MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f149328d1a527e5ce9cf6a913bb47c334facc7c0690f793b6429f49f812390d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 12

Intelligence 12 IOCs YARA 7 File information Comments

SHA256 hash:	f149328d1a527e5ce9cf6a913bb47c334facc7c0690f793b6429f49f812390d2
SHA3-384 hash:	91519d4932def6ed1a611308f54035fb84f18fd51ba064c300d35b957621919ee9eb42b62060723f8c63ca2e7098093c
SHA1 hash:	a817c31aa063854f1d70b48995a7a2424207db72
MD5 hash:	264a2434a41b63bf5daec6315898cd04
humanhash:	july-butter-saturn-single
File name:	file
Download:	download sample
File size:	4'252'814 bytes
First seen:	2026-01-22 00:01:20 UTC
Last seen:	2026-01-24 02:02:00 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	40ab50289f7ef5fae60801f88d4541fc (59 x ValleyRAT, 49 x Gh0stRAT, 41 x OffLoader)
ssdeep	49152:1+MRdOHWCcIEb2u4x3j+JNt3dlkx17Ch6lq+xV45Qf7GsMltcxHZslJy0HPwBBEx:1rvCPuqambW6451sMsqtYQMtvJRTamC
TLSH	T16416F113F2CBA03EE3590B37C562B17494FB6E11A523AD5686E4F4A8CE35C601E3E647
TrID	62.3% (.EXE) Inno Setup installer (107240/4/30) 24.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 6.1% (.EXE) Win64 Executable (generic) (10522/11/4) 2.6% (.EXE) Win32 Executable (generic) (4504/4/1) 1.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
Reporter	Bitsight
Tags:	dropped dropped-by-Stealc exe

Bitsight

url: http://196.251.107.61/core_90.63.0_INSTALL.exe

Intelligence

File Origin

# of uploads :

# of downloads :

118

Origin country :

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/8b445483-0de8-4c79-870e-9f062a360ef8/

Malware family:

n/a

ID:

File name:

file

Verdict:

Suspicious activity

Analysis date:

2026-01-22 00:02:46 UTC

Tags:

upx

Link:

https://app.any.run/tasks/e1a56879-4795-4a68-ace3-19ee451da0f3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/49686/

Detection(s):

SecuriteInfo.com.FileRepMalware.75438224.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=697168f1f3cf908ba50726ae

Tags:

dropper obfusc overt

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

adaptive-context embarcadero_delphi fingerprint inno installer installer installer-heuristic packed soft-404

Link:

https://www.filescan.io/uploads/697168e85db9ae47708cb2ff/reports/1c16603a-3e07-4ff8-847d-2424e9c687cd/overview

Verdict:

Malicious

Labled as:

Trojan.DOMG

Link:

https://www.hybrid-analysis.com/sample/f149328d1a527e5ce9cf6a913bb47c334facc7c0690f793b6429f49f812390d2

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-01-21T21:23:00Z UTC

Last seen:

2026-01-23T20:40:00Z UTC

Hits:

~10

Detections:

UDS:DangerousObject.Multi.Generic

Link:

https://opentip.kaspersky.com/f149328d1a527e5ce9cf6a913bb47c334facc7c0690f793b6429f49f812390d2/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/6e79df60-1f91-40a1-b661-55c02b263283

Score:

78%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/f149328d1a527e5ce9cf6a913bb47c334facc7c0690f793b6429f49f812390d2

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/264a2434a41b63bf5daec6315898cd04

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f149328d1a527e5ce9cf6a913bb47c334facc7c0690f793b6429f49f812390d2/

Verdict:

Susipicious

Link:

https://tip.neiki.dev/file/f149328d1a527e5ce9cf6a913bb47c334facc7c0690f793b6429f49f812390d2

Threat name:

Win32.Malware.Heuristic

Status:

Malicious

First seen:

2026-01-22 00:02:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

12 of 24 (50.00%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6fetfdi2kj7fz2opnkitxnd4gnh2zr6anehxso3efh2j7ajdsdja._file

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery installer persistence upx

Link:

https://tria.ge/reports/260122-abb59sez8e/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Inno Setup is an open-source installation builder for Windows applications.

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in System32 directory

UPX packed file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Unpacked files

SH256 hash:

f149328d1a527e5ce9cf6a913bb47c334facc7c0690f793b6429f49f812390d2

MD5 hash:

264a2434a41b63bf5daec6315898cd04

SHA1 hash:

a817c31aa063854f1d70b48995a7a2424207db72

Link:

https://www.unpac.me/results/bfe0b7b9-74e3-4331-92b7-7f0c4288bc37/

SH256 hash:

723d722a062b8ecb31ab36238c0f38167c5ead21836030fd5200551fcc816331

MD5 hash:

c181203c51f6d2cc1c1b088e57903f6d

SHA1 hash:

466fc07f5336b2bf03bf1544c87e4b57f1ba4d75

Link:

https://www.unpac.me/results/bfe0b7b9-74e3-4331-92b7-7f0c4288bc37/

SH256 hash:

388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

MD5 hash:

e4211d6d009757c078a9fac7ff4f03d4

SHA1 hash:

019cd56ba687d39d12d4b13991c9a42ea6ba03da

Link:

https://www.unpac.me/results/bfe0b7b9-74e3-4331-92b7-7f0c4288bc37/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f149328d1a527e5ce9cf6a913bb47c334facc7c0690f793b6429f49f812390d2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	ProgramLanguage_Rust Create hunting rule
Author:	albertzsigovits
Description:	Application written in Rust programming language

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe f149328d1a527e5ce9cf6a913bb47c334facc7c0690f793b6429f49f812390d2

(this sample)

Dropped by

StealC

Delivery method

Distributed via web download

Dropped by

StealC

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3761643/

Cape

https://www.capesandbox.com/analysis/49686/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample