MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 beea2c351f31771d2e6fc284509212a4f69e74f06dcdc9385eff85372dbf71b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: beea2c351f31771d2e6fc284509212a4f69e74f06dcdc9385eff85372dbf71b6
SHA3-384 hash: a3b507f558e0087ca210af2dd08f720c6e3a42ad7bbc8e8b2e674c3759af5f201175bb8b48cb88cb7cb44aa46ffebb49
SHA1 hash: 676a710824d2b5bfc07864cab8bba08dc4c8ce47
MD5 hash: dc6833c9a5817e213e0fafd58523a3ee
humanhash: arkansas-kitten-rugby-fish
File name:SecuriteInfo.com.Trojan.MulDrop33.28141.5690.20756
Download: download sample
File size:1'252'864 bytes
First seen:2026-03-02 17:21:12 UTC
Last seen:2026-03-02 18:36:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash aaccd3027895e88f71ee1337a879e66c
ssdeep 24576:eMXJjhJGc8w2UNiXTtniFuuNvGgjjsrdcAONdA22xVK8LRPo4WDD9/wr9W:eM5lOAiXTQn
TLSH T188454A5AE7A114E4EC77D1BC88815206FBB0B8684720D7DB73AC851A1F336E89E3DB54
TrID 37.0% (.EXE) Win64 Executable (generic) (6522/11/2)
28.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.5% (.EXE) OS/2 Executable (generic) (2029/13)
11.3% (.EXE) Generic Win/DOS Executable (2002/3)
11.3% (.EXE) DOS Executable (generic) (2000/1)
Magika pebin
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
125
Origin country :
FR FR
Vendor Threat Intelligence
Malware configuration found for:
PECrypter
Details
PECrypter
extracted PE file component(s) (plaintext) from the .data section
Link:
https://research.acce.ciphertechsolutions.com/results/1ae97514-0c18-41c7-949c-42b29d03031a/
Malware family:
n/a
ID:
1
File name:
BrokerLib.exe
Verdict:
Malicious activity
Analysis date:
2025-08-19 11:07:12 UTC
Tags:
amifldrv-sys vuln-driver amifldrv64-sys
Link:
https://app.any.run/tasks/ed56f7d1-d840-4d6e-9503-1318664191b8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/55290/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop33.28141.5690.20756.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69a5c721e1f958bf6682ca52
Tags:
ransomware delshad virus sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Launching a process
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Сreating synchronization primitives
Creating a service
Launching a service
Loading a system driver
DNS request
Enabling autorun for a service
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/beea2c351f31771d2e6fc284509212a4f69e74f06dcdc9385eff85372dbf71b6
Verdict:
Malicious
File Type:
exe x64
First seen:
2024-07-26T09:51:00Z UTC
Last seen:
2026-01-31T02:28:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/beea2c351f31771d2e6fc284509212a4f69e74f06dcdc9385eff85372dbf71b6/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/2b18e909-ac96-4eaa-8558-8fef2e7b8be8
Score:
92%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/beea2c351f31771d2e6fc284509212a4f69e74f06dcdc9385eff85372dbf71b6
Verdict:
inconclusive
YARA:
3 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/dc6833c9a5817e213e0fafd58523a3ee
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/beea2c351f31771d2e6fc284509212a4f69e74f06dcdc9385eff85372dbf71b6/
Verdict:
Malicious
Threat:
Trojan.Win32.DelShad
Link:
https://tip.neiki.dev/file/beea2c351f31771d2e6fc284509212a4f69e74f06dcdc9385eff85372dbf71b6
Threat name:
Win64.Trojan.Malgent
Create hunting rule
Status:
Malicious
First seen:
2024-07-09 17:28:02 UTC
File Type:
PE+ (Exe)
Extracted files:
14
AV detection:
22 of 36 (61.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x3vcyni7gf3r2ltpykcfbeqsut3j45hqnxg4soc676ctoln7og3a._file
Result
Malware family:
n/a
Score:
  9/10
Tags:
defense_evasion execution impact ransomware
Link:
https://tria.ge/reports/260302-vw5zasay9c/
Behaviour
Interacts with shadow copies
Runs net.exe
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Drops file in Windows directory
Drops file in System32 directory
Executes dropped EXE
Deletes shadow copies
Unpacked files
SH256 hash:
beea2c351f31771d2e6fc284509212a4f69e74f06dcdc9385eff85372dbf71b6
MD5 hash:
dc6833c9a5817e213e0fafd58523a3ee
SHA1 hash:
676a710824d2b5bfc07864cab8bba08dc4c8ce47
Link:
https://www.unpac.me/results/d5d1a91c-9063-4bf9-ba65-6ee3acc8540b/
SH256 hash:
37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba
MD5 hash:
785045f8b25cd2e937ddc6b09debe01a
SHA1 hash:
029c678674f482ababe8bbfdb93152392457109d
Link:
https://www.unpac.me/results/d5d1a91c-9063-4bf9-ba65-6ee3acc8540b/
SH256 hash:
2df953b5a7859d620658e0e2cdf7f6180645d8fa1c8c661a1b066a89809f81fc
MD5 hash:
bb3a32c31308e830d0e2cc737960b541
SHA1 hash:
012925200a71117d376318da9cdee0d09950fdf0
Link:
https://www.unpac.me/results/d5d1a91c-9063-4bf9-ba65-6ee3acc8540b/
SH256 hash:
395de87304bc51b187095812afa5cff8e6b88c38d5a2848eb8b2291fa5375a58
MD5 hash:
f0e5ac5caa885e6fb22ea0b68ef94c39
SHA1 hash:
7916702421a52a9841c6d0ca9f3ab6ffbbfcc92f
Link:
https://www.unpac.me/results/d5d1a91c-9063-4bf9-ba65-6ee3acc8540b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/beea2c351f31771d2e6fc284509212a4f69e74f06dcdc9385eff85372dbf71b6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Golang_Find_CSC846
Create hunting rule
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:Golang_Find_CSC846_Simple
Create hunting rule
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Suspicious_Process
Create hunting rule
Author:Security Research Team
Description:Suspicious process creation
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe beea2c351f31771d2e6fc284509212a4f69e74f06dcdc9385eff85372dbf71b6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3788629/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/55290/

Comments