MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c39ed32b41c2e88ca57069ced2175fbdcbb100e11e5df62717bfbf199d285ad1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c39ed32b41c2e88ca57069ced2175fbdcbb100e11e5df62717bfbf199d285ad1
SHA3-384 hash: aba7d0b56a49af8e2788386ce082d9fe72d699446e87344c8f179481f8e12db7b1fa2d505e0d34b5a30679bb014fbfb1
SHA1 hash: a697bfd115c2155887580abb39ff4763aff07c67
MD5 hash: 5b6d432a44ebe07628c7390c91ffc7da
humanhash: fanta-golf-arkansas-december
File name:c39ed32b41c2e88ca57069ced2175fbdcbb100e11e5df62717bfbf199d285ad1
Download: download sample
File size:5'042'976 bytes
First seen:2025-03-20 06:38:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 48aa5c8931746a9655524f67b25a47ef (4 x Adware.Generic, 3 x AsyncRAT, 3 x Vidar)
ssdeep 98304:iIY+m6ffi1aFdG05Jx8Q1Ju4VSN+M061Gmp2EMpOS2K6nTubywubIn:iItvffkaFtJxf0ozMZ1lppMpO7K6TYRn
TLSH T1B9363351D2E688F2FC6ECDB18875C1049C6BB8E816E1605E1EBDC60F5DF650AC87326B
TrID 70.9% (.EXE) Inno Setup installer (107240/4/30)
9.3% (.EXE) Win32 Executable Delphi generic (14182/79/4)
6.9% (.EXE) Win64 Executable (generic) (10522/11/4)
4.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
2.9% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter JAMESWT_WT
Tags:172-86-72-81 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
338
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c39ed32b41c2e88ca57069ced2175fbdcbb100e11e5df62717bfbf199d285ad1
Verdict:
Malicious activity
Analysis date:
2025-03-20 06:42:20 UTC
Tags:
delphi
Link:
https://app.any.run/tasks/81d57a8f-4e50-40eb-b2a9-4a927156ac1b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
98.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67dbb828115e7b48b48ef7e8
Tags:
vmdetect
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Creating a file
Searching for synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
embarcadero_delphi fingerprint installer invalid-signature overlay signed
Link:
https://www.filescan.io/uploads/67dbb8201dd35ee4a0e90936/reports/b9109f92-4b8a-4536-b1c9-4ee9da6bddd5/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/c39ed32b41c2e88ca57069ced2175fbdcbb100e11e5df62717bfbf199d285ad1
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/1f293d85-66ed-4c44-99f6-78a99dcc992b
Result
Threat name:
n/a
Detection:
suspicious
Classification:
evad
Score:
26 / 100
Link:
https://www.joesandbox.com/analysis/1643837
Signature
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
Score:
52%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/c39ed32b41c2e88ca57069ced2175fbdcbb100e11e5df62717bfbf199d285ad1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c39ed32b41c2e88ca57069ced2175fbdcbb100e11e5df62717bfbf199d285ad1/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yopngk2byluizjlqnhhnef27xxf3cahbdzo7mjyxx67rthjilliq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/250320-hewcbawsfz/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/149714c2-37de-4472-b31a-d0fac17309d7
Unpacked files
SH256 hash:
c39ed32b41c2e88ca57069ced2175fbdcbb100e11e5df62717bfbf199d285ad1
MD5 hash:
5b6d432a44ebe07628c7390c91ffc7da
SHA1 hash:
a697bfd115c2155887580abb39ff4763aff07c67
Link:
https://www.unpac.me/results/d236a8bf-0abf-4639-86bc-a95a00da7559/
SH256 hash:
6780d4f9279c4bb50d24ddfedec54bd149f67770c8f50dbe2f65e0f5b1b92344
MD5 hash:
95343fe655761f106e1025ba4e582475
SHA1 hash:
0a61e39fc2c75791c282c36c2504c186edafca72
Detections:
INDICATOR_SUSPICIOUS_EXE_SandboxProductID
Create hunting rule
Link:
https://www.unpac.me/results/d236a8bf-0abf-4639-86bc-a95a00da7559/
SH256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
Link:
https://www.unpac.me/results/d236a8bf-0abf-4639-86bc-a95a00da7559/
SH256 hash:
e11389939ddc4f90c95c14df6a9fe3ca3a77246d2b1fe462b2fc2f349284cda1
MD5 hash:
2d277e06d17eeade373358151dc130b2
SHA1 hash:
fe11082458a92f7e2277ecf8ad0a9218c9806d3f
Link:
https://www.unpac.me/results/d236a8bf-0abf-4639-86bc-a95a00da7559/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c39ed32b41c2e88ca57069ced2175fbdcbb100e11e5df62717bfbf199d285ad1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
SECURITY_BASE_APIUses Security Base APIadvapi32.dll::AdjustTokenPrivileges
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CreateProcessW
advapi32.dll::OpenProcessToken
kernel32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryExW
kernel32.dll::LoadLibraryW
kernel32.dll::GetSystemInfo
kernel32.dll::GetStartupInfoA
kernel32.dll::GetDiskFreeSpaceW
kernel32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateDirectoryW
kernel32.dll::CreateFileW
kernel32.dll::DeleteFileW
kernel32.dll::GetWindowsDirectoryW
kernel32.dll::GetFileAttributesW
kernel32.dll::FindFirstFileW
WIN_BASE_USER_APIRetrieves Account Informationadvapi32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExW
advapi32.dll::RegQueryValueExW
WIN_USER_APIPerforms GUI Actionsuser32.dll::PeekMessageW
user32.dll::CreateWindowExW

Comments