MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd1e7fd35306a22f511197716c7e9fe2c1ba149ffd275a5221c4452165a4b29d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dd1e7fd35306a22f511197716c7e9fe2c1ba149ffd275a5221c4452165a4b29d
SHA3-384 hash: 504a83d7f8716d795a31d9889b6e0ce43dd84e35b8f2d2d94ce9f5c3932374a899283b94cafe4e10d50a4ad0f26301a1
SHA1 hash: 746d354c83ba5ee7ad558ac9669d40c31be37831
MD5 hash: 05d8c7d4bc49a2da4587535abae9b06d
humanhash: quiet-sixteen-carpet-kansas
File name:Certificado_PCAP.exe
Download: download sample
File size:71'691'016 bytes
First seen:2026-02-20 13:55:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 88016fcdef7f227c62171d0afad9aae4 (6 x OffLoader, 4 x ValleyRAT, 3 x Gh0stRAT)
ssdeep 1572864:Wibp32FzeZjKmqyQvJOhcnU3LODgOlheW6QEaryQnew:KFCWm4hG4U3L3On3Earyu
TLSH T13EF7333FF18F6139D0AA127A31B3D421897B2961A4529C226AECF8CCCB250755D3F6D7
TrID 50.8% (.EXE) Inno Setup installer (107240/4/30)
20.4% (.EXE) InstallShield setup (43053/19/16)
19.7% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
3.0% (.EXE) Win64 Executable (generic) (6522/11/2)
2.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 5050d270cccc82ae (112 x Adware.Generic, 71 x OffLoader, 43 x LummaStealer)
Reporter johnk3r
Tags:cmdca-go-gov-br exe kapa-is signed

Code Signing Certificate

Organisation:MAYDA PETROL OTOMOTIV INSAAT LIMITED SIRKETI
Issuer:Sectigo Public Code Signing CA EV R36
Algorithm:sha256WithRSAEncryption
Valid from:2026-02-02T00:00:00Z
Valid to:2027-02-02T23:59:59Z
Serial number: 011e9b8ccd60d504b4130d90d14a4ba7
Cert Graveyard Blocklist:This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 92da4c3f9aa9564df7d41cafe89433d188c938ab37614c20f3467e6b9f0abe0b
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
johnk3r
Trojan/backdoor embedded in an Electron application.

Intelligence

File Origin
# of uploads :
1
# of downloads :
151
Origin country :
CH CH
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/19dd86cb-49a5-4e7e-ab0d-6670acfb7053/
Malware family:
n/a
ID:
1
File name:
dd1e7fd35306a22f511197716c7e9fe2c1ba149ffd275a5221c4452165a4b29d.bin
Verdict:
Malicious activity
Analysis date:
2026-02-20 12:27:10 UTC
Tags:
delphi inno installer api-base64 golang nodejs
Link:
https://app.any.run/tasks/a15b8995-ea56-4f45-885e-bad2eda0fd33

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Clean
Score:
50%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6998680bc950ab5d9aafbec6
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a file in the %AppData% directory
DNS request
Unauthorized injection to a recently created process
Connection attempt
Sending a custom TCP request
Loading a suspicious library
Running batch commands
Creating a process with a hidden window
Connecting to a non-recommended domain
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context anti-debug embarcadero_delphi fingerprint inno installer installer installer-heuristic packed signed soft-404
Link:
https://www.filescan.io/uploads/6998680497feb4afd64ecaa0/reports/d12b6888-11e5-4e41-a081-6a662e3440fa/overview
Verdict:
Malicious
Labled as:
TrojanDldr.OffLoader.gen
Link:
https://www.hybrid-analysis.com/sample/dd1e7fd35306a22f511197716c7e9fe2c1ba149ffd275a5221c4452165a4b29d
Verdict:
Malicious
File Type:
exe x32
Detections:
Trojan-Dropper.Win32.Injector.vevq Trojan-Dropper.Win32.Injector.sb
Link:
https://opentip.kaspersky.com/dd1e7fd35306a22f511197716c7e9fe2c1ba149ffd275a5221c4452165a4b29d/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1872496
Signature
Creates autostart registry keys with suspicious names
Sigma detected: Suspicious Program Names
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1872496 Sample: Certificado_PCAP.exe Startdate: 20/02/2026 Architecture: WINDOWS Score: 48 56 webhook.site 2->56 58 kapa.is 2->58 64 Sigma detected: Suspicious Program Names 2->64 10 Certificado_PCAP.exe 2 2->10         started        13 boost.exe 2->13         started        15 boost.exe 2->15         started        signatures3 process4 file5 52 C:\Users\user\...\Certificado_PCAP.tmp, PE32 10->52 dropped 17 Certificado_PCAP.tmp 1001 10->17         started        20 boost.exe 13->20         started        22 boost.exe 13->22         started        24 boost.exe 15->24         started        26 boost.exe 15->26         started        process6 file7 44 C:\Users\user\AppData\Local\...\boost.exe, PE32+ 17->44 dropped 46 C:\Users\user\AppData\Local\...\vulkan-1.dll, PE32+ 17->46 dropped 48 C:\Users\user\AppData\...\vk_swiftshader.dll, PE32+ 17->48 dropped 50 26 other files (none is malicious) 17->50 dropped 28 boost.exe 1 6 17->28         started        process8 dnsIp9 62 kapa.is 104.21.28.177, 443, 49701, 49704 CLOUDFLARENETUS United States 28->62 54 C:\Users\user\AppData\Local\...\artifact.exe, PE32+ 28->54 dropped 66 Creates autostart registry keys with suspicious names 28->66 33 cmd.exe 1 28->33         started        35 boost.exe 1 28->35         started        37 boost.exe 1 28->37         started        file10 signatures11 process12 process13 39 artifact.exe 33->39         started        42 conhost.exe 33->42         started        dnsIp14 60 webhook.site 178.63.67.153, 443, 49702 HETZNER-ASDE Germany 39->60
Score:
54%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/dd1e7fd35306a22f511197716c7e9fe2c1ba149ffd275a5221c4452165a4b29d
Gathering data
Verdict:
Malicious
Threat:
Trojan-Dropper.Win32.Injector
Link:
https://tip.neiki.dev/file/dd1e7fd35306a22f511197716c7e9fe2c1ba149ffd275a5221c4452165a4b29d
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-02-19 00:33:45 UTC
File Type:
PE (Exe)
AV detection:
7 of 24 (29.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3uph7u2ta2rc6uirs5ywy7u74la3ufe77utvuurbyrcscznewkoq._file
Result
Malware family:
n/a
Score:
  6/10
Tags:
defense_evasion discovery installer persistence spyware trojan
Link:
https://tria.ge/reports/260220-q8s32scs4g/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Inno Setup is an open-source installation builder for Windows applications.
Modifies trusted root certificate store through registry
System Location Discovery: System Language Discovery
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe dd1e7fd35306a22f511197716c7e9fe2c1ba149ffd275a5221c4452165a4b29d

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments