MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a6e3d5088eaf0d39b7497d0497898085a8cc71530b9e6791d8c73f70c9ec020. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 12

Intelligence 12 IOCs YARA 5 File information Comments

SHA256 hash:	0a6e3d5088eaf0d39b7497d0497898085a8cc71530b9e6791d8c73f70c9ec020
SHA3-384 hash:	19c4e76e885d32f64090916fd304aff07866f5ca900ab0fbc195d26bb7b5c0a4e741cb8a1c6eff81293e8c3577c77f73
SHA1 hash:	ace562c2a122ca824c576f8244c015ed4b3ea212
MD5 hash:	64b03de95959f094f93616e73732e8b2
humanhash:	fix-arkansas-batman-island
File name:	PO P72350.exe
Download:	download sample
File size:	894'464 bytes
First seen:	2025-05-20 05:58:45 UTC
Last seen:	2025-06-06 13:33:34 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep	12288:ftb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNuPPpHSga6TjgE8v6A:ftb20pkaCqT5TBWgNQ7aK8E8v6A
Threatray	2'222 similar samples on MalwareBazaar
TLSH	T11615AE1373DD8361C3B25273BA25B701AEBF782506A5F96B2FD4093DE820162525EB73
TrID	40.3% (.EXE) Win64 Executable (generic) (10522/11/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4504/4/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
dhash icon	aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter	lowmal3
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

455

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PO P72350.exe

Verdict:

No threats detected

Analysis date:

2025-05-20 06:04:53 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a79900f6-2943-4ae9-ac68-009ebc591696

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Sanesecurity.Rogue.0hr.20250520-0334.UNOFFICIAL

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=682c1a34c28c67d666423150

Tags:

autoit emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

adaptive-context autoit compiled-script fingerprint keylogger microsoft_visual_cc

Link:

https://www.filescan.io/uploads/682c1a330de036ed65ac6f6b/reports/4920efb4-356b-438a-9055-2dda55cd98b1/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/0a6e3d5088eaf0d39b7497d0497898085a8cc71530b9e6791d8c73f70c9ec020

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/5e101efb-fcf1-4b40-bf47-edc42452983e

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/1694492

Signature

Antivirus detection for URL or domain

Binary is likely a compiled AutoIt script file

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Score:

98%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/0a6e3d5088eaf0d39b7497d0497898085a8cc71530b9e6791d8c73f70c9ec020

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0a6e3d5088eaf0d39b7497d0497898085a8cc71530b9e6791d8c73f70c9ec020/

Threat name:

Win32.Trojan.AutoitInject

Status:

Malicious

First seen:

2025-05-20 05:59:18 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bjxd2uei5lynhg3us7ies6eybbnizryvgc46m6i5rrz7ode6yaqa._file

Verdict:

malicious

Label(s):

autoit

unc_loader_036

2e095bc4a328ca7e89e3849ab348da40570b3b25e3decbf58bdcbd8e40a40d05

4b418e5eb7834e7fee32b5acf0b26100b038524c09f1608c8f6e3db582b95e50

5d2614ebe7680070e612547a85691905a88def5e660d1a2ec3a3defc8299c1ec

6584f13ecd514b59ef380f0fa106ef5f6ef53e2bb39e0da02947e83de62f6444

8ddcd9773b5c9cec6e3d0e4d996038faa74cbe9a971665cf596d8786de25ac01

b8af0c741224f1b88f0ce141c967d0212ed41686a32ac3cc461c7f624735c646

d2149ccd022111a63cc36ce70215f8dbf9afacce168c954bfeff9cc98a4592d9

d4fadd4ee8d3864f9a07149decba872260789b39654db894c95ea23e16ede112

error

f6e1f83bb4add24396f8144afb4b36ebc1b6896b67355ec7f2e3a3c82181b182

+ 2'212 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

discovery

Link:

https://tria.ge/reports/250520-gpvcbscm2w/

Behaviour

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Program crash

System Location Discovery: System Language Discovery

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/c73e4d4c-6a41-4c9e-ac52-ba8cbbb3bb22

Unpacked files

SH256 hash:

0a6e3d5088eaf0d39b7497d0497898085a8cc71530b9e6791d8c73f70c9ec020

MD5 hash:

64b03de95959f094f93616e73732e8b2

SHA1 hash:

ace562c2a122ca824c576f8244c015ed4b3ea212

Link:

https://www.unpac.me/results/4985d945-4d1b-4f2c-836a-d2214708402c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0a6e3d5088eaf0d39b7497d0497898085a8cc71530b9e6791d8c73f70c9ec020

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	win_rat_generic Create hunting rule
Author:	Reedus0
Description:	Rule for detecting generic RAT malware

Rule name:	YahLover Create hunting rule
Author:	Kevin Falcoz
Description:	YahLover

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

exe 0a6e3d5088eaf0d39b7497d0497898085a8cc71530b9e6791d8c73f70c9ec020

(this sample)

Delivery method

Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::AllocateAndInitializeSid ADVAPI32.dll::CopySid ADVAPI32.dll::FreeSid ADVAPI32.dll::GetLengthSid ADVAPI32.dll::GetTokenInformation ADVAPI32.dll::GetAce
COM_BASE_API	Can Download & Execute components	ole32.dll::CLSIDFromProgID ole32.dll::CoCreateInstance ole32.dll::CoCreateInstanceEx ole32.dll::CoInitializeSecurity ole32.dll::CreateStreamOnHGlobal
MULTIMEDIA_API	Can Play Multimedia	WINMM.dll::mciSendStringW WINMM.dll::timeGetTime WINMM.dll::waveOutSetVolume
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::AddAce ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::CheckTokenMembership ADVAPI32.dll::DuplicateTokenEx ADVAPI32.dll::GetAclInformation ADVAPI32.dll::GetSecurityDescriptorDacl
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteExW SHELL32.dll::ShellExecuteW SHELL32.dll::SHFileOperationW
WIN32_PROCESS_API	Can Create Process and Threads	ADVAPI32.dll::CreateProcessAsUserW KERNEL32.dll::CreateProcessW ADVAPI32.dll::CreateProcessWithLogonW KERNEL32.dll::OpenProcess ADVAPI32.dll::OpenProcessToken ADVAPI32.dll::OpenThreadToken
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::SetSystemPowerState KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::LoadLibraryW KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateHardLinkW IPHLPAPI.DLL::IcmpCreateFile KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW
WIN_BASE_USER_API	Retrieves Account Information	KERNEL32.dll::GetComputerNameW ADVAPI32.dll::GetUserNameW ADVAPI32.dll::LogonUserW ADVAPI32.dll::LookupPrivilegeValueW
WIN_NETWORK_API	Supports Windows Networking	MPR.dll::WNetAddConnection2W MPR.dll::WNetUseConnectionW
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegConnectRegistryW ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegSetValueExW
WIN_USER_API	Performs GUI Actions	USER32.dll::BlockInput USER32.dll::CloseDesktop USER32.dll::CreateMenu USER32.dll::EmptyClipboard USER32.dll::FindWindowExW USER32.dll::FindWindowW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample