MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01a970d4babfcc5be59ebefa425e49f1e349745e42ff492f45c43c49ab5474ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 01a970d4babfcc5be59ebefa425e49f1e349745e42ff492f45c43c49ab5474ec
SHA3-384 hash: bba40a9fdd31636d0df499490a1ab53898583d32fb687240dd5e39d56a437b48f381a587ec0b84d028d3d792a8e327e6
SHA1 hash: ee3d4992483304e37e6b56bd38114ef3982ae92e
MD5 hash: efddc8e031c796bf9aeccb705c458080
humanhash: north-nine-hawaii-moon
File name:01a970d4babfcc5be59ebefa425e49f1e349745e42ff492f45c43c49ab5474ec.bat
Download: download sample
File size:6'312'892 bytes
First seen:2025-08-17 11:04:05 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 49152:sJVQ+h7XVjWM367JUZjDKTayP8rpEG/e1RCsEpXuSv66YGEs3m/Jpev4nxyBOroE:N
Threatray 34 similar samples on MalwareBazaar
TLSH T1DB563321DBD63E144193D23EB0066D69AFCECF6209ADD4EB722D19C20BEF1AC186F551
Magika txt
Reporter JAMESWT_WT
Tags:23-160-168-165 bat

Intelligence

File Origin
# of uploads :
1
# of downloads :
29
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
01a970d4babfcc5be59ebefa425e49f1e349745e42ff492f45c43c49ab5474ec.bat
Verdict:
No threats detected
Analysis date:
2025-08-17 11:04:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/22b67841-8c2f-4198-b90c-852b6343c77c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/21805/
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68a1b7488fd55a79c5285fa6
Tags:
obfuscate shell sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
agenttesla anti-vm anti-vm base64 cmd evasive findstr fingerprint lolbin obfuscated packed powershell reconnaissance stealer
Link:
https://www.filescan.io/uploads/68a1b745a4bdac9f5b9a60df/reports/74eeb06b-3134-4a56-905a-1d0bc9c0abe2/overview
Verdict:
Malicious
Labled as:
Trojan/BAT.Agent
Link:
https://www.hybrid-analysis.com/sample/01a970d4babfcc5be59ebefa425e49f1e349745e42ff492f45c43c49ab5474ec
Score:
90%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/01a970d4babfcc5be59ebefa425e49f1e349745e42ff492f45c43c49ab5474ec
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/01a970d4babfcc5be59ebefa425e49f1e349745e42ff492f45c43c49ab5474ec/
Verdict:
Malicious
Threat:
Trojan.Win64.Kryplod
Link:
https://tip.neiki.dev/file/01a970d4babfcc5be59ebefa425e49f1e349745e42ff492f45c43c49ab5474ec
Threat name:
Script-BAT.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-04-03 11:52:00 UTC
File Type:
Text
AV detection:
9 of 38 (23.68%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aguxbvf2x7gfxzm6x35eexsj6hrus5c6il7usl2fyq6etk2uotwa._file
Verdict:
malicious
Label(s):
xwormloader
Create hunting rule
Similar samples:
0bdca06f58b0d24224256f5f7433bcf2ce87d3e08f87e9936290ad2532461406
199dfc21f65c5b4fba080e25c274a0635a715d45edd78ce6b246a1a9ac20a415
33aac84b649e5475245a4f58fd01eba93596780e78a5577ff951de815fee696e
3c6f4afbe94060c22998c090274c83e5163f6c08735cbbb641df0c65a8ae7e37
569abed215074edb9ba9b451f7834c27eb905c04e15941b2dd3a03bcef70e89d
7ccb8da9544544ab4486c43f09eb18dcc474706be496fb1ffe601b8b19f4b868
b41a11026fc14783151c3332d34e599a1fd98198effd097c9910669ca633a5d7
c0b082bae70e899007157ffc0267d41b7d80d6c42ee6f71a8c052cd9517cb845
c45628b9f65c92571bcd7f3b3799ae4215a006b5893d4879a279676007f9f141
d92fd1f359ea6cee13109181468106e381b66479c650dafcce8e3bde4e109e6c
error
+ 24 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion execution
Link:
https://tria.ge/reports/250817-m6jvtadm2x/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Modifies trusted root certificate store through registry
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/01a970d4babfcc5be59ebefa425e49f1e349745e42ff492f45c43c49ab5474ec

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/21805/

Comments