MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eefc0f986dd3ea376a4a54f80ce0dc3e6491165aefdd7d5d6005da3892ce248f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 13

Intelligence 13 IOCs YARA 5 File information Comments 2

SHA256 hash:	eefc0f986dd3ea376a4a54f80ce0dc3e6491165aefdd7d5d6005da3892ce248f
SHA3-384 hash:	e1da71bfd61179b1dff5d5dd0d3d64527a5fe5ccf8985efcfce68af873777f4636774583f94c998893497521348bb480
SHA1 hash:	02a53d660332c25af623bbb7df57c2aad1b0b91b
MD5 hash:	cdc459a866361463d719bc89622300f3
humanhash:	undress-mango-papa-kentucky
File name:	HWiNFO_Monitor_Setup.exe
Download:	download sample
File size:	4'233'610 bytes
First seen:	2026-04-10 04:42:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	88016fcdef7f227c62171d0afad9aae4 (5 x OffLoader, 3 x Gh0stRAT, 3 x ValleyRAT)
ssdeep	49152:VuI2hj6XF18ahT8kRdwIcwcBQSuBP9HqT9LnTiHejJkT6Dt7ON9Vnc:V5Oj6JR8kRdwIHcBIHqxLnmMBJ+c
Threatray	464 similar samples on MalwareBazaar
TLSH	T14516023FB24B653EE06E5A3539B7E130583B6A62A5124C1696F4C88CCF650B11E3F787
TrID	63.8% (.EXE) Inno Setup installer (107240/4/30) 24.7% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 3.8% (.EXE) Win64 Executable (generic) (6522/11/2) 2.6% (.EXE) Win32 Executable (generic) (4504/4/1) 1.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
dhash icon	8a256575616d0182
Reporter	KnownSpotter
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

164

Origin country :

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/d0e4d065-fdc9-4253-ace9-550fa4de89a9/

Malware family:

n/a

ID:

File name:

https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/hwmonitor/HWiNFO_Monitor_Setup.exe

Verdict:

Malicious activity

Analysis date:

2026-04-10 03:23:19 UTC

Tags:

possible-phishing loader delphi inno installer cpuz tool stealer fake-filezilla

Link:

https://app.any.run/tasks/0d31fcf4-ab8e-43ef-b874-0e95e0d06e62

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/61018/

Detection(s):

SecuriteInfo.com.FileRepMalware.15326582.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69d87d736a61012f6ad088a6

Tags:

injection dropper delphi virus

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Searching for synchronization primitives

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context alien anti-debug embarcadero_delphi fingerprint inno installer installer installer-heuristic packed soft-404 unsafe

Link:

https://www.filescan.io/uploads/69d87fb0799d5bf325f5742b/reports/c2f15f31-2299-4e17-b80d-f994a4b4b141/overview

Verdict:

Malicious

Labled as:

Trojan_Win32_Wacatac_C_ml

Link:

https://www.hybrid-analysis.com/sample/eefc0f986dd3ea376a4a54f80ce0dc3e6491165aefdd7d5d6005da3892ce248f

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-04-09T12:34:00Z UTC

Last seen:

2026-04-12T01:01:00Z UTC

Hits:

~100

Detections:

VHO:Trojan.Win64.Reflo.gen VHO:Backdoor.Win32.Agent.gen Backdoor.Mirai.HTTP.C&C Backdoor.Agent.HTTP.C&C UDS:DangerousObject.Multi.Generic BSS:Trojan.Win32.Generic Backdoor.Win64.Alien.de

Link:

https://opentip.kaspersky.com/eefc0f986dd3ea376a4a54f80ce0dc3e6491165aefdd7d5d6005da3892ce248f/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/5e37c19b-050f-4ae9-b8e1-ac751d24fa7a

Score:

73%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/eefc0f986dd3ea376a4a54f80ce0dc3e6491165aefdd7d5d6005da3892ce248f

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/eefc0f986dd3ea376a4a54f80ce0dc3e6491165aefdd7d5d6005da3892ce248f/

Verdict:

Malicious

Threat:

VHO:Trojan.Win64.Reflo

Link:

https://tip.neiki.dev/file/eefc0f986dd3ea376a4a54f80ce0dc3e6491165aefdd7d5d6005da3892ce248f

Threat name:

Win32.Trojan.Wacatac

Status:

Malicious

First seen:

2026-04-10 04:33:00 UTC

File Type:

PE (Exe)

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=536a7gdn2pvdo2skkt4azyg4hzsjcfs257ox2xlaaxndrewoeshq._file

Verdict:

malicious

Label(s):

shellcode_loader_008

18535509a6d259487b6b06edf2f1b2df3c4890fe16d630c8a2ec6af32cbe8b32

19ba4d2bd5638445fbc8c8c3c57934658f6e094588471ef0d657353e84cb6cde

34c578754cb2f08e5d8a5b02f1aeaa5d90ff3b566b9beae3a76ab77efb878194

52ce2f6b54f59176161c110aa56b42f1400ab17563c698ab27bb8d99aa7d8493

8a5661ae94a67e1e27f4cf155f905d665be74f7ba1ef424eb471a0da215628c8

94620117e0c4878da2fa57362058aadd437f1639d3c6d1337b27b8c3070357cf

c1361e943e723746f92e83c35bafce8a6800249c3253e0ceb75023ece695c1f3

e5bffd1dee2cab5893d916605ae2eb05b69610dfd424acc65fb6055c38ddb41e

e86c74fc39924e5c86d3ede3098f5c0d5c1655e2414f9b19359f32e35608e670

error

+ 454 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery installer

Link:

https://tria.ge/reports/260410-fbvkhagv2y/

Behaviour

Suspicious use of WriteProcessMemory

Inno Setup is an open-source installation builder for Windows applications.

System Location Discovery: System Language Discovery

Executes dropped EXE

Unpacked files

SH256 hash:

eefc0f986dd3ea376a4a54f80ce0dc3e6491165aefdd7d5d6005da3892ce248f

MD5 hash:

cdc459a866361463d719bc89622300f3

SHA1 hash:

02a53d660332c25af623bbb7df57c2aad1b0b91b

Link:

https://www.unpac.me/results/36d9a75d-3f23-4398-aeb2-da0197557580/

SH256 hash:

cd0cd2b40bdea39eae382825ee30645b83cbd4164cf7e94b419bc720ea137c19

MD5 hash:

523869b135ed11398458912f3732baf3

SHA1 hash:

c486285d010e5106c8031ce4dceea9efb3e1d746

Link:

https://www.unpac.me/results/36d9a75d-3f23-4398-aeb2-da0197557580/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/eefc0f986dd3ea376a4a54f80ce0dc3e6491165aefdd7d5d6005da3892ce248f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE Create hunting rule
Author:	CYFARE
Description:	Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:	https://cyfare.net/