MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9fafbc54f006ccefc3c561a8b85799cea15bfa6a6b754c4f41e7202bd06f93a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9fafbc54f006ccefc3c561a8b85799cea15bfa6a6b754c4f41e7202bd06f93a4
SHA3-384 hash: ca87bf90a9b5ae9446bd202b12eadf0bb0f8296f0ed80a140b3e0aa4c028668de3e6cc1cd0739b2b430e3065da3fb492
SHA1 hash: 9d19a7b6535362575ca506006df84734e8dc88fb
MD5 hash: d55ce9b3905b3f365f91809b1ba6b410
humanhash: august-lemon-lemon-charlie
File name:_1_9_f_9fafbc54f006ccefc3c561a8b85799cea15bfa6a6b754c4f41e7202bd06f93a4.file
Download: download sample
File size:79'832'928 bytes
First seen:2026-05-25 10:27:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 20dd26497880c05caed9305b3c8b9109 (31 x Adware.Auslogics, 22 x HijackLoader, 5 x Adware.IObit)
ssdeep 1572864:U4o47w+niahMkREH8C5SHB1Jmz1wiPafa91unp4fRMGJyFEtGzjl:5o4BfhMxcCoHBXy1wZESp4toFE4zB
TLSH T1870833A4BBC15D73E8C023380915A7328E26DC7C67CA8599DC72F53C65BA5C2CF39A52
TrID 84.8% (.EXE) Inno Setup installer (107240/4/30)
5.1% (.EXE) Win64 Executable (generic) (6522/11/2)
3.5% (.EXE) Win32 Executable (generic) (4504/4/1)
1.6% (.EXE) Win16/32 Executable Delphi generic (2072/23)
1.6% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon 92e0b496a6caca72 (4 x NetSupport, 1 x GuLoader, 1 x LummaStealer)
Reporter SquiblydooBlog
Tags:Chat-GPT exe signed

Code Signing Certificate

Organisation:BEYOND TECHNOLOGIES SRL
Issuer:Microsoft ID Verified CS AOC CA 04
Algorithm:sha384WithRSAEncryption
Valid from:2026-05-20T06:39:00Z
Valid to:2026-05-23T06:39:00Z
Serial number: 33000130cf5049cb9b7ff882ba0000000130cf
Cert Graveyard Blocklist:This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 5f995f6e867a7c52a670c44fbdbd0a64d6c3d0f1b90e8df419ab67e58333d9b3
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
133
Origin country :
US US
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/bf36a6f8-4c2a-45a6-9c8c-0ddae725e266/
Malware family:
n/a
ID:
1
File name:
_9fafbc54f006ccefc3c561a8b85799cea15bfa6a6b754c4f41e7202bd06f93a4.exe
Verdict:
No threats detected
Analysis date:
2026-05-25 10:40:15 UTC
Tags:
inno installer delphi nodejs
Link:
https://app.any.run/tasks/46964759-f8ce-4120-b35b-741a2c498364

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a1424585b1db29f5a47987f
Tags:
ransomware vmdetect dropper remo
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Restart of the analyzed sample
Creating a process with a hidden window
Searching for synchronization primitives
Moving a file to the %temp% subdirectory
Running batch commands
Launching a process
Unauthorized injection to a recently created process
Loading a suspicious library
Using the Windows Management Instrumentation requests
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/9fafbc54f006ccefc3c561a8b85799cea15bfa6a6b754c4f41e7202bd06f93a4
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-05-25T07:45:00Z UTC
Last seen:
2026-05-27T01:42:00Z UTC
Hits:
~10
Detections:
Trojan.Win64.Agent.smghrh
Link:
https://opentip.kaspersky.com/9fafbc54f006ccefc3c561a8b85799cea15bfa6a6b754c4f41e7202bd06f93a4/results?tab=lookup
Score:
13%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/9fafbc54f006ccefc3c561a8b85799cea15bfa6a6b754c4f41e7202bd06f93a4
Gathering data
Verdict:
Malicious
Threat:
Trojan.Win64.Agent
Link:
https://tip.neiki.dev/file/9fafbc54f006ccefc3c561a8b85799cea15bfa6a6b754c4f41e7202bd06f93a4
Threat name:
Win32.Trojan.Malgent
Create hunting rule
Status:
Malicious
First seen:
2026-05-21 22:05:06 UTC
File Type:
PE (Exe)
Extracted files:
298
AV detection:
7 of 24 (29.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t6x3yvhqa3go7q6fmgulqv4zz2qvx6tknn2uyt2b44qcxudpsosa._file
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery execution installer
Link:
https://tria.ge/reports/260525-mhx3jagx6w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Inno Setup is an open-source installation builder for Windows applications.
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments