MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c15305f17dcc121c4607726dfaa1b7a64a0a18332b9ae9fb10e4db93cbf02def. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 9



SHA256 hash: c15305f17dcc121c4607726dfaa1b7a64a0a18332b9ae9fb10e4db93cbf02def
SHA3-384 hash: 826a3a6799e93687f37661a77795a02e891e5695fb8d61834ef9b1ce18cd41a4381ea11bd93425b6394b6fa02a0a938c
SHA1 hash: a0d923b5707854481257ca420c1c1cbff07c1809
MD5 hash: f523ad35a76a1c97f7b3f66dee004076
humanhash: tango-berlin-six-finch
File name: KanKan_kk360Setup.exe
File size: 4'469'264 bytes
First seen: 2025-11-10 08:17:01 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep: 98304:sZxwHNdH51tcX/jP12be2LcMCw0bkhqcHmTBmsVo1X:dgjEbe2d0bAqcHsBTVo1X
TLSH: T1152612C9A440052ED00E0ABA397FDE054A2AEFD453992E1C9DFE934F8A31D513D35B6B
TrID: 92.7% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
      3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      1.1% (.EXE) Win64 Executable (generic) (10522/11/4)
      0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika: pebin
Reporter: juroots
Tags: exe signed

Code Signing Certificate

Organisation: 厦门美图之家科技有限公司
Issuer: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm: sha256WithRSAEncryption
Valid from: 2023-03-30T00:00:00Z
Valid to: 2026-04-01T23:59:59Z
Serial number: 0a15a772111aec30011be076cefe6e81
Thumbprint algorithm: SHA256
Thumbprint: f348184311636a2b7f4ea7a262ab2c9326d91c3eff6c3fa21d4f1980767fc839
Source: ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
Uploads: 1
Downloads: 81
Origin country: CH
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: KanKan_kk360Setup.exe
Verdict: Suspicious activity
Analysis date: 2025-10-14 06:23:34 UTC
Tags: n/a
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 70%
Tags: injection obfusc crypt

Result
Verdict: Clean
Maliciousness:
Behaviour:
    Creating a file in the %temp% subdirectories
    Searching for the window
    Creating a window
    DNS request
    Connection attempt
    Gathering data

Verdict: Clean
File type: PE
First seen: 2023-04-04T07:42:00Z UTC
Last seen: 2025-11-12T00:12:00Z UTC
Hits: ~10000

Malware family: HttpDownLoad Application
Verdict: Suspicious

Verdict: inconclusive
YARA: 5 match(es)
Tags: Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86

Result
Malware family: n/a
Score: 8/10
Tags: bootkit discovery installer persistence
Behaviour:
    Suspicious behavior: EnumeratesProcesses
    Enumerates physical storage devices
    System Location Discovery: System Language Discovery
    Loads dropped DLL

Verdict: Malicious
Tags: Win.Trojan.Tufik-312
YARA: n/a
Unpacked files

SHA256 hash: c15305f17dcc121c4607726dfaa1b7a64a0a18332b9ae9fb10e4db93cbf02def
MD5 hash: f523ad35a76a1c97f7b3f66dee004076
SHA1 hash: a0d923b5707854481257ca420c1c1cbff07c1809

SHA256 hash: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
MD5 hash: c17103ae9072a06da581dec998343fc1
SHA1 hash: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256 hash: 86b302fa9c85dfa0c1c03ba000864a928365dab571f3355347dba02da22949b7
MD5 hash: 2cfba79d485cf441c646dd40d82490fc
SHA1 hash: 83e51ac1115a50986ed456bd18729653018b9619

SHA256 hash: c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
MD5 hash: 325b008aec81e5aaa57096f05d4212b5
SHA1 hash: 27a2d89747a20305b6518438eff5b9f57f7df5c3
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Detect_SliverFox_String
Author: huoji
Description: Detects files that are `SliverFox` malware

Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper drops malware through a base63-encoded PowerShell script.

Rule name: PE_Digital_Certificate
Author: albertzsigovits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download

Executable exe c15305f17dcc121c4607726dfaa1b7a64a0a18332b9ae9fb10e4db93cbf02def (this sample)
Distributed via web download