MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae9c8b5fbdf178a5628ebf9b310f15d52b4e83ef7d13930dbf34ce25ca92a864. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Koceg


Vendor detections: 15


Intelligence 15 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ae9c8b5fbdf178a5628ebf9b310f15d52b4e83ef7d13930dbf34ce25ca92a864
SHA3-384 hash: 54f05f720ae33410e239703115b8107d1ed7928fe0689e38ede97106d0ea62847128b1c709df0b6f8369ca8e1e4a3259
SHA1 hash: 32b60d67b2f6cd88300330c6ff22f8933663e1a9
MD5 hash: 2dc93c9f7f07aac6b9ad9edea51e49bc
humanhash: lemon-early-wolfram-white
File name:autorun.exe
Download: download sample
Signature Koceg
Create hunting rule
File size:525'334 bytes
First seen:2026-06-05 17:38:12 UTC
Last seen:2026-06-05 17:38:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 08b656407b8d307979dc72c3fcc683a8 (15 x Koceg)
ssdeep 6144:ACZlWG0GN7xOz2x23dNs4U1JOhtpWhkPTu88geJ:ACCs5xOKx2Nhfpnbu88J
Threatray 3 similar samples on MalwareBazaar
TLSH T106B42304178BCFC9E51272B11FC32BF46C36167A84798B9A03EAAFD25B738D94891497
TrID 34.7% (.EXE) UPX compressed Win32 Executable (27066/9/6)
34.1% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
8.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.7% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter qemped
Tags:exe Koceg

Intelligence

File Origin
# of uploads :
2
# of downloads :
127
Origin country :
ID ID
Vendor Threat Intelligence
Malware configuration found for:
PEPacker
Details
Link:
https://research.acce.ciphertechsolutions.com/results/5f667cd6-adc5-40a5-b757-ab38bcb572f6/
Malware family:
n/a
ID:
1
File name:
_ae9c8b5fbdf178a5628ebf9b310f15d52b4e83ef7d13930dbf34ce25ca92a864.exe
Verdict:
Malicious activity
Analysis date:
2026-06-05 17:39:27 UTC
Tags:
auto-reg
Link:
https://app.any.run/tasks/ebb358a1-61da-457d-b63c-44fa249df8ab

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69208/
Detection(s):
Win.Worm.Socks-10058896-0
Create hunting rule

Win.Worm.Socks-10059078-0
Create hunting rule

SecuriteInfo.com.Trojan.Swizzor.Gen.2.15188.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a230992f8676ad4d3617548
Tags:
vmdetect trojware agent sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Enabling the 'hidden' option for recently created files
Launching a process
Creating a file in the Windows subdirectories
Creating a file
Restart of the analyzed sample
Setting a global event handler
DNS request
Connection attempt
Moving a file to the Windows subdirectory
Moving a recently created file
Deleting a recently created file
Creating a window
Replacing files
Creating a file in the mass storage device
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Enabling autorun with the shell\open\command registry branches
Enabling autorun
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm microsoft_visual_cc overlay packed packed upx
Link:
https://www.filescan.io/uploads/6a23098f099ef368af2280a5/reports/78374852-f79d-463b-b7ae-1140782d623b/overview
Verdict:
Malicious
Labled as:
Worm.Socks
Link:
https://www.hybrid-analysis.com/sample/ae9c8b5fbdf178a5628ebf9b310f15d52b4e83ef7d13930dbf34ce25ca92a864
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-06-05T08:13:00Z UTC
Last seen:
2026-06-05T08:26:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/ae9c8b5fbdf178a5628ebf9b310f15d52b4e83ef7d13930dbf34ce25ca92a864/results?tab=lookup
Malware family:
socks
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4d785f23-1a47-4945-99f0-f2c0978beef3
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ae9c8b5fbdf178a5628ebf9b310f15d52b4e83ef7d13930dbf34ce25ca92a864
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ae9c8b5fbdf178a5628ebf9b310f15d52b4e83ef7d13930dbf34ce25ca92a864/
Verdict:
Malicious
Threat:
Trojan-Dropper.Win32.Dinwod
Link:
https://tip.neiki.dev/file/ae9c8b5fbdf178a5628ebf9b310f15d52b4e83ef7d13930dbf34ce25ca92a864
Threat name:
Win32.Worm.Mandaph
Create hunting rule
Status:
Malicious
First seen:
2026-06-05 12:40:00 UTC
File Type:
PE (Exe)
AV detection:
34 of 36 (94.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v2oiwx556f4kkyuox6ntcdyv2uvu5a7ppujzgdn7gthclsusvbsa._file
Verdict:
malicious
Label(s):
obscene
Create hunting rule
Similar samples:
769a3560c21201f48c136363fe59683fbf0dcfcbbd034a0f6590c353b4aceb09
Koceg
error
Koceg
Result
Malware family:
n/a
Score:
  10/10
Tags:
adware discovery persistence stealer upx
Link:
https://tria.ge/reports/260605-v7xr3abw9v/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
UPX packed file
Adds Run key to start application
Enumerates connected drives
Installs/modifies Browser Helper Object
Modifies WinLogon
Executes dropped EXE
Modifies system executable filetype association
Drops file in Drivers directory
Sets service image path in registry
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
ae9c8b5fbdf178a5628ebf9b310f15d52b4e83ef7d13930dbf34ce25ca92a864
MD5 hash:
2dc93c9f7f07aac6b9ad9edea51e49bc
SHA1 hash:
32b60d67b2f6cd88300330c6ff22f8933663e1a9
Link:
https://www.unpac.me/results/bb7cf34d-8d04-4d9a-aa51-651d064a56aa/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ae9c8b5fbdf178a5628ebf9b310f15d52b4e83ef7d13930dbf34ce25ca92a864

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:Suspicious_Process
Create hunting rule
Author:Security Research Team
Description:Suspicious process creation
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:UPXv20MarkusLaszloReiser
Create hunting rule
Author:malware-lu
Rule name:upx_3
Create hunting rule
Author:Kevin Falcoz
Description:UPX 3.X
Rule name:upx_largefile
Create hunting rule
Author:k3nr9
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/69208/

Comments