MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a24ccc3c520e0cbbee0ab7a492fe0e0355f4602a25448ffe79decfb4d4665453. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a24ccc3c520e0cbbee0ab7a492fe0e0355f4602a25448ffe79decfb4d4665453
SHA3-384 hash: fcfe5d3812222c6ed417c15dc9c04a8f1eaaca2da19c7d0bb3184d4f36df1975c4ab306f2c8f88d3964d5091782bf897
SHA1 hash: 33f837ca76f5e1ecb66252def6192e6088c8b5c3
MD5 hash: 1d2b87324c65ca9dc6a6ff77836f4358
humanhash: william-music-xray-jersey
File name:xa24ccc3c520e0cbbee0ab7a492fe0e0355f4602a25448ffe79decfb4d4665453.exe
Download: download sample
File size:1'775'616 bytes
First seen:2026-02-04 08:54:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 638af1c562ad8f76992023c9692ec222 (1 x ConnectWise)
ssdeep 49152:N1H4jR2TYrQbDTrcAy2d/ecOghr/QwEsAJ4:QU/yk2WhbQwEsA
TLSH T10285CF0973E441EDFEABE1768A13C50BC7B178450777862F0660AA766F337716A2E321
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
110
Origin country :
SE SE
Vendor Threat Intelligence
Malware configuration found for:
AutoIt
Details
AutoIt
extracted scripts and files
Link:
https://research.acce.ciphertechsolutions.com/results/b6c6aff9-c27a-4ce2-93f9-46f0ba6b7b67/
Malware family:
n/a
ID:
1
File name:
DESKTOP-N7M3E7U.exe
Verdict:
Malicious activity
Analysis date:
2026-02-02 01:41:30 UTC
Tags:
vipersoftx stealer susp-powershell wmi-base64 autoit
Link:
https://app.any.run/tasks/233735b4-fa02-4e16-a961-2663dff1fee4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/51627/
Detection(s):
SecuriteInfo.com.Variant.Application.Mikey.108266.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69809e11a9ffec4a9609499b
Tags:
autoit emotet
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug autoit compiled-script fingerprint installer-heuristic keylogger microsoft_visual_cc packed
Link:
https://www.filescan.io/uploads/69830939930564ff3c890ca3/reports/b2c7e53b-20db-4480-9738-81152aaaa96a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/a24ccc3c520e0cbbee0ab7a492fe0e0355f4602a25448ffe79decfb4d4665453
Verdict:
Clean
File Type:
exe x64
First seen:
2026-02-02T00:02:00Z UTC
Last seen:
2026-02-02T10:01:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/a24ccc3c520e0cbbee0ab7a492fe0e0355f4602a25448ffe79decfb4d4665453/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c57e3997-ea27-4cdc-93f8-23d0889b15ea
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1863105
Signature
AI detected malicious Powershell script
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to access browser extension known for cryptocurrency wallets
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
Download SVG
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a24ccc3c520e0cbbee0ab7a492fe0e0355f4602a25448ffe79decfb4d4665453
Verdict:
Malware
YARA:
7 match(es)
Tags:
AutoIt Decompiled Executable PDB Path PE (Portable Executable) PE File Layout Suspect Win 64 Exe x64
Link:
https://app.malva.re/file/1d2b87324c65ca9dc6a6ff77836f4358
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a24ccc3c520e0cbbee0ab7a492fe0e0355f4602a25448ffe79decfb4d4665453/
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/a24ccc3c520e0cbbee0ab7a492fe0e0355f4602a25448ffe79decfb4d4665453
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ujgmypcsbyglx3qkw6sjf7qoank7iybkevci77tz33h3jvdgkrjq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion execution persistence
Link:
https://tria.ge/reports/260204-ktzz6abv9e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Obfuscated Files or Information: Command Obfuscation
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Unpacked files
SH256 hash:
a24ccc3c520e0cbbee0ab7a492fe0e0355f4602a25448ffe79decfb4d4665453
MD5 hash:
1d2b87324c65ca9dc6a6ff77836f4358
SHA1 hash:
33f837ca76f5e1ecb66252def6192e6088c8b5c3
Link:
https://www.unpac.me/results/dad66a69-5eaf-43f5-b619-5b2893561a71/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a24ccc3c520e0cbbee0ab7a492fe0e0355f4602a25448ffe79decfb4d4665453

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:TH_Generic_MassHunt_Win_Malware_2025_CYFARE
Create hunting rule
Author:CYFARE
Description:Generic Windows malware mass-hunt rule - 2025
Reference:https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/51627/

Comments