MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0bf401c83c97cc5551e787ecd18295f9416152ce91de9a9031176c7fb738f983. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Adware.Techsnab

Vendor detections: 11



SHA256 hash: 0bf401c83c97cc5551e787ecd18295f9416152ce91de9a9031176c7fb738f983
SHA3-384 hash: 8957517f4b54c5984ad4cc70b79bc667c4d33531a43755f284c1ead1d7e01fdf638538a3a2132ed1f2b2ed7c35d2e115
SHA1 hash: 0d799421725f9fc9d1ec8c324051fa42131b0bb6
MD5 hash: 7074ac1f44a3793ff92b482ebeed6a18
humanhash: alpha-twelve-wolfram-saturn
File name: file
Signature: Adware.Techsnab
File size: 7'060'134 bytes
First seen: 2026-01-21 07:20:29 UTC
Last seen: 2026-01-21 09:52:24 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5939410b96773d14b36f2ddd9c7141f3 (2 x Adware.Techsnab, 1 x LunaStealer)
ssdeep: 196608:Gss/Z6qScGDnZXRV6q7mFMxGKE1eI7uSVinsG+P:Gl09EFK7aeI7wn6
TLSH: T16666337175D9806AC877AD36A468EF3FCA26E8215711C1DFA3889037C6503D0E1BBA77
TrID:
  56.8% (.EXE) InstallShield setup (43053/19/16)
  13.8% (.EXE) Win64 Executable (generic) (10522/11/4)
  8.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  6.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  5.9% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
Reporter: Bitsight
Tags: Adware.Techsnab dropped-by-amadey exe fbf543


Reporter comment (Bitsight):
url: http://130.12.180.43/files/7717526653/hqAJhdS.exe

Intelligence


File Origin
# of uploads: 3
# of downloads: 117
Origin country: US
Vendor Threat Intelligence

Malware configuration found for: PyInstaller
Details: PyInstaller (a compiled assembly and a Python version)
Malware family: n/a
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2026-01-21 07:22:02 UTC
Tags: pyinstaller python

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 81.4%
Tags: installer injection phishing extens

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: crypt expand expired-cert hupigon installer-heuristic lolbin microsoft_visual_cc overlay packed packed pyinstaller pyinstaller short-lived-cert unsafe

Verdict: Malicious
File Type: exe x32
First seen: 2026-01-21T04:17:00Z UTC
Last seen: 2026-01-21T12:58:00Z UTC
Hits: ~10
Detections: UDS:DangerousObject.Multi.Generic

Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86

Threat name: Win32.Malware.Heuristic
Status: Malicious
First seen: 2026-01-21 07:21:54 UTC
File Type: PE (Exe)
Extracted files: 327
AV detection: 11 of 24 (45.83%)
Threat level: 2/5

Result
Malware family: n/a
Score: 7/10
Tags: defense_evasion discovery execution pyinstaller
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Views/modifies file attributes
  Command and Scripting Interpreter: PowerShell
  Enumerates physical storage devices
  System Location Discovery: System Language Discovery
  Enumerates processes with tasklist
  Executes dropped EXE
  Loads dropped DLL
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Detect_PyInstaller
Author: Obscurity Labs LLC
Description: Detects PyInstaller compiled executables across platforms

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: PyInstaller
Author: @bartblaze
Description: Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Adware.Techsnab
Executable exe 0bf401c83c97cc5551e787ecd18295f9416152ce91de9a9031176c7fb738f983 (this sample)

Dropped by: Amadey
Delivery method: Distributed via web download
