MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cca26a147c945793b58d4743a0168c8c21ce6cf84e0c6864a3c1f128c826ad29. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 19 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cca26a147c945793b58d4743a0168c8c21ce6cf84e0c6864a3c1f128c826ad29
SHA3-384 hash: 4370a34bd84879e8410c29a5f7cafaef27288dc7afab2542872950e8f8b36beed40462d0598dc46ff8adac4efc2725c7
SHA1 hash: 5baa754fe5778bb7a9731995b531a52b6d6d1c15
MD5 hash: b90cd471bfd4e9770845a854f947c482
humanhash: eighteen-mike-double-speaker
File name:616.exe
Download: download sample
File size:29'417'472 bytes
First seen:2025-06-16 04:03:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7d3753ced62dfefa0c6a6994611c9edd
ssdeep 393216:p4cGdjymVHZGfgbiuo6G32gszX6Uv1tGfvoBOtLoGfhWepJsv6tWKFdu9Cbv0:p4cGdjyaHuSiuoh2gIqUv1wEe
TLSH T1B557AF4BE6B652D1D4BAD0389163622EFC713C99C33467D79285BA0A0B717E4ED3EB40
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
dhash icon f8d0dcf8c8c4cccc
Reporter dght_432
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
613
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
616.exe
Verdict:
Malicious activity
Analysis date:
2025-06-16 03:56:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ac0bc2d2-1fd2-4b01-bd61-3f8492b89adc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/9543/
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=684f97c78bd5d68a12e8be01
Tags:
malware
Result
Verdict:
Clean
Maliciousness:
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/cca26a147c945793b58d4743a0168c8c21ce6cf84e0c6864a3c1f128c826ad29
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1715076
Signature
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain checking for user administrative privileges
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1715076 Sample: 616.exe Startdate: 16/06/2025 Architecture: WINDOWS Score: 96 37 fdsfsffdsf.shop 2->37 43 Multi AV Scanner detection for submitted file 2->43 45 Sigma detected: Rare Remote Thread Creation By Uncommon Source Image 2->45 10 616.exe 2->10         started        13 appidpolicyconverter.exe 1 2->13         started        signatures3 process4 signatures5 55 Found evasive API chain (may stop execution after checking mutex) 10->55 57 Writes to foreign memory regions 10->57 59 Allocates memory in foreign processes 10->59 61 2 other signatures 10->61 15 VSSVC.exe 10->15         started        18 conhost.exe 13->18         started        process6 signatures7 63 Changes memory attributes in foreign processes to executable or writable 15->63 65 Contains functionality to inject threads in other processes 15->65 67 Contains functionality to inject code into remote processes 15->67 69 5 other signatures 15->69 20 svchost.exe 12 1 15->20 injected process8 signatures9 47 Contains functionality to inject threads in other processes 20->47 49 Modifies the context of a thread in another process (thread injection) 20->49 23 svchost.exe 1 20->23         started        27 appidcertstorecheck.exe 1 20->27         started        29 appidcertstorecheck.exe 1 20->29         started        process10 dnsIp11 39 fdsfsffdsf.shop 38.246.248.128, 62099, 80 COGENT-174US United States 23->39 41 54.46.27.143, 49683, 80 AMAZON-AESUS United States 23->41 51 Writes to foreign memory regions 23->51 53 Modifies the context of a thread in another process (thread injection) 23->53 31 winlogon.exe 23->31         started        33 conhost.exe 27->33         started        35 conhost.exe 29->35         started        signatures12 process13
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cca26a147c945793b58d4743a0168c8c21ce6cf84e0c6864a3c1f128c826ad29
Gathering data
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-06-16 03:56:47 UTC
File Type:
PE+ (Exe)
Extracted files:
54
AV detection:
17 of 37 (45.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zsrgufd4srlzhnmni5b2afumrqq443hyjyggqzfdyhysrsbgvuuq._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/250616-emjrpsw1dy/
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4d0b8dab-8c71-48fe-85a7-a215e9fdf609
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cca26a147c945793b58d4743a0168c8c21ce6cf84e0c6864a3c1f128c826ad29

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:SUSP_Websites
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference of suspicious sites that might be used to download further malware
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:test_Malaysia
Create hunting rule
Author:rectifyq
Description:Detects file containing malaysia string
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/9543/

Comments