer-heuristic lolbin packed reconnaissance

Link:

https://www.filescan.io/uploads/6a234dc612da0d249c6698a2/reports/ef2f709e-5e13-4f96-b2cc-898abf130763/overview

Verdict:

Malicious

Labled as:

TrojanDldr.OffLoader.gen

Link:

https://www.hybrid-analysis.com/sample/9c52b234c2f87beac902c2c2bec0db2f3c03a7dffab99a8251dfba40fd2ec297

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-06-05T19:48:00Z UTC

Last seen:

2026-06-05T21:58:00Z UTC

Hits:

~10

Detections:

Trojan.Win32.Agent.xcehen Trojan.Agent.UDP.ServerRequest

Link:

https://opentip.kaspersky.com/9c52b234c2f87beac902c2c2bec0db2f3c03a7dffab99a8251dfba40fd2ec297/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/fb26fdd9-c027-416c-aaab-12a7000dad55

Score:

63%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/9c52b234c2f87beac902c2c2bec0db2f3c03a7dffab99a8251dfba40fd2ec297

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9c52b234c2f87beac902c2c2bec0db2f3c03a7dffab99a8251dfba40fd2ec297/

Verdict:

Malicious

Link:

https://tip.neiki.dev/file/9c52b234c2f87beac902c2c2bec0db2f3c03a7dffab99a8251dfba40fd2ec297

Threat name:

Win32.Malware.Heuristic

Status:

Malicious

First seen:

2026-06-05 22:29:33 UTC

File Type:

PE (Exe)

AV detection:

9 of 23 (39.13%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=trjlengc7b56vsicylbl5qg3f46ahj677k4zvasr365eb7joyklq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery installer

Link:

https://tria.ge/reports/260605-2effmsfx8r/

Behaviour

Suspicious use of WriteProcessMemory

Inno Setup is an open-source installation builder for Windows applications.

System Location Discovery: System Language Discovery

Executes dropped EXE

Loads dropped DLL

Unpacked files

SH256 hash:

9c52b234c2f87beac902c2c2bec0db2f3c03a7dffab99a8251dfba40fd2ec297

MD5 hash:

66f4c23a7070daf36cb28959e167d6f7

SHA1 hash:

745ca75bb5151561f7abbb90a82e9b69eca6aeba

Link:

https://www.unpac.me/results/e10b903c-c82f-484f-8c66-8af330bcc02b/

SH256 hash:

890f7b59248025833cef0ad629f6d1538c0968c2c9b71c892fe3d978d15ba0f5

MD5 hash:

ad1f316d5aa17089decebaad70853310

SHA1 hash:

302247f5c3bfb1709511cd7037d72e1f98462e11

Link:

https://www.unpac.me/results/e10b903c-c82f-484f-8c66-8af330bcc02b/

SH256 hash:

6cdd09f218d1816803fd160790cfaa564dcfde5842d660128064c779f559b858

MD5 hash:

28e2f2ee5fe1d875e63e55437c743595

SHA1 hash:

c53e03dd727b1d9f6de430e0f18c41ed0454d0a1

Link:

https://www.unpac.me/results/e10b903c-c82f-484f-8c66-8af330bcc02b/

SH256 hash:

388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

MD5 hash:

e4211d6d009757c078a9fac7ff4f03d4

SHA1 hash:

019cd56ba687d39d12d4b13991c9a42ea6ba03da

Link:

https://www.unpac.me/results/e10b903c-c82f-484f-8c66-8af330bcc02b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9c52b234c2f87beac902c2c2bec0db2f3c03a7dffab99a8251dfba40fd2ec297

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE Create hunting rule
Author:	CYFARE
Description:	Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:	https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 9c52b234c2f87beac902c2c2bec0db2f3c03a7dffab99a8251dfba40fd2ec297

(this sample)

Dropped by

Amadey

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/69282/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample