MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0cea16aa110cfa3a45be700377d19ab17510a8a148a042609cd6e06ca88f8a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 7

Intelligence 7 IOCs YARA 10 File information Comments

SHA256 hash:	f0cea16aa110cfa3a45be700377d19ab17510a8a148a042609cd6e06ca88f8a3
SHA3-384 hash:	efc7972fc08b588ce25a60dd1419ef1f6f7c95450bdae3a170f5aba4422f72c8f6ce81e4b70951357d26a0004a78dddc
SHA1 hash:	2462c3da56be1e707d2c82c890d4ad763dc3f111
MD5 hash:	006b71a7c851bcca51e58132d58d7046
humanhash:	cola-timing-lion-quebec
File name:	20260513_150830_federated-runtime-network_wiki_f0cea16aa1.dat
Download:	download sample
File size:	7'231'976 bytes
First seen:	2026-05-13 20:26:37 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2d1a2a3b2edbe3e08125b43db0ee5897
ssdeep	49152:huk9OJIfruB5cHUJ548erH5WRt76TFeyIorHUZNDv7+gN+P4+hvCQCK20J4r4bcN:huearcGrRmHoBj9P
TLSH	T1C5767D27EDB509EBE46BF2748422B601BC223C408B191BD75AE4B3145E636F45BBFB11
TrID	45.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 18.0% (.EXE) Win64 Executable (generic) (6522/11/2) 13.9% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.6% (.ICL) Windows Icons Library (generic) (2059/9) 5.6% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	Anonymous
Tags:	ClearFake exe signed

Code Signing Certificate

Organisation:	waveshare.tech
Issuer:	Entrust Certification Authority - L1K
Algorithm:	sha256WithRSAEncryption
Valid from:	2026-05-12T13:50:57Z
Valid to:	2026-08-11T13:50:57Z
Serial number:	5a4d1479438379eb17c1915559689f77
Thumbprint Algorithm:	SHA256
Thumbprint:	ef2522f12fd05ecc4dfa4c0c3828c962618d78a4c55a5215fe40aedda33bccdb
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

124

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

microservice-balancer-node.wiki

Verdict:

Malicious activity

Analysis date:

2026-05-13 16:51:50 UTC

Tags:

webdav loader

Link:

https://app.any.run/tasks/f35f100b-78e2-4000-a1ae-90b8c1e8c64e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/65830/

Verdict:

Clean

Score:

84.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a04deb3953bbcef1c90299b

Tags:

n/a

Result

Verdict:

Clean

Maliciousness:

Behaviour

Launching the default Windows debugger (dwwin.exe)

Verdict:

Unknown

Threat level:

2.5/10

Confidence:

100%

Tags:

adaptive-context anti-debug crypto evasive hacktool masquerade packed signed

Link:

https://www.filescan.io/uploads/6a04de9f86e92bda702db6d5/reports/0c6e5d17-3633-40bd-b053-4c0abd5345f2/overview

Verdict:

Malicious

Link:

https://www.hybrid-analysis.com/sample/f0cea16aa110cfa3a45be700377d19ab17510a8a148a042609cd6e06ca88f8a3

Verdict:

Malicious

File Type:

dll x64

First seen:

2026-05-13T14:47:00Z UTC

Last seen:

2026-05-15T05:30:00Z UTC

Hits:

~10

Detections:

Trojan.Win64.Agent.smgfzg Trojan.Win64.Agent.sb

Link:

https://opentip.kaspersky.com/f0cea16aa110cfa3a45be700377d19ab17510a8a148a042609cd6e06ca88f8a3/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/e5102c08-a447-4f70-a2af-8c7e3d3e1ba8

Score:

92%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/f0cea16aa110cfa3a45be700377d19ab17510a8a148a042609cd6e06ca88f8a3

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/006b71a7c851bcca51e58132d58d7046

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f0cea16aa110cfa3a45be700377d19ab17510a8a148a042609cd6e06ca88f8a3/

Verdict:

Clean

Link:

https://tip.neiki.dev/file/f0cea16aa110cfa3a45be700377d19ab17510a8a148a042609cd6e06ca88f8a3

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2026-05-13 20:27:34 UTC

File Type:

PE+ (Dll)

Extracted files:

AV detection:

7 of 24 (29.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6dhkc2vbcdh2hjc344ado7izvmlvccukcsfaijqjzvxansui7crq._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/260513-y8lyqsas7p/

Unpacked files

SH256 hash:

f0cea16aa110cfa3a45be700377d19ab17510a8a148a042609cd6e06ca88f8a3

MD5 hash:

006b71a7c851bcca51e58132d58d7046

SHA1 hash:

2462c3da56be1e707d2c82c890d4ad763dc3f111

Link:

https://www.unpac.me/results/88402c45-848f-4d50-bc50-9fb877404cae/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.04

Link:

https://yomi.yoroi.company/submissions/f0cea16aa110cfa3a45be700377d19ab17510a8a148a042609cd6e06ca88f8a3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	golang_duffcopy_amd64 Create hunting rule

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE Create hunting rule
Author:	CYFARE
Description:	Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:	https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/65830/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample