MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b03a064f1ff98daecdebf387464a06565549a057949a13e1fd23330514874d2e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mydoom

Vendor detections: 15

Intelligence 15 IOCs YARA 5 File information Comments

SHA256 hash:	b03a064f1ff98daecdebf387464a06565549a057949a13e1fd23330514874d2e
SHA3-384 hash:	cb2c47a045c83fffca2726e4f4f5b54b7f6d4083a9345851023ea42e372c0572e83b79c62ec5770c8587fa090436cde0
SHA1 hash:	efc6510c0a587f30a054648ae2675d2fa4ee847b
MD5 hash:	68f9bebd6cb2b84cad556be235fd38b3
humanhash:	apart-autumn-blossom-blue
File name:	svchost.exe
Download:	download sample
Signature	Mydoom Create hunting rule
File size:	290'288 bytes
First seen:	2025-11-23 09:28:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	bf5a4aa99e5b160f8521cadd6bfe73b8 (432 x RedLineStealer, 31 x AgentTesla, 12 x DCRat)
ssdeep	6144:RDKW1Lgbdl0TBBvjc/WTl51Rr8g7eG/flj:hh1Lk70TnvjcuT/1RgyNN
TLSH	T16954D02471C1C1B3C4B7453044E6CB7A9A6A70714B7AD6D7B6DD1BBA2F203E1A3362C9
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	Hexastrike
Tags:	exe Mydoom

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/40755/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.UNOFFICIAL

ditekSHen.MALWARE.Win.Trojan.RedLine-1.UNOFFICIAL

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Сreating synchronization primitives

Running batch commands

Using the Windows Management Instrumentation requests

Launching the process to change the firewall settings

Launching a service

Creating a window

Creating a file in the %temp% directory

Launching a process

Changing a file

Modifies multiple files

Modifying an executable file

Creating a file in the Program Files subdirectories

Creating a file in the Program Files directory

Moving a file to the Program Files directory

Moving a file to the Program Files subdirectory

Query of malicious DNS domain

Deleting volume shadow copies

Enabling autorun for a service

Blocking the Windows Defender launch

Creating a file in the mass storage device

Enabling autorun by creating a file

Encrypting user's files

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug fingerprint microsoft_visual_cc packed

Link:

https://www.filescan.io/uploads/6922de8aeecb08e4aa45a3f4/reports/043bd843-9136-4c08-9e63-ac684f1428eb/overview

Verdict:

Malicious

Labled as:

MSIL.Krypt..Generic

Link:

https://www.hybrid-analysis.com/sample/b03a064f1ff98daecdebf387464a06565549a057949a13e1fd23330514874d2e

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-11-23T05:22:00Z UTC

Last seen:

2025-11-23T13:39:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/b03a064f1ff98daecdebf387464a06565549a057949a13e1fd23330514874d2e/results?tab=lookup

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/b03a064f1ff98daecdebf387464a06565549a057949a13e1fd23330514874d2e

Verdict:

Malware

YARA:

5 match(es)

Tags:

.Net Obfuscator .Net Reactor Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/68f9bebd6cb2b84cad556be235fd38b3

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b03a064f1ff98daecdebf387464a06565549a057949a13e1fd23330514874d2e/

Threat name:

Win32.Infostealer.ClipBanker

Status:

Malicious

First seen:

2025-11-23 10:12:57 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 38 (68.42%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wa5amty77gg25tpl6odumsqgkzkuticxssnbhyp5emzqkfehjuxa._file

Result

Malware family:

lockbit

Score:

10/10

Tags:

family:lockbit credential_access defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware spyware stealer trojan

Link:

https://tria.ge/reports/251123-l9xemsep6x/

Behaviour

Modifies Control Panel

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System policy modification

Uses Volume Shadow Copy service COM API

Browser Information Discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Sets desktop wallpaper using registry

Drops desktop.ini file(s)

Enumerates connected drives

Credentials from Password Stores: Windows Credential Manager

Drops startup file

Reads user/profile data of web browsers

Modifies Windows Firewall

Deletes shadow copies

Lockbit

Lockbit family

Modifies Windows Defender DisableAntiSpyware settings

Modifies Windows Defender Real-time Protection settings

Verdict:

Malicious

Tags:

trojan stealer redline Ransomware

YARA:

MAL_Malware_Imphash_Mar23_1 MALWARE_Win_RedLine

Link:

https://app.threat.zone/submission/62d701e8-2562-445d-8acb-9f0abddaaf3a

Unpacked files

SH256 hash:

7916c7ad1a33531f941d9ada771ade2f5825ef4fc9f8473f8a988ecb16525dd8

MD5 hash:

2da8ab1192187d1f9cf02aed04b0d0b7

SHA1 hash:

326db513af5a9f898c4870ebbc62e7cd5fd71690

Link:

https://www.unpac.me/results/944ed571-05cf-4d5c-9ba0-f2c8d46955b0/

SH256 hash:

38f803929f3400537abce3adb27fb360a562bb58ef6fef5670d8eda1af042cb9

MD5 hash:

901ae11d5e7648350343469a92fad606

SHA1 hash:

29ba6d7d33c1b73033258f5c353e6f3077c45109

Link:

https://www.unpac.me/results/944ed571-05cf-4d5c-9ba0-f2c8d46955b0/

SH256 hash:

3ecc851f78b3b15e55286ea9a5c65768fb76926cbb0f3ba2d2e25428161a5636

MD5 hash:

1749756ce0d5aa3bc1c1c438e9073304

SHA1 hash:

2b7efaff47e88529ac3e2a06a12c3fe247c21e08

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/944ed571-05cf-4d5c-9ba0-f2c8d46955b0/

SH256 hash:

aa8fa2b43642ca1afae15729681dc278d6fd76598b4ad1683b47e6b7380c6300

MD5 hash:

1274ec9459376110ed7d299788f25c2d

SHA1 hash:

3eb6da2c2bd78f511b2e966485efeaf40e22f505

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/944ed571-05cf-4d5c-9ba0-f2c8d46955b0/

SH256 hash:

b03a064f1ff98daecdebf387464a06565549a057949a13e1fd23330514874d2e

MD5 hash:

68f9bebd6cb2b84cad556be235fd38b3

SHA1 hash:

efc6510c0a587f30a054648ae2675d2fa4ee847b

Detections:

win_samsam_auto

Link:

https://www.unpac.me/results/944ed571-05cf-4d5c-9ba0-f2c8d46955b0/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b03a064f1ff9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b03a064f1ff98daecdebf387464a06565549a057949a13e1fd23330514874d2e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MAL_Malware_Imphash_Mar23_1 Create hunting rule
Author:	Arnim Rupp
Description:	Detects malware by known bad imphash or rich_pe_header_hash
Reference:	https://yaraify.abuse.ch/statistics/

Rule name:	win_samsam_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/40755/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample