MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a525da1ab2af6c34d7a997bda66b7d99381cfece9aabbe620981fefa49d29f76. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 12

Intelligence 12 IOCs YARA 6 File information Comments

SHA256 hash:	a525da1ab2af6c34d7a997bda66b7d99381cfece9aabbe620981fefa49d29f76
SHA3-384 hash:	5ee82b1933dddb1aa6d47bb8e5af82f4dde879a720fd39cc0d9f1b53c9972cd2b5b51224799f3d879c8e06627119b6e4
SHA1 hash:	1831544eb5ccf458bd9812bfc40045be4abffb21
MD5 hash:	d59b642d0f53f0e227969e87ee38a31b
humanhash:	angel-louisiana-wolfram-zebra
File name:	file
Download:	download sample
File size:	3'574'034 bytes
First seen:	2026-01-16 13:08:14 UTC
Last seen:	2026-01-17 13:08:36 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'522 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep	49152:B9x/BgU1f28J/5yDBYUoNi5ZO+ZBYLt9At3tqCWGt9Lsjtsk3Dhj1K2q9ChVF:/x/BgqpJBIjoj+ZMf8sCDetFpLF
TLSH	T1DEF5336370E04432DDD71D740CA2EB7502763A953AD6A10E3BD8AA8FCBB7F534906693
TrID	76.2% (.EXE) Inno Setup installer (107240/4/30) 10.0% (.EXE) Win32 Executable Delphi generic (14182/79/4) 4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-Stealc exe gfdhgcxww

Bitsight

url: http://62.60.226.159/grid-enabled_7888.43.58.91_INSTALL.exe

Intelligence

File Origin

# of uploads :

# of downloads :

118

Origin country :

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/a2a9dac2-e52d-4afd-aa28-eb7d776d7584/

Malware family:

asyncrat

ID:

File name:

https://rdmfile.eu/install/FNzpWqmJ6jjn

Verdict:

Malicious activity

Analysis date:

2026-01-15 18:06:00 UTC

Tags:

stealer stealc auto xworm rat loader arch-doc asyncrat remote

Link:

https://app.any.run/tasks/7ea5f462-3f7f-4d7d-bdcf-5ce000931980

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/49079/

Detection(s):

SecuriteInfo.com.Win32.Malware-gen.26437767.UNOFFICIAL

Verdict:

Malicious

Score:

94.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=696a3852ef906a21abcdb951

Tags:

injection dropper virus

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context anti-debug anti-vm borland_delphi crypto evasive explorer fingerprint fingerprint fingerprint hacktool inno installer installer installer-heuristic keylogger lolbin overlay overlay packed packed packed regedit soft-404

Link:

https://www.filescan.io/uploads/696a384f2ea17ed89951df0d/reports/76d1e9fa-67f1-4ab7-8558-4a5f62e311cb/overview

Verdict:

Malicious

Labled as:

Suspicious:InstallCore.XB.hwzw

Link:

https://www.hybrid-analysis.com/sample/a525da1ab2af6c34d7a997bda66b7d99381cfece9aabbe620981fefa49d29f76

Result

Gathering data

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-01-15T15:57:00Z UTC

Last seen:

2026-01-15T18:31:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/a525da1ab2af6c34d7a997bda66b7d99381cfece9aabbe620981fefa49d29f76/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c4568f20-ce21-4b53-862e-119118f716b0

Score:

21%

Verdict:

Benign

File Type:

Link:

https://malprob.io/report/a525da1ab2af6c34d7a997bda66b7d99381cfece9aabbe620981fefa49d29f76

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a525da1ab2af6c34d7a997bda66b7d99381cfece9aabbe620981fefa49d29f76/

Verdict:

Malicious

Threat:

DangerousObject.Multi

Link:

https://tip.neiki.dev/file/a525da1ab2af6c34d7a997bda66b7d99381cfece9aabbe620981fefa49d29f76

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uus5ugvsv5wdjv5js662m235te4bz7wotkv34yqjqh7pusost53a._file

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery installer persistence upx

Link:

https://tria.ge/reports/260116-qdft8shy7g/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Inno Setup is an open-source installation builder for Windows applications.

System Location Discovery: System Language Discovery

Drops file in System32 directory

UPX packed file

Executes dropped EXE

Loads dropped DLL

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/260d46f9-c469-4c2f-a545-2cf420488f2a

Unpacked files

SH256 hash:

a525da1ab2af6c34d7a997bda66b7d99381cfece9aabbe620981fefa49d29f76

MD5 hash:

d59b642d0f53f0e227969e87ee38a31b

SHA1 hash:

1831544eb5ccf458bd9812bfc40045be4abffb21

Link:

https://www.unpac.me/results/0203e554-8fea-4952-a873-541ce3b0e97f/

SH256 hash:

002516f5a120d8516cd3b0d754c9482d72551309668d3f404d1581dd4b0224c2

MD5 hash:

b81e34e9289fd18e31ceec65156dfc2f

SHA1 hash:

f0d5ed9d51a53831f41ecca3e5048c0145175eee

Link:

https://www.unpac.me/results/0203e554-8fea-4952-a873-541ce3b0e97f/

SH256 hash:

b20a8d88c550981137ed831f2015f5f11517aeb649c29642d9d61dea5ebc37d1

MD5 hash:

526426126ae5d326d0a24706c77d8c5c

SHA1 hash:

68baec323767c122f74a269d3aa6d49eb26903db

Link:

https://www.unpac.me/results/0203e554-8fea-4952-a873-541ce3b0e97f/

SH256 hash:

44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0

MD5 hash:

9c8886759e736d3f27674e0fff63d40a

SHA1 hash:

ceff6a7b106c3262d9e8496d2ab319821b100541

Link:

https://www.unpac.me/results/0203e554-8fea-4952-a873-541ce3b0e97f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a525da1ab2af6c34d7a997bda66b7d99381cfece9aabbe620981fefa49d29f76

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	ProgramLanguage_Rust Create hunting rule
Author:	albertzsigovits
Description:	Application written in Rust programming language

Rule name:	ScanStringsInsocks5systemz Create hunting rule
Author:	Byambaa@pubcert.mn
Description:	Scans presence of the found strings using the in-house brute force method

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe a525da1ab2af6c34d7a997bda66b7d99381cfece9aabbe620981fefa49d29f76

(this sample)

Dropped by

StealC

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3758950/

Cape

https://www.capesandbox.com/analysis/49079/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample