MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 fce5f95d9a8d8a4003af3fd63365d5f3a7746536d054d290534674fa8ef4b844. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Mimic
Vendor detections: 15
| SHA256 hash: | fce5f95d9a8d8a4003af3fd63365d5f3a7746536d054d290534674fa8ef4b844 |
|---|---|
| SHA3-384 hash: | 8f079b505169453debf72bf4a40d4173468f404ed0e771e99319a0f78c6fb38661c52fcb9628d8e760e5d763844289c7 |
| SHA1 hash: | 9a078dd23ea1858dc551544e3204b45c8a7b7896 |
| MD5 hash: | dc5b33705ec2d25b3c96f9075fc88d24 |
| humanhash: | hydrogen-double-fish-butter |
| File name: | SecuriteInfo.com.PowerShell.Dropper.54.2734.21994 |
| Download: | download sample |
| Signature | Mimic |
| File size: | 5'349'799 bytes |
| First seen: | 2025-08-22 13:20:23 UTC |
| Last seen: | 2025-08-22 14:19:11 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f6baa5eaa8231d4fe8e922a2e6d240ea (61 x CoinMiner, 22 x DCRat, 15 x LummaStealer) |
| ssdeep | 98304:1gwR9CnkgpzeHXDmSZwuK5oGUhnCUwQRhNJrZ3tVjRSt/Cgu1i782PKlVQSxRfs:1guCtpzMzmSZwPnAwMj/wtKgMu2ET |
| Threatray | 973 similar samples on MalwareBazaar |
| TLSH | T11446334072A959F5F15E1E7485592B6BDAE51E21073A43CBEB8738849EB13C3933A3C3 |
| TrID | 38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 24.6% (.EXE) Win64 Executable (generic) (10522/11/4) 11.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 10.5% (.EXE) Win32 Executable (generic) (4504/4/1) 4.7% (.EXE) OS/2 Executable (generic) (2029/13) |
| Magika | pebin |
| dhash icon | 68e0c0c4c4c4c4d8 (1 x Mimic) |
| Reporter |  SecuriteInfoCom |
| Tags: | exe Mimic |
Intelligence
File Origin
# of uploads :
2
# of downloads :
46
Origin country :
FRVendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.PowerShell.Dropper.54.2734.21994
Verdict:
Malicious activity
Analysis date:
2025-08-22 13:21:47 UTC
Tags:
auto-reg mimic ransomware everything tool auto generic themida
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Verdict:
Malicious
Score:
96.5%
Tags:
virus shell sage
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
Creating a file in the Program Files subdirectories
Launching cmd.exe command interpreter
Creating a service
Launching a service
Сreating synchronization primitives
Creating a file
Moving a recently created file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Enabling autorun for a service
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
adaptive-context fingerprint installer keylogger masquerade microsoft_visual_cc obfuscated overlay overlay
Verdict:
Malicious
Labled as:
Strictor.Generic
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-08-22T10:33:00Z UTC
Last seen:
2025-08-22T10:33:00Z UTC
Hits:
~10
Verdict:
Malicious
Score:
55%
Verdict:
Susipicious
File Type:
PE
Verdict:
Malware
YARA:
5 match(es)
Tags:
DeObfuscated Executable PE (Portable Executable) PE File Layout PowerShell SFX 7z Win 32 Exe x86
Threat name:
Win32.Trojan.Egairtigado
Status:
Malicious
First seen:
2025-08-22 13:22:44 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
17 of 24 (70.83%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
elpaco-team
Similar samples:
+ 963 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
8/10
Tags:
defense_evasion discovery execution upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
UPX packed file
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Executes dropped EXE
Modifies trusted root certificate store through registry
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Unpacked files
SH256 hash:
fce5f95d9a8d8a4003af3fd63365d5f3a7746536d054d290534674fa8ef4b844
MD5 hash:
dc5b33705ec2d25b3c96f9075fc88d24
SHA1 hash:
9a078dd23ea1858dc551544e3204b45c8a7b7896
SH256 hash:
e37aa72bca3cecb9bdbe51cbd81ec1143bb17163088a1379a4ccb93f5d881e76
MD5 hash:
5cac4fe734fc8454ccb847e030beee38
SHA1 hash:
34298fe220e35f614b2c837cf1dc2604ab0882d6
SH256 hash:
ad80064f71d273967dcf0b14b9cd6e84d79a132231d619687d9266c7807bdfe0
MD5 hash:
a35ee23aaab26afc575ac83df9572b57
SHA1 hash:
81ea38c694ce9702faddfb961f17c1bbf628a76d
SH256 hash:
00b9c0120df0595184523a3620ef9b3c3e11fc0e61d366d7eeabb646647cfceb
MD5 hash:
bd1f243ee2140f2f6118a7754ea02a63
SHA1 hash:
cdf7dd7dd1771edcc473037af80afd7e449e30d9
SH256 hash:
0377585ec50ed2e1b3d8519be272599f31024accd20b484ddae8240e09cc83b4
MD5 hash:
13d3997b43c3d5cbafb0ff10b6f0dee1
SHA1 hash:
e650a76f3fa8d28e2ff3751ccf44d124ef2b82bd
SH256 hash:
6418eb297a02afbd26f1879788e5183187c436228549fbfb352dd8e265045ef8
MD5 hash:
14ca2ec50d33ac4fe040fb2a2d2a68e6
SHA1 hash:
b8ce84a3935ebcc5356914e0f7514dbf79ab106a
SH256 hash:
90e4fda3fd011ee222a1a7e45b6c0b19b4ec43641ea531c155571ad6a7506873
MD5 hash:
664bf2b5f4d908ef450c77bf8729f193
SHA1 hash:
d3b9f8b9f72f4593e1962e210cf322c55e4b87e5
SH256 hash:
9ffc9a3660fb1bcca02dd1755eab3e5ac3c246696ca90cd72974169d21a058b1
MD5 hash:
523209491245bf77e8f3343e6486f32a
SHA1 hash:
38126e3b86152e48ea29809ed0857f687b928e9a
SH256 hash:
bc19c1decb78449aaa32d00ec35734906da296d1ea11772656b36a1ad234eeca
MD5 hash:
e795e7332cfef5dfd6f33c36dea20213
SHA1 hash:
8adf7414fdb2690f0055c2f2768796982478a22e
SH256 hash:
7916c7ad1a33531f941d9ada771ade2f5825ef4fc9f8473f8a988ecb16525dd8
MD5 hash:
2da8ab1192187d1f9cf02aed04b0d0b7
SHA1 hash:
326db513af5a9f898c4870ebbc62e7cd5fd71690
SH256 hash:
b6301160d2cceb9df1bb2d0548d65c31ecc38b694fa5efe67899935f19870fce
MD5 hash:
46857dedd8ea45006ec3ebff24739f8b
SHA1 hash:
47bd7d9f2eb13d178327769b964043887258390e
SH256 hash:
f457b1cb1b146ab07117e34dc50881ef787946a0311467d82469fdaa3e54884c
MD5 hash:
52b7073101ce2f83c85ed698f1ee0445
SHA1 hash:
cd2f016c79de7d4bf20d1366cc9483b610b4ffc2
SH256 hash:
9fe32efdb0bbc6ea00ad73415ce0ece86cd56f6d98bb9ced9f290bbc24baf848
MD5 hash:
519dd536e091d412aa575df4e2f054dd
SHA1 hash:
c11700ca56f43fbc2553095b3877a4abbaf47d8a
Malware family:
Mimic
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | CP_AllMal_Detector |
|---|---|
| Author: | DiegoAnalytics |
| Description: | CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication |
| Rule name: | observer |
|---|---|
| Author: | Michelle Khalil |
| Description: | This rule detects unpacked observer malware samples. |
| Rule name: | Sus_Obf_Enc_Spoof_Hide_PE |
|---|---|
| Author: | XiAnzheng |
| Description: | Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP) |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
Delivery method
Distributed via web download
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_NX | Missing Non-Executable Memory Protection | critical |
| CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high |
| CHECK_TRUST_INFO | Requires Elevated Execution (level:requireAdministrator) | high |
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| AUTH_API | Manipulates User Authorization | ADVAPI32.dll::AllocateAndInitializeSid ADVAPI32.dll::FreeSid |
| COM_BASE_API | Can Download & Execute components | ole32.dll::CoCreateInstance ole32.dll::CreateStreamOnHGlobal |
| SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::CheckTokenMembership |
| SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteW SHELL32.dll::ShellExecuteExW SHELL32.dll::SHGetFileInfoW |
| WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessW KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread |
| WIN_BASE_API | Uses Win Base API | KERNEL32.dll::LoadLibraryA KERNEL32.dll::GetDriveTypeW KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetStartupInfoA KERNEL32.dll::GetDiskFreeSpaceExW KERNEL32.dll::GetCommandLineW |
| WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::AssignProcessToJobObject |
| WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW KERNEL32.dll::GetSystemDirectoryW KERNEL32.dll::GetFileAttributesW KERNEL32.dll::FindFirstFileW |
| WIN_USER_API | Performs GUI Actions | USER32.dll::CreateWindowExA USER32.dll::CreateWindowExW |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.