MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6edfeba1ca535a89feb8751fcf734da7879e6437c0711e590d927a49a0051a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b6edfeba1ca535a89feb8751fcf734da7879e6437c0711e590d927a49a0051a2
SHA3-384 hash: 574bb7db8e19858176b9fe06f6749fc266d6d392133e71694b794bdaef7dfde80c192a8c6a0776e6f98cabfee874e48f
SHA1 hash: cdee404e54cb233dbebf91d2f8d6ffed7b408240
MD5 hash: 3b19b903cf04ced975c3f0af87697aed
humanhash: eight-five-comet-oklahoma
File name:b6edfeba1ca535a89feb8751fcf734da7879e6437c0711e590d927a49a0051a2
Download: download sample
File size:18'432 bytes
First seen:2025-08-01 10:15:01 UTC
Last seen:2025-08-01 10:15:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6fe728beb491f222c537e9cfb4483b73
ssdeep 192:OAyCkbYdKJrycNVavGyE01zKxIPzS2EeI58i6j0EllmotntaEs1hzCsz:OQdWryaVo9vz6kvU8i6vLtntaB3zCW
TLSH T1B582F819B79790E9D386E07494F78F30F932BD610630AB3E2254E2391E31E96DD2E617
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10522/11/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter JAMESWT_WT
Tags:exe vvindowsupdate-org

Intelligence

File Origin
# of uploads :
2
# of downloads :
25
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b6edfeba1ca535a89feb8751fcf734da7879e6437c0711e590d927a49a0051a2
Verdict:
Malicious activity
Analysis date:
2025-08-01 10:15:38 UTC
Tags:
auto-reg advancedinstaller
Link:
https://app.any.run/tasks/39807445-deda-4433-bfd3-57e5d239baa2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/18286/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=688c93d30b4775fb21348a83
Tags:
dropper shell overt
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Running batch commands
Creating a file
Creating a process from a recently created file
Sending a custom TCP request
Creating a file in the %temp% directory
Сreating synchronization primitives
Searching for synchronization primitives
DNS request
Connection attempt
Changing a file
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
anti-debug obfuscated
Link:
https://www.filescan.io/uploads/688c93d63228e5a4037f0d16/reports/e742b709-2814-4213-8fe2-dc3097159a91/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/b6edfeba1ca535a89feb8751fcf734da7879e6437c0711e590d927a49a0051a2
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/bafe9e29-04c3-4907-8e2a-b2d1bccab19b
Score:
68%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/b6edfeba1ca535a89feb8751fcf734da7879e6437c0711e590d927a49a0051a2
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PE (Portable Executable) Win 64 Exe x64
Link:
https://app.malva.re/file/3b19b903cf04ced975c3f0af87697aed
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b6edfeba1ca535a89feb8751fcf734da7879e6437c0711e590d927a49a0051a2/
Verdict:
Malicious
Threat:
Trojan.Win32.Agent
Link:
https://tip.neiki.dev/file/b6edfeba1ca535a89feb8751fcf734da7879e6437c0711e590d927a49a0051a2
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w3w75oq4uu22rh7lq5i7z5zu3j4htzsdpqdrdzmq3et2jgqakgra._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
adware discovery persistence ransomware spyware
Link:
https://tria.ge/reports/250801-maldrsymx9/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Blocklisted process makes network request
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Drops file in Drivers directory
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/cd76a659-55c5-4aee-9919-e44ef96cdef5
Unpacked files
SH256 hash:
b6edfeba1ca535a89feb8751fcf734da7879e6437c0711e590d927a49a0051a2
MD5 hash:
3b19b903cf04ced975c3f0af87697aed
SHA1 hash:
cdee404e54cb233dbebf91d2f8d6ffed7b408240
Link:
https://www.unpac.me/results/6d968e94-9ed6-413b-a2d8-a2b352440855/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b6edfeba1ca535a89feb8751fcf734da7879e6437c0711e590d927a49a0051a2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/18286/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
CHECK_TRUST_INFORequires Elevated Execution (uiAccess:None)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA

Comments