MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ffed8cd32c68d30a9e0f3d4484084982ca92667a99ade3bf32d58125dcd15f5e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ffed8cd32c68d30a9e0f3d4484084982ca92667a99ade3bf32d58125dcd15f5e
SHA3-384 hash: 44f29e276b099ff9bf8f71954145925fba8e9b813cacb40b68923ddf0f5e503d8bd66c25e012322c7da35291225a0faa
SHA1 hash: 84c3607059ae07aa235e024a64d29b7a1917ac1f
MD5 hash: df3d98afcbcaeac9be2f432baab7a01b
humanhash: spaghetti-pip-connecticut-freddie
File name:vbox.exe
Download: download sample
File size:78'984'864 bytes
First seen:2025-10-14 20:44:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (536 x GuLoader, 115 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 1572864:h+lI1JXiwRj/GueJgV2ycBOmY0+pu/8Rzwn8b/NgJ6VFWjCO:Elg9ia/MzTY0QPzOjCO
TLSH T11A0833FA688D0303F597C3790C35A647C5DA3AFB7925116FB9A20A3CDD8950CEF12866
TrID 37.3% (.EXE) Win64 Executable (generic) (10522/11/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.9% (.EXE) Win32 Executable (generic) (4504/4/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter smica83
Tags:exe RIMMA LLC signed

Code Signing Certificate

Organisation:RIMMA LLC
Issuer:GlobalSign GCC R45 EV CodeSigning CA 2020
Algorithm:sha256WithRSAEncryption
Valid from:2025-09-22T08:37:15Z
Valid to:2025-12-05T06:54:26Z
Serial number: 509cc777a842a8edc4f7e28f
Cert Graveyard Blocklist:This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:SHA256
Thumbprint: dbc6007e7f737752bf0da0c070e194f82d8a1f5a4211747870690997667fc62e
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
123
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
_ffed8cd32c68d30a9e0f3d4484084982ca92667a99ade3bf32d58125dcd15f5e
Verdict:
Suspicious activity
Analysis date:
2025-10-14 21:02:31 UTC
Tags:
nodejs
Link:
https://app.any.run/tasks/04fbb743-95d6-4e6b-9358-a664f3b33701

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Clean
Score:
82.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68eeb6c304e22ce9acda26d8
Tags:
n/a
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Searching for the window
Sending a custom TCP request
Сreating synchronization primitives
Creating a process from a recently created file
Creating a window
Searching for synchronization primitives
Unauthorized injection to a recently created process
Launching a process
Loading a suspicious library
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Creating a file
DNS request
Connection attempt
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
adaptive-context installer microsoft_visual_cc obfuscated overlay packed packed packer_detected signed threat
Link:
https://www.filescan.io/uploads/68eeb6b04f3013c55e4de088/reports/5d355a82-ce6e-4329-8aef-73323aadf89e/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/ffed8cd32c68d30a9e0f3d4484084982ca92667a99ade3bf32d58125dcd15f5e
Verdict:
Adware
File Type:
exe x32
First seen:
2025-10-14T09:38:00Z UTC
Last seen:
2025-10-14T12:03:00Z UTC
Hits:
~10
Detections:
RemoteAdmin.NetSup.HTTP.C&C not-a-virus:RemoteAdmin.Win32.NetSup.ce RemoteAdmin.NetSup.UDP.C&C
Link:
https://opentip.kaspersky.com/ffed8cd32c68d30a9e0f3d4484084982ca92667a99ade3bf32d58125dcd15f5e/results?tab=lookup
Result
Threat name:
n/a
Detection:
suspicious
Classification:
n/a
Score:
20 / 100
Link:
https://www.joesandbox.com/analysis/1795296
Signature
Drops large PE files
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1795296 Sample: vbox.exe Startdate: 14/10/2025 Architecture: WINDOWS Score: 20 36 x1.i.lencr.org 2->36 38 e8652.dscx.akamaiedge.net 2->38 40 3 other IPs or domains 2->40 9 vbox.exe 181 2->9         started        process3 file4 28 C:\Users\user\AppData\Local\...\nsis7z.dll, PE32 9->28 dropped 30 C:\Users\user\AppData\Local\...\System.dll, PE32 9->30 dropped 32 C:\Users\user\AppData\Local\...\vulkan-1.dll, PE32+ 9->32 dropped 34 12 other files (none is malicious) 9->34 dropped 48 Drops large PE files 9->48 13 Office.exe 3 4 9->13         started        signatures5 process6 dnsIp7 46 api.github.com 140.82.113.6, 443, 49704 GITHUBUS United States 13->46 16 Acrobat.exe 59 13->16         started        18 Office.exe 1 13->18         started        20 Office.exe 1 13->20         started        process8 process9 22 AcroCEF.exe 104 16->22         started        dnsIp10 42 e8652.dscx.akamaiedge.net 23.201.89.42, 49699, 80 AKAMAI-ASUS United States 22->42 25 AcroCEF.exe 22->25         started        process11 dnsIp12 44 23.197.208.205, 443, 49702 AKAMAI-ASUS United States 25->44
Score:
62%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/ffed8cd32c68d30a9e0f3d4484084982ca92667a99ade3bf32d58125dcd15f5e
Gathering data
Verdict:
Malicious
Threat:
RemoteAdmin.NetSup.UDP
Link:
https://tip.neiki.dev/file/ffed8cd32c68d30a9e0f3d4484084982ca92667a99ade3bf32d58125dcd15f5e
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=77wyzuzmndjqvhqphvciiccjqlfjezt2tgw6hpzs2waslxgrl5pa._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
adware discovery link pdf spyware
Link:
https://tria.ge/reports/251014-zkfbqavpz6/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6b7402ef-46cf-4421-871a-5dd3d6130410
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe ffed8cd32c68d30a9e0f3d4484084982ca92667a99ade3bf32d58125dcd15f5e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3626036/
  
Delivery method
Distributed via web download

Comments