MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0bdca06f58b0d24224256f5f7433bcf2ce87d3e08f87e9936290ad2532461406. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0bdca06f58b0d24224256f5f7433bcf2ce87d3e08f87e9936290ad2532461406
SHA3-384 hash: 4fd0ab65c4241cbca2b0c5e2fd40f96381646cf2d8187526d9085fdd9d40a2ab392b035810e38d460402c48cbf89d824
SHA1 hash: c30b8fe04a5f05f4409ac22c44d8798027303fe2
MD5 hash: 2755787506957ffca80b83cf0780b0a3
humanhash: hydrogen-east-arizona-burger
File name:0bdca06f58b0d24224256f5f7433bcf2ce87d3e08f87e9936290ad2532461406.bat
Download: download sample
File size:6'265'315 bytes
First seen:2025-04-16 03:59:24 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 49152:qg7/DhmalgJ+kcBFUAd+KqcJhNRU9m56IJyLgbVRVhA8UjeHyQH6am:y
TLSH T118562350E5282C89007D0114789FBA5C3B5EA6C704FAECDA55B128464BFFFEECA18E5D
Magika batch
Reporter JAMESWT_WT
Tags:191-96-166-73 bat

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
quasar
Create hunting rule
ID:
1
File name:
0bdca06f58b0d24224256f5f7433bcf2ce87d3e08f87e9936290ad2532461406.bat
Verdict:
Malicious activity
Analysis date:
2025-04-16 04:09:34 UTC
Tags:
omani rat evasion quasar remote stealer
Link:
https://app.any.run/tasks/3109b1c0-339a-4be8-a035-1abe4f26ebe1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/2401/
Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67ff3a74f3fd91e7d60b6e06
Tags:
obfuscate shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Creating a file
Searching for synchronization primitives
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Gathering data
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/0bdca06f58b0d24224256f5f7433bcf2ce87d3e08f87e9936290ad2532461406
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1666021
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Found large BAT file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Writes to foreign memory regions
Yara detected Powershell decrypt and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1666021 Sample: Q2yGEkDvuP.bat Startdate: 16/04/2025 Architecture: WINDOWS Score: 100 46 pki-goog.l.google.com 2->46 48 ipwho.is 2->48 50 c.pki.goog 2->50 64 Suricata IDS alerts for network traffic 2->64 66 Malicious sample detected (through community Yara rule) 2->66 68 Yara detected Powershell decrypt and execute 2->68 70 5 other signatures 2->70 11 cmd.exe 1 2->11         started        signatures3 process4 signatures5 84 Suspicious powershell command line found 11->84 14 powershell.exe 12 11->14         started        17 conhost.exe 11->17         started        process6 signatures7 86 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 14->86 19 cmd.exe 1 14->19         started        process8 signatures9 72 Suspicious powershell command line found 19->72 22 powershell.exe 30 30 19->22         started        26 powershell.exe 15 19->26         started        28 more.com 1 19->28         started        30 2 other processes 19->30 process10 dnsIp11 52 191.96.166.73, 49692, 60131 TIER-NETUS Chile 22->52 54 ipwho.is 15.204.213.5, 443, 49694 HP-INTERNET-ASUS United States 22->54 76 Deletes itself after installation 22->76 78 Writes to foreign memory regions 22->78 80 Modifies the context of a thread in another process (thread injection) 22->80 82 4 other signatures 22->82 32 winlogon.exe 22->32 injected 35 findstr.exe 1 26->35         started        signatures12 process13 signatures14 56 Injects code into the Windows Explorer (explorer.exe) 32->56 58 Writes to foreign memory regions 32->58 60 Allocates memory in foreign processes 32->60 62 2 other signatures 32->62 37 lsass.exe 32->37 injected 40 svchost.exe 32->40 injected 42 dwm.exe 32->42 injected 44 26 other processes 32->44 process15 signatures16 74 Writes to foreign memory regions 37->74
Score:
96%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/0bdca06f58b0d24224256f5f7433bcf2ce87d3e08f87e9936290ad2532461406
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0bdca06f58b0d24224256f5f7433bcf2ce87d3e08f87e9936290ad2532461406/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bpoka32ywdjeejbfn5pxim546lhipu7ar6d6te3cscwskmsgcqda._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Link:
https://tria.ge/reports/250416-ekq31ayybt/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/2401/

Comments