MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6d0a7812291ecc34bdf6e9a8b04f3a3d1b64199b177f818e098bb68f316ad5a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Miniduke


Vendor detections: 10


Intelligence 10 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d6d0a7812291ecc34bdf6e9a8b04f3a3d1b64199b177f818e098bb68f316ad5a
SHA3-384 hash: b737e8517a2a0be67f39a93067095b3d7c160edb49b377a9b192b41c790bf2da5a5487480124fbd0259031f7dfb171ea
SHA1 hash: f0014c47fef5ac9b3109d9805d283cfb7148f090
MD5 hash: 63c3d3c4bc50398a1207e6ba57da7bdd
humanhash: romeo-salami-network-river
File name:svchost.exe
Download: download sample
Signature Miniduke
Create hunting rule
File size:178'688 bytes
First seen:2025-11-23 09:30:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash edf0659abd5188c18e493cb2537cb8d9 (38 x Miniduke)
ssdeep 3072:KZ/LhS0rKgHq+rFLIwgoovufDUbZeYIWJkWh5Se:+/LhS0rKE/FLITo9mTIWWW3
Threatray 26 similar samples on MalwareBazaar
TLSH T180048E3533F580B1E53316B46DF1AB72967EBC384A71858B9BA41B5F2E34A918339307
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter Hexastrike
Tags:exe miniduke

Intelligence

File Origin
# of uploads :
1
# of downloads :
16
Origin country :
IE IE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/40890/
Gathering data
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug base64 cmd crypto evasive explorer fingerprint keylogger lolbin microsoft_visual_cc
Link:
https://www.filescan.io/uploads/6922e119eecb08e4aa45a61b/reports/05cc5ea2-acf9-4db0-9933-31ac3e02131d/overview
Verdict:
Malicious
Labled as:
Backdoor.CosmicDuke
Link:
https://www.hybrid-analysis.com/sample/d6d0a7812291ecc34bdf6e9a8b04f3a3d1b64199b177f818e098bb68f316ad5a
Result
Gathering data
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d6d0a7812291ecc34bdf6e9a8b04f3a3d1b64199b177f818e098bb68f316ad5a
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/63c3d3c4bc50398a1207e6ba57da7bdd
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d6d0a7812291ecc34bdf6e9a8b04f3a3d1b64199b177f818e098bb68f316ad5a/
Threat name:
Win32.Backdoor.MiniDuke
Create hunting rule
Status:
Malicious
First seen:
2025-11-22 15:03:53 UTC
File Type:
PE (Exe)
AV detection:
30 of 36 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=23ikpajcshwmgs67n2niwbhtupi3mqmzwf37qghatc5wr4ywvvna._file
Verdict:
malicious
Label(s):
cosmicduke
Create hunting rule
Similar samples:
5d74919198834de59ddbf74322fc291019df6bd42319a9eceb8c4a9a932870a1
Miniduke
77cd2b705612246823a22afa826ac4a67d8c6a9fd0f9559abf9d7304703be2bd
Miniduke
b271c9dd501c979a89da93d128f80d76602e6f048245d33986c8cb26518c5458
Miniduke
b5c571cbe24b37359eb4018bac19e37a2ffc6108d6d1cb5c8c22640397c47596
Miniduke
b62402660d896c3c694e494a638c80b46d93c5b126ffc2f59c7023d8c5455339
Miniduke
c8f977ded6caa261174a6b6c4bc7ce2db2fc5913ffb37086b6a2d0c13c9e682d
Miniduke
ca173bac741566c19ba62d3002a3044b064ebcf21a0c2ce4c31e068a3b048c33
Miniduke
error
Miniduke
+ 16 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/251123-mf6xnatpb1/
Behaviour
Program crash
System Location Discovery: System Language Discovery
Verdict:
Malicious
Tags:
apt Win.Trojan.Zusy-9876296-0
YARA:
detect_apt_APT29
Link:
https://app.threat.zone/submission/aee984d4-c887-4450-80dd-090c3c0936bd
Unpacked files
SH256 hash:
d6d0a7812291ecc34bdf6e9a8b04f3a3d1b64199b177f818e098bb68f316ad5a
MD5 hash:
63c3d3c4bc50398a1207e6ba57da7bdd
SHA1 hash:
f0014c47fef5ac9b3109d9805d283cfb7148f090
Detections:
win_cosmicduke_w0
Create hunting rule
win_cosmicduke_auto
Create hunting rule
Link:
https://www.unpac.me/results/c0d0060b-2caf-4a6d-81a8-2087383856a3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d6d0a7812291ecc34bdf6e9a8b04f3a3d1b64199b177f818e098bb68f316ad5a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:detect_apt_APT29
Create hunting rule
Author:@malgamy12
Description:detect_APT32_malware
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:win_cosmicduke_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.cosmicduke.
Rule name:win_cosmicduke_w0
Create hunting rule
Author:@malgamy12
Description:detect cosmicduke

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/40890/

Comments