MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3c18c41e7aacc9595b25a989db8538aaf3bb02f73e43706f802f3a62e56757b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d3c18c41e7aacc9595b25a989db8538aaf3bb02f73e43706f802f3a62e56757b
SHA3-384 hash: 468ddebf04c2121338b6ca93a40b4dd11ac1c0fffe65b21a087893c9089708f6697325f95ba7d5d0caab9aa1ee6dcac3
SHA1 hash: 80a7c1664dedcb7bd9b479f3091aaaffc570b11c
MD5 hash: 9e4ff0070305560c2f454f500d211ee1
humanhash: snake-bluebird-pasta-tango
File name:electrum-doge-setup-1.4.2.exe
Download: download sample
File size:103'968'776 bytes
First seen:2025-03-29 12:01:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (533 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 1572864:eCJ39Kk9MocynxQz2oBlm1UvwB8ceyIS7nqYdd6hIExel52Jb/csJsa:eBk9MGQaoBlvvw/vP7nMxel5Gb//ia
Threatray 676 similar samples on MalwareBazaar
TLSH T118383300AA417429D530E9F4BFB781E5ABF08C9F2ED0B97F8F60765299F45D7A84C242
TrID 37.3% (.EXE) Win64 Executable (generic) (10522/11/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.9% (.EXE) Win32 Executable (generic) (4504/4/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon a2a249054261a2aa
Reporter ninjacatcher
Tags:exe infostealer revoked-cert signed stealer trojan

Code Signing Certificate

Organisation:Hebei Prolink Import & Export Trading Co., Ltd.
Issuer:GlobalSign GCC R45 EV CodeSigning CA 2020
Algorithm:sha256WithRSAEncryption
Valid from:2025-02-05T04:25:13Z
Valid to:2026-02-06T04:25:13Z
Serial number: 57f32049482f3c889c8bf65e
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 01a60e6e8e3c8ac2ed0c0a52b4404e5119dd45b4e811992f5cdb5310d1a9f2bc
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
614
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
electrum-doge-setup-1.4.2.exe
Verdict:
Malicious activity
Analysis date:
2025-03-29 12:03:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d95061cf-b408-4717-ad15-52a6f4ea519f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67e7e257855e5ec524099305
Tags:
extens sage blic
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Searching for synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cobalt installer microsoft_visual_cc overlay revoked-cert signed
Link:
https://www.filescan.io/uploads/67e7e147631830704a8aec02/reports/bf1eaee6-dcbf-47df-b253-ab5b723e8a20/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/d3c18c41e7aacc9595b25a989db8538aaf3bb02f73e43706f802f3a62e56757b
Result
Threat name:
n/a
Detection:
suspicious
Classification:
n/a
Score:
23 / 100
Link:
https://www.joesandbox.com/analysis/1651672
Signature
Drops large PE files
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 process2 2 Behavior Graph ID: 1651672 Sample: electrum-doge-setup-1.4.2.exe Startdate: 29/03/2025 Architecture: WINDOWS Score: 23 6 electrum-doge-setup-1.4.2.exe 11 293 2->6         started        10 Electrum Doge.exe 44 2->10         started        file3 29 C:\Users\user\AppData\Local\...\nsis7z.dll, PE32 6->29 dropped 31 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 6->31 dropped 33 C:\Users\user\AppData\Local\...\nsDialogs.dll, PE32 6->33 dropped 37 13 other files (none is malicious) 6->37 dropped 45 Drops large PE files 6->45 12 cmd.exe 1 6->12         started        35 79450dac-e3b3-43c8...73ef8e78b3.tmp.node, PE32+ 10->35 dropped 14 Electrum Doge.exe 10->14         started        17 Electrum Doge.exe 1 10->17         started        19 explorer.exe 10->19 injected 21 Electrum Doge.exe 10->21         started        signatures4 process5 dnsIp6 23 conhost.exe 12->23         started        25 tasklist.exe 1 12->25         started        27 find.exe 1 12->27         started        39 electrum-doge.online 146.185.233.58, 443, 49732 RN-DATA-LV Russian Federation 14->39 41 api.coingecko.com 104.22.78.164, 443, 49731 CLOUDFLARENETUS United States 14->41 43 chrome.cloudflare-dns.com 172.64.41.3, 443, 49733, 49734 CLOUDFLARENETUS United States 14->43 process7
Score:
10%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/d3c18c41e7aacc9595b25a989db8538aaf3bb02f73e43706f802f3a62e56757b
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2payyqphvlgjlfnslkmj3octrkxtxmbpopsdobxyalz2mlswov5q._file
Verdict:
malicious
Label(s):
hacktool_uac_dll
Create hunting rule
Similar samples:
1d42a976c5c433e8ae6b3ba1fe20bd87384731658797d1d81579e42aad7e0cee
21a68975feeb28b5369222f8e148899ca767228ff5a111a27393f23a57224fbb
23115d7b6f50955145a73ae7e56ab9c2a2c40b7f83e875470a8dba516d4c1e31
2637b4500ce9dd33c2a22d291bb0331bfc457f2f384da1bd51d38cdbbf6e669e
30091faafd62ea7ba9868db2ee575dab98fd126a78d39590f57ea7b38b20d966
7897d212eaa82c5fa94da40b66db07ff4432574f9ff816b3821156a54d2b88e0
ee9c745ec13fb4389968431701fecabaa3fd85f607e694e0d8747703a60fe0dc
error
+ 666 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery execution
Link:
https://tria.ge/reports/250329-n7jrwatrs6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Enumerates processes with tasklist
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Verdict:
Suspicious
Tags:
red_team_tool
YARA:
Cobalt_functions
Link:
https://app.threat.zone/submission/f45ad17b-17d3-4152-a1fe-ed56355f54e7
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe d3c18c41e7aacc9595b25a989db8538aaf3bb02f73e43706f802f3a62e56757b

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3494677/
  
URLhaus
https://urlhaus.abuse.ch/url/3494679/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::SetFileSecurityW
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::SHFileOperationW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDiskFreeSpaceW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileExW
KERNEL32.dll::MoveFileW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments