MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c489ffa503624d6de25bed8ea8b340c6f9caa239010b47bb4e433c4dc360b30c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c489ffa503624d6de25bed8ea8b340c6f9caa239010b47bb4e433c4dc360b30c
SHA3-384 hash: f2ec71424ba803f8c9bf8fea0e77e639502c7b38a2aa9e9a56ab3859c933a04399eb48f0dd0ed274f307df36a24e36b9
SHA1 hash: 6012a4c5b457e42f3e4f0cccdf923a3c19424f51
MD5 hash: 6d6614c0266be35c24fc9cfb657e9d45
humanhash: green-five-hot-hydrogen
File name:Installer.iso
Download: download sample
File size:19'814'400 bytes
First seen:2026-04-01 08:15:42 UTC
Last seen:Never
File type: iso
MIME type:application/x-iso9660-image
ssdeep 393216:LAyTJ4fhttfpCr4FVU912QFtS0wNrqkauqQWG0uA1U9Vr2RMxcjiCV+:LAJw4FVUHjor/n7WG05tUCV+
TLSH T1F71733E4C389F4D5C51A8F70FF0E5289DCB245957D05C718F90EA3AEA3F3821B469A26
TrID 88.7% (.NULL) null bytes (2048000/1)
11.0% (.HTP) HomeLab/BraiLab Tape image (256000/1)
0.1% (.ISO) ISO 9660 CD image (2545/36/1)
0.0% (.BIN/MACBIN) MacBinary 1 (1033/5)
0.0% (.SMT) Memo File Apollo Database Engine (88/84)
Magika iso
Reporter aachum
Tags:CNBackdoor iso purecrypter tabbysbakescodes-ws


Avatar
iamaachum
https://dl89sfilesbase.top/downloads/Ls3Hn61E/Packed

C2: https://tabbysbakescodes.ws/CNB/gate.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
45
Origin country :
ES ES
File Archive Information

This file archive contains 2 file(s), sorted by their relevance:

File name:Installer_v3931_x64_.exe
File size:19'761'152 bytes
SHA256 hash: 3d006229cbe5f32f036b0f10ee2876a1d2e9434639c8ba934704d31f73688f0c
MD5 hash: a8672b5a73301420360167933bc6c1f1
MIME type:application/x-dosexec
File name:ReadMe.txt
File size:760 bytes
SHA256 hash: a2b18ffd6f199ad4b53b2475af68a64e771dcb1ee24d87abedb762f5980d0c42
MD5 hash: e0f669790e02a7e490d865deb7f62905
MIME type:text/plain
Vendor Threat Intelligence
Gathering data
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69ccd4556363ca5d27f06c14
Tags:
n/a
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
crypt obfuscated packed packed soft-404 themidawinlicense unsafe xpack
Link:
https://www.filescan.io/uploads/69ccd4502346b9da57b61549/reports/5e1d58ad-8e1b-4eb3-8853-3b1da3845448/overview
Verdict:
Suspicious
Labled as:
W64/Themida.DH.gen
Link:
https://www.hybrid-analysis.com/sample/c489ffa503624d6de25bed8ea8b340c6f9caa239010b47bb4e433c4dc360b30c
Result
Gathering data
Verdict:
Clean
File Type:
ISO 9660
Link:
https://opentip.kaspersky.com/c489ffa503624d6de25bed8ea8b340c6f9caa239010b47bb4e433c4dc360b30c/results?tab=lookup
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c489ffa503624d6de25bed8ea8b340c6f9caa239010b47bb4e433c4dc360b30c/
Verdict:
Susipicious
Link:
https://tip.neiki.dev/file/c489ffa503624d6de25bed8ea8b340c6f9caa239010b47bb4e433c4dc360b30c
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yse77jidmjgw3ys35whkrm2ay344virzaefupo2oim6e3q3awmga._file
Result
Malware family:
n/a
Score:
  9/10
Tags:
defense_evasion execution persistence themida trojan
Link:
https://tria.ge/reports/260401-k8nknsaw7k/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Looks up external IP address via web service
Checks BIOS information in registry
Executes dropped EXE
Themida packer
Command and Scripting Interpreter: PowerShell
Looks for VMWare Tools registry key
Enumerates VirtualBox registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Looks for VirtualBox Guest Additions in registry
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/c489ffa503624d6de25bed8ea8b340c6f9caa239010b47bb4e433c4dc360b30c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:win32_dotnet_obfuscate
Create hunting rule
Author:Reedus0
Description:Rule for detecting .NET obfuscated malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

iso c489ffa503624d6de25bed8ea8b340c6f9caa239010b47bb4e433c4dc360b30c

(this sample)

Executable exe 3d006229cbe5f32f036b0f10ee2876a1d2e9434639c8ba934704d31f73688f0c

  
Link
https://tria.ge/260401-js6kwacy5y/behavioral2
  
Delivery method
Distributed via web download
  
Dropping
SHA256 3d006229cbe5f32f036b0f10ee2876a1d2e9434639c8ba934704d31f73688f0c
  
Dropping
MD5 a8672b5a73301420360167933bc6c1f1

Comments