MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fab6011a3cb8ae1a26d6b5267510c63cfd3f36ee912d5d9c367991b33b61b41a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 14


Intelligence 14 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fab6011a3cb8ae1a26d6b5267510c63cfd3f36ee912d5d9c367991b33b61b41a
SHA3-384 hash: a92a8fe8cc920e362492af50ddc57d876e01289bdd12c974168ef17bea5c221be762501e9ce044e260412112c9507cc3
SHA1 hash: 9e277005ee94f1a9a8a415e5c4c1a49bef2d0901
MD5 hash: 48e88faab27bd4099864b48d84edd8f6
humanhash: island-yankee-island-network
File name:Installers_setup.exe
Download: download sample
File size:4'856'664 bytes
First seen:2025-12-17 11:50:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e8ac1646024d52d1534a88da2e8037cd (9 x OffLoader, 8 x HijackLoader, 7 x Tofsee)
ssdeep 98304:4DbtKBthcSSCqNqwwGTNcS56dpKJ0JNf4faxO:4DbtYt7TCDwGTNcS4dpKScac
Threatray 524 similar samples on MalwareBazaar
TLSH T14D260223F24E633EE46A553609729A54543FBE60641B8CB396EC3E4CCE3A5601D3EE47
TrID 49.8% (.EXE) Inno Setup installer (107240/4/30)
20.0% (.EXE) InstallShield setup (43053/19/16)
19.3% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.8% (.EXE) Win64 Executable (generic) (10522/11/4)
2.0% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter SquiblydooBlog
Tags:exe signed

Code Signing Certificate

Organisation:Taiyuan Tataomi Technology Co., Ltd.
Issuer:Sectigo Public Code Signing CA EV R36
Algorithm:sha256WithRSAEncryption
Valid from:2025-08-22T00:00:00Z
Valid to:2026-08-22T23:59:59Z
Serial number: 5886e0f4baa836e9231ba6f8f965e51d
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Graveyard Blocklist:This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:SHA256
Thumbprint: d8196aea50466b06dbbef3012f050c2e59ab1d4c5c83414d1d1cd06196a1a3c4
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
124
Origin country :
US US
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/0723a2d1-4f9d-48a9-8a23-806e3c061b05/
Malware family:
n/a
ID:
1
File name:
Installers_setup.exe
Verdict:
Malicious activity
Analysis date:
2025-12-17 11:55:52 UTC
Tags:
inno installer delphi ims-api generic screenconnect rmm-tool remote tool telegram exfiltration stealer rat
Link:
https://app.any.run/tasks/8b9f35bb-761f-4a4d-9cde-80c2af04eead

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/45316/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69429934c97f4a807a3b8e8e
Tags:
phishing dropper virus sage
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context embarcadero_delphi fingerprint inno installer installer installer-heuristic overlay packed signed xworm
Link:
https://www.filescan.io/uploads/6942993129529c74a2f4c659/reports/5bf0913b-14ee-4165-8d96-720d35a42d0f/overview
Verdict:
Suspicious
Labled as:
Backdoor.MSIL.XWorm.gen
Link:
https://www.hybrid-analysis.com/sample/fab6011a3cb8ae1a26d6b5267510c63cfd3f36ee912d5d9c367991b33b61b41a
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-03T22:15:00Z UTC
Last seen:
2025-12-18T10:56:00Z UTC
Hits:
~100
Detections:
BSS:Trojan.Win32.Generic.nblk BSS:Trojan.Win32.Generic VHO:Trojan.Win32.Agent.xcaqwv Trojan.Win32.Agent.xcaqwv Trojan.Win32.Agent.sb not-a-virus:RemoteAdmin.MSIL.ConnectWise.d not-a-virus:RemoteAdmin.MSIL.ConnectWise.c not-a-virus:RemoteAdmin.MSIL.ConnectWise.b not-a-virus:HEUR:RemoteAdmin.MSIL.ConnectWise.gen not-a-virus:RemoteAdmin.MSIL.ConnectWise.a
Link:
https://opentip.kaspersky.com/fab6011a3cb8ae1a26d6b5267510c63cfd3f36ee912d5d9c367991b33b61b41a/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/61b4965e-0209-4eff-b3aa-b98168d568b9
Score:
68%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/fab6011a3cb8ae1a26d6b5267510c63cfd3f36ee912d5d9c367991b33b61b41a
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/48e88faab27bd4099864b48d84edd8f6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fab6011a3cb8ae1a26d6b5267510c63cfd3f36ee912d5d9c367991b33b61b41a/
Verdict:
Malicious
Threat:
RemoteAdmin.MSIL.ConnectWise
Link:
https://tip.neiki.dev/file/fab6011a3cb8ae1a26d6b5267510c63cfd3f36ee912d5d9c367991b33b61b41a
Threat name:
Win32.Trojan.Malgent
Create hunting rule
Status:
Malicious
First seen:
2025-11-04 03:06:30 UTC
File Type:
PE (Exe)
AV detection:
3 of 24 (12.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7k3acgr4xcxbujwwwuthkegght6t6nxosewv3hbwpgi3go3bwqna._file
Verdict:
malicious
Label(s):
admintool_screenconnect
Create hunting rule
Similar samples:
046a308ce6f588c842234d66c1bd770176419465a7769df9c98b0834e3fa02c7
1c7af2a207fb45a7c54613e5f7d185ea20afe2d36fcff25f09e2163025eba216
88bcc4eacf3c0dd26c57dfdd42da085eeff0bcc4c1106eceeba466c0a05fc1e5
99e7b628ee17aca20a951378ea88373f0208e48b80fc85b8936099ae570b5a77
acaa6d40c3adbd7079e1411de4e33782ebd5c118baca2ab01562e7f2220e8eab
b6928d89c300d9d317a8ea884f382acba1af0237d93ae4d88d9821c780b41a0f
cdd8ac48dcfa2f4ea670ec74601f12c580d1c303e507532750ebcc0615952066
error
f50bb85de2859695c5a82a061f9bb4ca53a96df654b3555f67bcacb7150d53fc
fab6011a3cb8ae1a26d6b5267510c63cfd3f36ee912d5d9c367991b33b61b41a
fc7ee0a9cffabfd03e1b972bcbfd4504289482f86c83c391165ebe5253995ef9
+ 514 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
backdoor discovery execution installer persistence privilege_escalation rat revoked_codesign
Link:
https://tria.ge/reports/251217-nz8q2aex8a/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Inno Setup is an open-source installation builder for Windows applications.
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks installed software on the system
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Boot or Logon Autostart Execution: Authentication Package
Drops file in System32 directory
Event Triggered Execution: Component Object Model Hijacking
Enumerates connected drives
ConnectWise ScreenConnect remote access tool
Badlisted process makes network request
Binary is signed using a ConnectWise certificate revoked for key compromise.
Sets service image path in registry
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f0d28914-5183-4522-93d7-8a8b39e312f0
Unpacked files
SH256 hash:
fab6011a3cb8ae1a26d6b5267510c63cfd3f36ee912d5d9c367991b33b61b41a
MD5 hash:
48e88faab27bd4099864b48d84edd8f6
SHA1 hash:
9e277005ee94f1a9a8a415e5c4c1a49bef2d0901
Link:
https://www.unpac.me/results/2d4ed3b9-1652-4eda-84e2-08643a63b18e/
SH256 hash:
86dcd6f5f2dbd1be1d34b2f900b9d5398847806a8d36c91dd9160c5cfde7e4bb
MD5 hash:
fbd94012e4c9a2b56e81011d77cd0c89
SHA1 hash:
44a0277b6d602eff3b702b23494a6d269484c23c
Link:
https://www.unpac.me/results/2d4ed3b9-1652-4eda-84e2-08643a63b18e/
SH256 hash:
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95
MD5 hash:
e4211d6d009757c078a9fac7ff4f03d4
SHA1 hash:
019cd56ba687d39d12d4b13991c9a42ea6ba03da
Link:
https://www.unpac.me/results/2d4ed3b9-1652-4eda-84e2-08643a63b18e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fab6011a3cb8ae1a26d6b5267510c63cfd3f36ee912d5d9c367991b33b61b41a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/45316/

Comments