MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe4bd8ac0fdb86b93778c391e5a801ba14d6353db5020a79aa6ed0666aa70f9d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 10

Intelligence 10 IOCs YARA 2 File information Comments

SHA256 hash:	fe4bd8ac0fdb86b93778c391e5a801ba14d6353db5020a79aa6ed0666aa70f9d
SHA3-384 hash:	4b1539d70f6f4e1ef02b1dbbd1d6bea73d7ec074513abde7b70a190f5ff26645a496c27bd5edd2b21207e6c654537fcb
SHA1 hash:	f01fd9ac3cbb67a0f955a30fd4b0e4f21da3cbf2
MD5 hash:	928cc98083fb8cc6b23745ee700da0e3
humanhash:	colorado-venus-autumn-crazy
File name:	setup (2).exe
Download:	download sample
File size:	72'413'109 bytes
First seen:	2026-03-16 09:15:52 UTC
Last seen:	2026-03-16 10:37:41 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	46ce5c12b293febbeb513b196aa7f843 (20 x GuLoader, 12 x RemcosRAT, 5 x VIPKeylogger)
ssdeep	1572864:h+SBp/xZQ9gGPs+2wi/6ca5KFJxIaZmu/jIpO+ZxPVxOG/+fiIrB41AXgbLnIi0/:h+SBBQ9gIslp6caQZhvWPlGu1AXKLI7/
TLSH	T130F733393DCEE1C1CB0BB8F47AE6AD156C57C0B950A737EA06723A51B4158290BBC7B4
TrID	50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 10.5% (.EXE) Win64 Executable (generic) (6522/11/2) 8.1% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	JAMESWT_WT
Tags:	exe steamcommunity-com-id-wafidsofaoaaiofs

Intelligence

File Origin

# of uploads :

# of downloads :

143

Origin country :

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/4b24f142-8a69-421a-b7a7-b2d454676bfe/

Malware family:

n/a

ID:

File name:

setup (2).exe

Verdict:

Malicious activity

Analysis date:

2026-03-16 09:18:03 UTC

Tags:

python doc-url arch-exec arch-doc ransomware

Link:

https://app.any.run/tasks/65dc991c-60ed-4cfa-a94a-3e82b4ca27ca

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Clean

Score:

89.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69b7ca7088c80c01586ab20f

Tags:

n/a

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a file

Creating a process from a recently created file

DNS request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

adaptive-context anti-debug expired-cert installer installer installer-heuristic microsoft_visual_cc nsis short-lived-cert soft-404

Link:

https://www.filescan.io/uploads/69b7ca65493cb7d62dffa0ae/reports/4278c028-bb88-4e9a-b418-897e875d8b60/overview

Verdict:

Suspicious

Labled as:

Malware_55.1

Link:

https://www.hybrid-analysis.com/sample/fe4bd8ac0fdb86b93778c391e5a801ba14d6353db5020a79aa6ed0666aa70f9d

Verdict:

Malicious

File Type:

exe x32

Detections:

HEUR:Trojan.Win32.Agentb.gen

Link:

https://opentip.kaspersky.com/fe4bd8ac0fdb86b93778c391e5a801ba14d6353db5020a79aa6ed0666aa70f9d/results?tab=lookup

Score:

96%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/fe4bd8ac0fdb86b93778c391e5a801ba14d6353db5020a79aa6ed0666aa70f9d

Gathering data

Verdict:

Malicious

Threat:

Trojan.Win32.Agentb

Link:

https://tip.neiki.dev/file/fe4bd8ac0fdb86b93778c391e5a801ba14d6353db5020a79aa6ed0666aa70f9d

Threat name:

Win32.Dropper.Muddywater

Status:

Malicious

First seen:

2026-03-07 01:04:01 UTC

File Type:

PE (Exe)

Extracted files:

1252

AV detection:

3 of 36 (8.33%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7zf5rlap3odlsn3yyoi6lkabxiknmnj5wubau6nkn3igm2vhb6oq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery

Link:

https://tria.ge/reports/260316-k8mndaas9y/

Behaviour

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Detect_NSIS_Nullsoft_Installer Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects NSIS installers by .ndata section + NSIS header string

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample