MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cfaed4f7db58b901f28cf05aefc32d824d56d5d9be3c6d11dea052527aa7236e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 10



SHA256 hash: cfaed4f7db58b901f28cf05aefc32d824d56d5d9be3c6d11dea052527aa7236e
SHA3-384 hash: 9298d7995599c5b43d89dee98f313ca543dce48c9e5875276662fe13c9ae810708b4317acac5ba639546fb7ac4507563
SHA1 hash: d4c25581f8669ab50b72ed59104129daea067c29
MD5 hash: b507991a642593827fb283d335ac21c9
humanhash: lima-grey-utah-video
File name: Installer.exe
File size: 67'548'712 bytes
First seen: 2025-08-12 16:40:08 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4b1892ce4fbcfcf064c6f69d693fc6a5 (10 x Rhadamanthys, 4 x AgentTesla, 3 x QuasarRAT)
ssdeep: 393216:dGDTTop7NZGZ3dpGRtOIUc9l5lZmYCWDpglb/vE5L5OtsFtYNTa2td44DJONDuUo:UDwx/DtOBc9pDaUV5OtsFitaMo0
TLSH: T14FE7AF15B3D80A06E63FC27DC2638112E7F1B4931352D6CF0558EA992F53BC1AB7B266
TrID:
  32.2% (.EXE) Win64 Executable (generic) (10522/11/4)
  20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
  13.7% (.EXE) Win32 Executable (generic) (4504/4/1)
  6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
Reporter: aachum
Tags: cdn-amazon-us53-com exe putty


iamaachum
https://promotion.docusigntools.com/# => https://cdn.logmetrics.online/Installer.application => https://cdn.amazon-us53.com/Application%20Files/Installer_2_1_0_5/Installer.exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 144
Origin country: ES
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: _cfaed4f7db58b901f28cf05aefc32d824d56d5d9be3c6d11dea052527aa7236e.exe
Verdict: No threats detected
Analysis date: 2025-08-12 21:13:48 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 91.7%
Tags: shellcode installer extens

Result
Verdict: Clean
Maliciousness:
Behaviour:
  DNS request
  Sending a custom TCP request

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: agenttesla anti-debug dotnet fingerprint lolbin microsoft_visual_cc net njrat obfuscated overlay packed packer_detected rat remote threat

Result
Threat name: n/a
Detection: malicious
Classification: evad.mine
Score: 48 / 100
Signature:
  Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)
  Potentially malicious time measurement code found
Behaviour:
  Behavior Graph: Gathering data

Verdict: Malicious
Threat: Trojan-Banker.Win32.Danabot

Threat name: Win64.Trojan.Generic
Status: Suspicious
First seen: 2025-08-12 19:49:50 UTC
File Type: PE+ (Exe)
Extracted files: 347
AV detection: 8 of 38 (21.05%)

Threat level: 5/5
Verdict: malicious
Label(s): admintool_putty
Similar samples:

Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour:
  Suspicious behavior: GetForegroundWindowSpam
  Suspicious use of WriteProcessMemory
  Enumerates physical storage devices
  Checks computer location settings
  Executes dropped EXE

Verdict: Malicious
Tags: red_team_tool
YARA: INDICATOR_TOOL_WEDGECUT

Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Executable exe cfaed4f7db58b901f28cf05aefc32d824d56d5d9be3c6d11dea052527aa7236e (this sample)

Delivery method: Distributed via web download

Comments