MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ede4e11a3c1ef2aa360a9b4ec9b6177ae0b24f3fc4257c51bf9811a49f21952. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 8



SHA256 hash: 0ede4e11a3c1ef2aa360a9b4ec9b6177ae0b24f3fc4257c51bf9811a49f21952
SHA3-384 hash: a04f30c9d68acea5bf4716f393bcc81b5ac97b31a2529e1058f12ad09ab0b3f932218e6ae12fcb3404f3625e336725c6
SHA1 hash: 91801ee16acddbba389b0f33643e91795ea1e214
MD5 hash: 7e6a10cad7d7cb6b6148e497f4fd6848
humanhash: cola-salami-hot-michigan
File name: SystemUpdate.bat
File size: 20'920 bytes
First seen: 2026-02-06 21:32:50 UTC
Last seen: Never
File type: Batch (bat)
MIME type: text/x-msdos-batch
ssdeep 384:UFdcdM97p6fI5IcGhTUvtklIwY/w6WV1398uO5YwePcKJpUBkzNaSaRkvy9ThtKp:G9J5IcUT/lIwY/w6WP398n5YwePcqUBq
TLSH T17A921ADD2F9C8EBAC79B447D50EE35C992AE63564FD8210CB1ED2FF002670AA51ED841
Magika batch
Reporter smica83
Tags: bat

Intelligence


File Origin
# of uploads :
1
# of downloads :
61
Origin country :
HU
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
SystemUpdate.bat
Verdict:
Malicious activity
Analysis date:
2026-02-06 21:35:52 UTC
Tags:
arch-exec arch-doc python

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
vmdetect dropper extens shell
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
cscript evasive lolbin
Verdict:
Clean
File Type:
unix shell
First seen:
2026-02-06T19:51:00Z UTC
Last seen:
2026-02-07T10:14:00Z UTC
Hits:
~10
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
68 / 100
Signature
Command shell drops VBS files
Maps a DLL or memory area into another process
Potentially malicious time measurement code found
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Uses attrib.exe to hide files
Behaviour
Behavior Graph:
[Behavior graph image not reproduced. Behavior Graph ID: 1865030; Sample: SystemUpdate.bat; Startdate: 06/02/2026; Architecture: WINDOWS; Score: 68]
Threat name:
Script-BAT.Trojan.Heuristic
Status:
Malicious
First seen:
2026-02-06 18:02:53 UTC
File Type:
Text (Batch)
AV detection:
4 of 24 (16.67%)
Threat level:
  2/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
defense_evasion
Behaviour
Modifies registry key
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Hide Artifacts: Hidden Files and Directories
Contacts third-party web service commonly abused for C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Batch (bat): 0ede4e11a3c1ef2aa360a9b4ec9b6177ae0b24f3fc4257c51bf9811a49f21952 (this sample)
