MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01f844ca8f535c4fe372d4e6f256ad60d08e795939ce212d519e239e490c74c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 11

Intelligence 11 IOCs YARA 6 File information Comments

SHA256 hash:	01f844ca8f535c4fe372d4e6f256ad60d08e795939ce212d519e239e490c74c1
SHA3-384 hash:	fbf7cde61806c73c906f83aee366be653be8f13e17ae872e06d622db0e974aec18142ba8e22e4c727b0bf4d84c637a59
SHA1 hash:	64e92ed1129642fe06eda70faebda7b6e64228dc
MD5 hash:	5b53cbb17b2c8a64971c7fc786ca51b6
humanhash:	red-skylark-maryland-mango
File name:	November bill.exe
Download:	download sample
File size:	13'128'808 bytes
First seen:	2025-12-08 12:07:55 UTC
Last seen:	2025-12-13 06:39:41 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	e8ac1646024d52d1534a88da2e8037cd (9 x OffLoader, 9 x HijackLoader, 7 x ValleyRAT)
ssdeep	393216:0D3LETiahjlT+z6m1NbiQNWkTTmZSi+3AegJCt8Gm5:3lj5+Wm1NbiIBGo3JgJC2P5
TLSH	T15CD63313B24E673EF06E453959739900457FBA60681E8CB79BF4494CCE2E0A41E6EF46
TrID	60.0% (.EXE) Inno Setup installer (107240/4/30) 23.2% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 5.8% (.EXE) Win64 Executable (generic) (10522/11/4) 3.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 2.5% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	SquiblydooBlog
Tags:	exe signed Wenzhou-Feixun-Internet-Technology-Co-Ltd

Code Signing Certificate

Organisation:	Wenzhou Feixun Internet Technology Co., Ltd.
Issuer:	Sectigo Public Code Signing CA EV R36
Algorithm:	sha256WithRSAEncryption
Valid from:	2025-11-25T00:00:00Z
Valid to:	2026-11-25T23:59:59Z
Serial number:	d5ac27bd4f6fdf41bd91c2162eb343e1
Intelligence:	3 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Graveyard Blocklist:	This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:	SHA256
Thumbprint:	dbfe27179b70a85c063975612322d1890c151f918fb5c46033c9fcac844dabe1
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/7c5b7b66-fac2-4034-b184-fc395ceb239f/

Malware family:

n/a

ID:

File name:

November bill.exe

Verdict:

No threats detected

Analysis date:

2025-12-08 12:09:52 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/7193b169-4f95-49d5-8e9b-bc6e84ccbd2b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/42993/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6936bfb5881313558a2b7e68

Tags:

dropper overt crypt

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

adaptive-context crypt embarcadero_delphi fingerprint inno installer installer installer-heuristic overlay packed signed

Link:

https://www.filescan.io/uploads/6936bfb1bba50eaf0426d0e9/reports/f2b4bc2d-f67b-4a63-805e-d7ad8798f1cf/overview

Verdict:

Suspicious

Labled as:

Backdoor.MSIL.XWorm.gen

Link:

https://www.hybrid-analysis.com/sample/01f844ca8f535c4fe372d4e6f256ad60d08e795939ce212d519e239e490c74c1

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-12-08T06:06:00Z UTC

Last seen:

2025-12-10T04:32:00Z UTC

Hits:

~10

Detections:

Trojan.Win32.Agentb.tnzg

Link:

https://opentip.kaspersky.com/01f844ca8f535c4fe372d4e6f256ad60d08e795939ce212d519e239e490c74c1/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/7f418603-9d3a-4d90-a72f-0076f7a0a1d5

Score:

69%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/01f844ca8f535c4fe372d4e6f256ad60d08e795939ce212d519e239e490c74c1

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/5b53cbb17b2c8a64971c7fc786ca51b6

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/01f844ca8f535c4fe372d4e6f256ad60d08e795939ce212d519e239e490c74c1/

Verdict:

Clean

Link:

https://tip.neiki.dev/file/01f844ca8f535c4fe372d4e6f256ad60d08e795939ce212d519e239e490c74c1

Threat name:

Win32.Malware.Heuristic

Status:

Malicious

First seen:

2025-12-08 09:53:36 UTC

File Type:

PE (Exe)

AV detection:

13 of 38 (34.21%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ah4ejsupknoe7y3s2ttpevvnmdii46kzhhhcclkrtyrz4simotaq._file

Result

Malware family:

n/a

Score:

4/10

Tags:

discovery installer

Link:

https://tria.ge/reports/251208-pa1vkaxkek/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Inno Setup is an open-source installation builder for Windows applications.

System Location Discovery: System Language Discovery

Executes dropped EXE

Loads dropped DLL

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/8c760c0f-3c31-43f4-b031-d75bb480720e

Unpacked files

SH256 hash:

01f844ca8f535c4fe372d4e6f256ad60d08e795939ce212d519e239e490c74c1

MD5 hash:

5b53cbb17b2c8a64971c7fc786ca51b6

SHA1 hash:

64e92ed1129642fe06eda70faebda7b6e64228dc

Link:

https://www.unpac.me/results/46a21979-937b-44d7-8e09-9f64ce1b34a3/

SH256 hash:

9c49e12b8efbec85aaa5d59e90929154b7a5c50c5e9303c421af3c38f59c48a0

MD5 hash:

1a9243ee38a79e9b8549a08a5104c12d

SHA1 hash:

887d84388e2b4c9e7bf1a83ddea31f910589f8d2

Link:

https://www.unpac.me/results/46a21979-937b-44d7-8e09-9f64ce1b34a3/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/01f844ca8f535c4fe372d4e6f256ad60d08e795939ce212d519e239e490c74c1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/42993/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample