MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9aca0cf9b1edcab4813ee44d52297f5d525343afe807b950e1bd998870a9a0f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 9

Intelligence 9 IOCs YARA 6 File information Comments

SHA256 hash:	c9aca0cf9b1edcab4813ee44d52297f5d525343afe807b950e1bd998870a9a0f
SHA3-384 hash:	f3071060f83006d7f8207f1cb9f1963c579e9aef4a5a87e96618e983b5a0d6d75f002f96e4660a96ba5ec3b12f2f1238
SHA1 hash:	e7a92f676ac878daf47b38db099d47060d61821d
MD5 hash:	00a38efd746bb33dd6c3709983832d61
humanhash:	wisconsin-indigo-jupiter-four
File name:	点击安装简体中文语言包.exe
Download:	download sample
File size:	1'738'888 bytes
First seen:	2025-12-06 12:04:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	12f3b7f462c8a9197db6e4cf38c1556e
ssdeep	24576:QgkkecO2EcBrBsTih3oeWBmlEJxXkStLZkcs6wa8PIRtj468:Hk0OXcBrB6ihUvzXZt1k36wxgRtEf
TLSH	T110858C1AAA5C40E1C16AC138C992D94BF6B17C144F75DBEF0A60571E2F37AE14E3EB21
TrID	48.7% (.EXE) Win64 Executable (generic) (10522/11/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	kafan_shengui
Tags:	exe

kafan_shengui

Distributed via Telegram Phishing.

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

点击安装简体中文语言包.exe

Verdict:

Malicious activity

Analysis date:

2025-12-06 11:58:53 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a2f96acc-cb74-4d2d-bfd0-ce94b138ccb2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/42730/

Verdict:

Clean

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69341bc4c61465c74cbbffe4

Tags:

n/a

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug disk expired-cert fingerprint installer-heuristic invalid-signature microsoft_visual_cc packed signed

Link:

https://www.filescan.io/uploads/69341bc0bba50eaf04244446/reports/4b5d7034-9131-445f-8fa5-f36299037521/overview

Verdict:

Suspicious

Labled as:

Malware_56.3

Link:

https://www.hybrid-analysis.com/sample/c9aca0cf9b1edcab4813ee44d52297f5d525343afe807b950e1bd998870a9a0f

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-11-22T00:47:00Z UTC

Last seen:

2025-12-08T02:24:00Z UTC

Hits:

~100

Detections:

BSS:Exploit.Win32.Generic.nblk BSS:Exploit.Win32.Generic Trojan.Win64.Agent.smfape BSS:Trojan.Win32.Generic

Link:

https://opentip.kaspersky.com/c9aca0cf9b1edcab4813ee44d52297f5d525343afe807b950e1bd998870a9a0f/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/d1568391-6af6-4727-b820-5ae131b517f1

Score:

16%

Verdict:

Benign

File Type:

Link:

https://malprob.io/report/c9aca0cf9b1edcab4813ee44d52297f5d525343afe807b950e1bd998870a9a0f

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/00a38efd746bb33dd6c3709983832d61

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c9aca0cf9b1edcab4813ee44d52297f5d525343afe807b950e1bd998870a9a0f/

Verdict:

Susipicious

Link:

https://tip.neiki.dev/file/c9aca0cf9b1edcab4813ee44d52297f5d525343afe807b950e1bd998870a9a0f

Threat name:

Win64.Trojan.Malgent

Status:

Malicious

First seen:

2025-12-02 12:23:20 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

14 of 37 (37.84%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zgwkbt43d3okwsat5zcnkiux6xksknb272ahxfiodpmzrbyktihq._file

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/251206-n8qa2sgr9t/

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/27691069-1c81-462a-a773-27f3268c275e

Unpacked files

SH256 hash:

c9aca0cf9b1edcab4813ee44d52297f5d525343afe807b950e1bd998870a9a0f

MD5 hash:

00a38efd746bb33dd6c3709983832d61

SHA1 hash:

e7a92f676ac878daf47b38db099d47060d61821d

Link:

https://www.unpac.me/results/1c82d081-5704-4d06-811c-0442f3e276d9/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.44

Link:

https://yomi.yoroi.company/submissions/c9aca0cf9b1edcab4813ee44d52297f5d525343afe807b950e1bd998870a9a0f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/42730/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample