MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5606dc2a94800b9e5cee08c838b9c3a6ea46218a046a0ffa8939cffa0faae42. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c5606dc2a94800b9e5cee08c838b9c3a6ea46218a046a0ffa8939cffa0faae42
SHA3-384 hash: b2979c695be616f70d46f0c001d5304edde2c232cdeda21d1a976eb80d7c97cc33b2047c4279b35070031ac9da04d478
SHA1 hash: 2003b8b9cfaea4e3021132d40689146d72351770
MD5 hash: 921a931e8fffbc9bce31fcf4182b69ce
humanhash: gee-utah-arkansas-video
File name:ChromeSetup.exe
Download: download sample
File size:11'173'062 bytes
First seen:2025-12-28 17:10:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 573bb7b41bc641bd95c0f5eec13c233b (32 x GuLoader, 17 x RemcosRAT, 16 x VIPKeylogger)
ssdeep 196608:b6UF6skggF5LXCG9GZjE1lG5R6pF6+Co6MdU37SNM1MMPnd74WmUnkHf7rfw8t0J:bzFYPLLIZjE166pFtMx7K8ffNmwkHf7e
Threatray 8 similar samples on MalwareBazaar
TLSH T1F3B63342A0160B56F2157CF3107CAAB86232DEFB5A40C1F6376997E9A93679FB4DF001
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon e862eae6b692c6ee (3 x Azov, 1 x CoinMiner.XMRig, 1 x Worm.m0yv)
Reporter Ling
Tags:exe Trojan:Win32/Wacatac.F!ml wacatac


Avatar
CNGaoLing
Trojan:Win32/Wacatac.F!ml

Intelligence

File Origin
# of uploads :
1
# of downloads :
113
Origin country :
US US
Vendor Threat Intelligence
Malware configuration found for:
NSIS
Details
NSIS
extracted archive contents
Link:
https://research.acce.ciphertechsolutions.com/results/8eb8d015-b654-4b4d-9458-7ad1558cec6d/
Malware family:
n/a
ID:
1
File name:
ChromeSetup.exe
Verdict:
No threats detected
Analysis date:
2025-12-28 17:12:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2884f2ba-707f-4061-a3e0-8406fc9672ec

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/46320/
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=695164b44503237b77fc13b5
Tags:
n/a
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug anti-vm base64 blackhole expand explorer fingerprint installer installer installer-heuristic lolbin microsoft_visual_cc nsis obfuscated overlay packed
Link:
https://www.filescan.io/uploads/695164b029529c74a2f579b5/reports/75eb897a-cdb6-4061-9ba8-85ca167e56f1/overview
Verdict:
Malicious
Labled as:
Trojan.Agent
Link:
https://www.hybrid-analysis.com/sample/c5606dc2a94800b9e5cee08c838b9c3a6ea46218a046a0ffa8939cffa0faae42
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-28T07:59:00Z UTC
Last seen:
2025-12-30T14:44:00Z UTC
Hits:
~100
Detections:
Trojan.Win64.Agentb.sb Trojan.Win32.Shellcode.sb Trojan.Win32.Shellcode.kfj Trojan.Win32.Shellcode.kfi
Link:
https://opentip.kaspersky.com/c5606dc2a94800b9e5cee08c838b9c3a6ea46218a046a0ffa8939cffa0faae42/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/5f70e3bb-a3dd-414c-985d-4d28680a89d2
Score:
82%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c5606dc2a94800b9e5cee08c838b9c3a6ea46218a046a0ffa8939cffa0faae42
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable NSIS Installer PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/921a931e8fffbc9bce31fcf4182b69ce
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c5606dc2a94800b9e5cee08c838b9c3a6ea46218a046a0ffa8939cffa0faae42/
Verdict:
Malicious
Threat:
Trojan.Win32.Shellcode
Link:
https://tip.neiki.dev/file/c5606dc2a94800b9e5cee08c838b9c3a6ea46218a046a0ffa8939cffa0faae42
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-12-28 13:45:56 UTC
File Type:
PE (Exe)
Extracted files:
159
AV detection:
15 of 38 (39.47%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yvqg3qvjjaaltzoo4cgihc44hjxkiyqyubdkb75isoop7ih2vzba._file
Verdict:
malicious
Label(s):
valleyrat
Create hunting rule
Similar samples:
380bcae2cbe211bfdb5229ef129d3188a3aeca61c2e3e20888b1dc29020b3d1a
49fa3fee27b382e936ea7b98b58fd1c24c71f535cbf042f599541bf16fc9c0c5
53ba47c9dbe3667d6e10f3645ceec4e9b5f5691dc4839078c8ddbf43671a0e2c
880748db45b75bc9d567a0ea826655869a4cb989485766b7c97ecd6cb5ef1c0d
96aacc8331bc06e88c7b696aa8f2da19162400204ac86abf7e32d2b0142f2baf
d8282ae9485c170bc5728e80cd77882b7b5b6023c99a4e59e7e611a78a17ba74
eaac61070792b52ba78aa14430ade163893e33d225f73d2bdab795552dc700cd
error
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion discovery persistence privilege_escalation spyware stealer trojan
Link:
https://tria.ge/reports/251228-vqa7qsxrfk/
Behaviour
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8b71b5f7-0e01-468d-949a-c8f82d07fb14
Unpacked files
SH256 hash:
c5606dc2a94800b9e5cee08c838b9c3a6ea46218a046a0ffa8939cffa0faae42
MD5 hash:
921a931e8fffbc9bce31fcf4182b69ce
SHA1 hash:
2003b8b9cfaea4e3021132d40689146d72351770
Link:
https://www.unpac.me/results/0ea0199d-f640-46d1-8b8c-973f3515ec85/
SH256 hash:
810e9879fdb18d0a5d68cd455b7187c62eb44fe585346a34f17b8802ad065482
MD5 hash:
66359e7e445803478383f3d2d35e9c6b
SHA1 hash:
39fadda30aa9ccca73314db31fc8aaceef126393
Link:
https://www.unpac.me/results/0ea0199d-f640-46d1-8b8c-973f3515ec85/
SH256 hash:
8b4c47c4cf5e76ec57dd5a050d5acd832a0d532ee875d7b44f6cdaf68f90d37c
MD5 hash:
9b38a1b07a0ebc5c7e59e63346ecc2db
SHA1 hash:
97332a2ffcf12a3e3f27e7c05213b5d7faa13735
Link:
https://www.unpac.me/results/0ea0199d-f640-46d1-8b8c-973f3515ec85/
SH256 hash:
998a45f00f2cc361795c13e127f1bd31bbcd5f34ae93c1afe18d2fcd9ef51854
MD5 hash:
584e9b8e6007197c8dcd2f46745ae8e9
SHA1 hash:
49eeb7f62bfee787acbb88b02a75f3fc50396c64
Link:
https://www.unpac.me/results/0ea0199d-f640-46d1-8b8c-973f3515ec85/
SH256 hash:
b1350f487692057c8ffde75dcc55287a52a3272240d4d4912f24464b27551fc0
MD5 hash:
8f0e7415f33843431df308bb8e06af81
SHA1 hash:
1314272e6ad3be1985d4a1607b890a34b0bde8b5
Link:
https://www.unpac.me/results/0ea0199d-f640-46d1-8b8c-973f3515ec85/
Malware family:
ValleyRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c5606dc2a948/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c5606dc2a94800b9e5cee08c838b9c3a6ea46218a046a0ffa8939cffa0faae42

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe c5606dc2a94800b9e5cee08c838b9c3a6ea46218a046a0ffa8939cffa0faae42

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/46320/

Comments