MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cdf2219d3bba3dc84ec5e32de4f1eff9e600b745a79439962b814801330f7e9d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cdf2219d3bba3dc84ec5e32de4f1eff9e600b745a79439962b814801330f7e9d
SHA3-384 hash: 4d24a4dd995144d46a817835c32c65511b83bb98de247200725b713ca6f7d3e30598baeecfdf64460c8bc5a8988ba951
SHA1 hash: ab3871f4aa818f11a388e0f599c7e83ec92b9309
MD5 hash: b89072e77d01cbf6a80bf878da64ddea
humanhash: winter-fish-mexico-eighteen
File name:ldplayer9_ld.exe
Download: download sample
File size:8'570'901 bytes
First seen:2025-12-27 22:12:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 311d1e93d89e02a2908fe4b6d6a25ef7
ssdeep 196608:c5CXPYfc+hc6qWZA3HepcpEHNBL/d/zKbhdyhZcf:c5A8cec6tZA3HVpEHnR62cf
TLSH T1408633503AC56DFEE3832C3ABBE5C541AF59DDE7079277B7B3C8730A50908A2794121A
TrID 61.4% (.EXE) Win32 Executable MS Visual C++ 4.x (134693/65)
14.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
7.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
4.7% (.EXE) Win64 Executable (generic) (10522/11/4)
3.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Magika pebin
Reporter abuse_ch
Tags:exe upx-dec


Avatar
abuse_ch
UPX decompressed file, sourced from SHA256 f1a69a7e4493c308beb6b041368f1ad58ae49884789249e684c37672417f8cc5
File size (compressed) :8'454'677 bytes
File size (de-compressed) :8'570'901 bytes
Format:win32/pe
Packed file: f1a69a7e4493c308beb6b041368f1ad58ae49884789249e684c37672417f8cc5

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
NL NL
Vendor Threat Intelligence
Malware configuration found for:
Archives
Details
Archives
an extracted 7-zip archive from the overlay data and SFX commands
Archives
extracted archive contents
Link:
https://research.acce.ciphertechsolutions.com/results/e6958d73-5a9e-49b5-802e-25e48b43480a/
Malware family:
n/a
ID:
1
File name:
_cdf2219d3bba3dc84ec5e32de4f1eff9e600b745a79439962b814801330f7e9d.exe
Verdict:
Malicious activity
Analysis date:
2025-12-27 22:14:08 UTC
Tags:
auto generic arch-exec auto-startup donutloader loader
Link:
https://app.any.run/tasks/ae67c80a-111a-43e8-907a-0739d864ac39

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/46248/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=695059fb4503237b77fbd11a
Tags:
autorun madi
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context fingerprint installer installer installer-heuristic overlay overlay packed
Link:
https://www.filescan.io/uploads/695059f83f8fdbf8e95387fc/reports/bfc650c6-ee02-4314-90b4-346fc236b2c4/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/cdf2219d3bba3dc84ec5e32de4f1eff9e600b745a79439962b814801330f7e9d
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-27T19:40:00Z UTC
Last seen:
2025-12-27T19:55:00Z UTC
Hits:
~1000
Detections:
Trojan.MSIL.VBSMeter.sb Trojan.MSIL.Donut.sb Trojan.Win32.Shellcode.sb Trojan.Win32.Shellcode.keh Exploit.Win32.BypassUAC.sb Backdoor.Win32.Lotok.sbc
Link:
https://opentip.kaspersky.com/cdf2219d3bba3dc84ec5e32de4f1eff9e600b745a79439962b814801330f7e9d/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/7bce87d6-0248-448b-8ed3-d614e82e415d
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1840551
Signature
.NET source code contains potential unpacker
Creates HTA files
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Behaviour
Behavior Graph:
Download SVG
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cdf2219d3bba3dc84ec5e32de4f1eff9e600b745a79439962b814801330f7e9d
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout SFX 7z Win 32 Exe x86
Link:
https://app.malva.re/file/b89072e77d01cbf6a80bf878da64ddea
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cdf2219d3bba3dc84ec5e32de4f1eff9e600b745a79439962b814801330f7e9d/
Verdict:
Malicious
Threat:
Trojan.Win32.Shellcode
Link:
https://tip.neiki.dev/file/cdf2219d3bba3dc84ec5e32de4f1eff9e600b745a79439962b814801330f7e9d
Threat name:
Win32.Trojan.Etset
Create hunting rule
Status:
Malicious
First seen:
2025-12-27 20:17:46 UTC
File Type:
PE (Exe)
Extracted files:
475
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zxzcdhj3xi64qtwf4mw6j4pp7htabn2fu6kdtfrlqfeacmypp2oq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery upx
Link:
https://tria.ge/reports/251227-16ykvszrhp/
Behaviour
Checks processor information in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
UPX packed file
Enumerates connected drives
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Verdict:
Malicious
Tags:
Win.Malware.Generic-9867923-0
YARA:
n/a
Link:
https://app.threat.zone/submission/fac8ba00-9a6c-48d3-bbe2-fd56680e0f9d
Unpacked files
SH256 hash:
cdf2219d3bba3dc84ec5e32de4f1eff9e600b745a79439962b814801330f7e9d
MD5 hash:
b89072e77d01cbf6a80bf878da64ddea
SHA1 hash:
ab3871f4aa818f11a388e0f599c7e83ec92b9309
Link:
https://www.unpac.me/results/db764fc5-e5ac-4274-991e-3490fa27e521/
SH256 hash:
e53d2cd62efdfd0e54caf52e292c733a23e6a2d335709ac3ac70471b431be852
MD5 hash:
6e3e476a1f51dd3076f151157a0cba53
SHA1 hash:
b4c56e9194f99088995ea7fadc1c711709bf64d5
Link:
https://www.unpac.me/results/db764fc5-e5ac-4274-991e-3490fa27e521/
SH256 hash:
df7714a68cc0784c9060ac86d2f3f3c30c7a0a8bfa5893e16c1a60be2e6a2a86
MD5 hash:
a63361fae9b0fffaa42c8f9535afa74b
SHA1 hash:
437f47945a787c262ed026014cbff5d1f865f100
Link:
https://www.unpac.me/results/db764fc5-e5ac-4274-991e-3490fa27e521/
SH256 hash:
cc7392756bfbec4c07ba95d6c0f5d89f0e4b81a7b3ca92eba336d9a1bb9c9169
MD5 hash:
2bb28d361fd08163271dab85a5525835
SHA1 hash:
b45b0583322e0ee2bafa67b8419627330ec2d547
Link:
https://www.unpac.me/results/db764fc5-e5ac-4274-991e-3490fa27e521/
Malware family:
DonutLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cdf2219d3bba/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cdf2219d3bba3dc84ec5e32de4f1eff9e600b745a79439962b814801330f7e9d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe f1a69a7e4493c308beb6b041368f1ad58ae49884789249e684c37672417f8cc5

Executable exe cdf2219d3bba3dc84ec5e32de4f1eff9e600b745a79439962b814801330f7e9d

(this sample)

  
Dropped by
SHA256 f1a69a7e4493c308beb6b041368f1ad58ae49884789249e684c37672417f8cc5
Cape
Cape
https://www.capesandbox.com/analysis/46248/
  
Dropped by
MD5 3a817d3ae87794423d712b9e88dcc65d

Comments