MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 062bd9a18ff847c86217d89ff6956a7e84ecd4244ba3a4feb9e2c1ded2cb9407. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 062bd9a18ff847c86217d89ff6956a7e84ecd4244ba3a4feb9e2c1ded2cb9407
SHA3-384 hash: b1c289829180955697dce637313cbf94df0c701d828f511b448ee63283d417704392dd42392bcacf577ff35530c6d8f7
SHA1 hash: 5a37ebd999498e68c55339d2c0c399a265ee84c1
MD5 hash: 3f267b62350803264160e3cdbb3ab134
humanhash: pasta-finch-colorado-solar
File name:file
Download: download sample
File size:8'192 bytes
First seen:2025-12-09 16:04:00 UTC
Last seen:2025-12-09 16:07:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 192:wY0sSWwQ3YdLVTLu0cdOkLeLKeOkrwSlCnxj1ha5k:R0ZQIdLxLjcdOkLeLxr9Cnx3
Threatray 6 similar samples on MalwareBazaar
TLSH T136F1D712FBE84676E53B0A32187363408779B366DD13CA1E5485610B9FA33554AA2FF2
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe fbf543


Avatar
Bitsight
url: http://178.16.55.189/files/7149348537/wmOV2d3.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
106
Origin country :
US US
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
_062bd9a18ff847c86217d89ff6956a7e84ecd4244ba3a4feb9e2c1ded2cb9407.exe
Verdict:
Malicious activity
Analysis date:
2025-12-09 16:04:38 UTC
Tags:
auto-startup crypto-regex pulsar rat
Link:
https://app.any.run/tasks/71f30fda-aded-4ea5-8f25-e09074566a1b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/44015/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69384883bde6a3e5970f66c9
Tags:
vmdetect autorun emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a file
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Launching a process
Using the Windows Management Instrumentation requests
Loading a suspicious library
Creating a window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Enabling autorun by creating a file
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/69384881900ee247e84051dc/reports/d47c1c9f-1577-4651-ac00-964d1b0bec86/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/062bd9a18ff847c86217d89ff6956a7e84ecd4244ba3a4feb9e2c1ded2cb9407
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-09T04:11:00Z UTC
Last seen:
2025-12-10T03:50:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.Shellcode.sb Trojan.MSIL.Crypt.sb HEUR:Trojan.Win32.Generic HEUR:Trojan.Win64.DLLhijack.gen Trojan.MSIL.Agent.sb HEUR:Trojan-Banker.MSIL.ClipBanker.gen Backdoor.MSIL.PulsarRAT.sb Backdoor.MSIL.PulsarRAT.bq Backdoor.MSIL.Agent.sb Trojan-PSW.MSIL.Agent.sb
Link:
https://opentip.kaspersky.com/062bd9a18ff847c86217d89ff6956a7e84ecd4244ba3a4feb9e2c1ded2cb9407/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/8e0ce63e-db44-40e0-a4c8-9ef6021b56da
Score:
78%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/062bd9a18ff847c86217d89ff6956a7e84ecd4244ba3a4feb9e2c1ded2cb9407
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.25 Win 32 Exe x86
Link:
https://app.malva.re/file/3f267b62350803264160e3cdbb3ab134
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/062bd9a18ff847c86217d89ff6956a7e84ecd4244ba3a4feb9e2c1ded2cb9407/
Verdict:
Clean
Link:
https://tip.neiki.dev/file/062bd9a18ff847c86217d89ff6956a7e84ecd4244ba3a4feb9e2c1ded2cb9407
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ayv5timp7bd4qyqx3cp7nflkp2cozvbejor2j7vz4la55uwlsqdq._file
Verdict:
malicious
Label(s):
quasarrat
Create hunting rule
Similar samples:
0455ebce0a62e2413a730a8e172cde5e6171d2a3569c4620c7e10a6ff04a3710
4c11c9bbd2047a1e8dc2fe3ed94c2d74914ff45e79cbd8b48fcd5c3f5eebe39d
9250584a4878cae6188ba7eafa667e4612afbfb89e2698bbc5ceb7fa17cddc08
e27288fcd6c3ccbadf90d37481ff6b407e31eeb33f775e5110be3e75401879b9
error
f4e4d9cc74ac2b174a5e3bc41c29eea3fbcbea79ff32f49535bb6a56c6523860
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/251209-th25tabk2t/
Behaviour
Suspicious use of AdjustPrivilegeToken
System Location Discovery: System Language Discovery
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/70c32055-2225-4b3b-bd18-75a5e885e7ad
Unpacked files
SH256 hash:
062bd9a18ff847c86217d89ff6956a7e84ecd4244ba3a4feb9e2c1ded2cb9407
MD5 hash:
3f267b62350803264160e3cdbb3ab134
SHA1 hash:
5a37ebd999498e68c55339d2c0c399a265ee84c1
Link:
https://www.unpac.me/results/b5089793-ef8e-4217-ba15-c78324a336ec/
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/062bd9a18ff8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.77
Link:
https://yomi.yoroi.company/submissions/062bd9a18ff847c86217d89ff6956a7e84ecd4244ba3a4feb9e2c1ded2cb9407

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 062bd9a18ff847c86217d89ff6956a7e84ecd4244ba3a4feb9e2c1ded2cb9407

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3730023/
Cape
Cape
https://www.capesandbox.com/analysis/44015/

Comments