MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 0f2c02b866a9990dcf667998226ae2c56c7d018da0f2c654a1c1e2f12c16cb14. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Spambot.Kelihos
Vendor detections: 13
| SHA256 hash: | 0f2c02b866a9990dcf667998226ae2c56c7d018da0f2c654a1c1e2f12c16cb14 |
|---|---|
| SHA3-384 hash: | 60a3da8a44227edb9704e34bc65c2240fce545f5c8d1d34c32ed78937d068dc70f90e7bdbd9096f90bacb75005b40994 |
| SHA1 hash: | 8e585f49b3aeeda0a175b323db363f006f66eedc |
| MD5 hash: | 171b586fda5c68c3b6b66692ffef8fb1 |
| humanhash: | seven-coffee-high-music |
| File name: | Internet.Download.Manager.v6.42.33.exe |
| Download: | download sample |
| Signature | Spambot.Kelihos |
| File size: | 9'844'986 bytes |
| First seen: | 2025-04-23 10:09:07 UTC |
| Last seen: | 2025-04-25 08:59:09 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 46ce5c12b293febbeb513b196aa7f843 (14 x GuLoader, 6 x RemcosRAT, 5 x VIPKeylogger) |
| ssdeep | 196608:/Uzfe5bSzsvTTzlb9tSNEsT4IO5MT6BgHk48+cmLa1zFK:/UyBSz+Zb9tET4JO2t4ba94 |
| TLSH | T131A63340326CCD8EF8135A3456A7FC037249B26B3750DB6BA2153B4771BE98224DB77A |
| TrID | 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1) |
| Magika | pebin |
| dhash icon | e1e0e2f3e6ec3823 (4 x XWorm, 2 x njrat, 2 x Spambot.Kelihos) |
| Reporter |  Gasr |
| Tags: | exe Spambot.Kelihos |
Intelligence
File Origin
# of uploads :
2
# of downloads :
474
Origin country :
RUVendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Internet.Download.Manager.v6.42.33.exe
Verdict:
Malicious activity
Analysis date:
2025-04-23 09:41:46 UTC
Tags:
pastebin idm tool loader auto generic auto-reg stealer arch-scr arch-html
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Detection(s):
Verdict:
Malicious
Score:
99.9%
Tags:
shell virus remo
Result
Verdict:
Clean
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating a window
Searching for the window
Creating a file
Delayed reading of the file
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
adaptive-context installer microsoft_visual_cc overlay overlay packed packer_detected redcap
Verdict:
Malicious
Labled as:
GrayWare[AdWare]/NSIS.AdPack
Malware family:
WinEdt Team
Verdict:
Unknown
Result
Threat name:
n/a
Detection:
malicious
Classification:
bank.troj.adwa.evad
Score:
81 / 100
Signature
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Found suspicious ZIP file
Installs a browser helper object (BHO)
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
NDIS Filter Driver detected (likely used to intercept and sniff network traffic)
PE file has a writeable .text section
Possible COM Object hijacking
Sample is not signed and drops a device driver
Behaviour
Behavior Graph:
Score:
67%
Verdict:
Susipicious
File Type:
PE
Threat name:
Win32.Trojan.Generic
Status:
Suspicious
First seen:
2025-04-23 09:41:48 UTC
File Type:
PE (Exe)
Extracted files:
1710
AV detection:
15 of 24 (62.50%)
Threat level:
5/5
Detection(s):
Suspicious file
Result
Malware family:
n/a
Score:
8/10
Tags:
adware discovery execution persistence phishing privilege_escalation spyware stealer
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Installs/modifies Browser Helper Object
Legitimate hosting services abused for malware hosting/C2
A potential corporate email address has been identified in the URL: mozillacc3@internetdownloadmanager.com
Checks computer location settings
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Drops file in Drivers directory
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Unpacked files
SH256 hash:
0f2c02b866a9990dcf667998226ae2c56c7d018da0f2c654a1c1e2f12c16cb14
MD5 hash:
171b586fda5c68c3b6b66692ffef8fb1
SHA1 hash:
8e585f49b3aeeda0a175b323db363f006f66eedc
SH256 hash:
986db3fc7426d1475b2048be9554fc6f4e4114050b3a43e1e980b5daeb6ec005
MD5 hash:
d9407a70b1727c420820cffbdc6e6082
SHA1 hash:
ba8ce5aef380edc29780ca2226193df26e6bfac4
SH256 hash:
917ff576998f4ec99f58f8a1df14b219adadd227d51ca0ff9e38e50b767c09d9
MD5 hash:
3e1364d5849de78d65c37fe3ccf411ca
SHA1 hash:
5e48e4a9248690d6e1764a84ce3cf546d815c8ab
SH256 hash:
caffd6fedeb8c5720725171f2f72b977dd22e98db1ceb053ba14c130323e4465
MD5 hash:
41066cce37e0d22bc96e6393dd492d80
SHA1 hash:
abd0ef829a5fe3a0d7059567a3e58b7e73c1f67c
SH256 hash:
b91ee87ec45b648453b4001d51512da936acbbcd6b9e09cb4edd02697094fb3a
MD5 hash:
e25e6dfdd1bae389d76d97aac3b6e961
SHA1 hash:
0e12224c405934e27e657858af7ca8a375a424e3
SH256 hash:
b76e5d4d0eb93f7e9f4b8c4a068c88b06150fc065cf150b962681b1825dced7c
MD5 hash:
9646fce84dc3be67def77da427e69a4d
SHA1 hash:
1182a2171be326cf99948c5088422d802d80a1dc
SH256 hash:
b1350f487692057c8ffde75dcc55287a52a3272240d4d4912f24464b27551fc0
MD5 hash:
8f0e7415f33843431df308bb8e06af81
SHA1 hash:
1314272e6ad3be1985d4a1607b890a34b0bde8b5
SH256 hash:
ec40e745386fbe4775c9785dafe9033a5e2eda8504aa08aa8c195ba0020eb314
MD5 hash:
24398e5878ed29401af934624fc58f2c
SHA1 hash:
2aeea97f61833b2ab86cbdef30267f9d55749e9a
SH256 hash:
0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d
MD5 hash:
2b7007ed0262ca02ef69d8990815cbeb
SHA1 hash:
2eabe4f755213666dbbbde024a5235ddde02b47f
SH256 hash:
92769e02b7fd474a1df145ab0b46de98de4bd0c1af4a9f0dcd8d7d672f16310d
MD5 hash:
38e848b6d64289f3b20ef2b705eb2578
SHA1 hash:
3025f9de240014699cb527dc68bde0672e7c84ea
SH256 hash:
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
MD5 hash:
80e44ce4895304c6a3a831310fbf8cd0
SHA1 hash:
36bd49ae21c460be5753a904b4501f1abca53508
SH256 hash:
daa7852854f20a5fc85eb14490de0845a9899eff73086a97dc6d791a59e6ef43
MD5 hash:
941bc7482a95cfbd7bd2a75d5eeda2d1
SHA1 hash:
3a325ba441f035aae7329389a9ee938e4f16efc5
Detections:
win_oski_g0
INDICATOR_SUSPICIOUS_Binary_References_Browsers
INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
SH256 hash:
1fb43ab748bb3925ac70b45039d4d623a2862b91a0c75a4ec828378bf4d9c464
MD5 hash:
3000ad01f7b0da36ce26f909e69a115a
SHA1 hash:
515756aa2bdf29cbf118d12178ee080d9a05d876
SH256 hash:
0afe45ece6603ad7fa6d6524131de8a0b186d7a021cd55105985ee634b8fde87
MD5 hash:
4d363bd753249694d7f517f233232894
SHA1 hash:
5d390b0b7cbd2ec4bf063bd4581eb4c7e8cab947
SH256 hash:
4cf25411f28f639f72156c24b0f66ea42f5aee5973f6c137d901da6ae42d5b7e
MD5 hash:
4b8a750993567ac9a350ba9768fabfa0
SHA1 hash:
7ee7a8c313b292d62561b085c9d490c0f8065624
SH256 hash:
fdc69180a674aa386442c581c4ffe9b2e1f268d9829384e083bf08e8b1b2b987
MD5 hash:
77bdf74fe579db6702e234cd4eef59a9
SHA1 hash:
853fe64d3e409b2106f99ebc8a30fd76af0552ea
SH256 hash:
8fcca62c1d53a0c331768cf309bf7bf9df2ffc356fa254c85bd77a3582240578
MD5 hash:
0e3c060bbf1e4bf1dabd2bc15ce1f05b
SHA1 hash:
8d5900aff0feb85cd9d9ad620a2fcfa0c9e28d0e
SH256 hash:
86b6cb434a0491ea16bf480e6ad16c935d0668535da17aa7df0dc4392e10d74e
MD5 hash:
6d57b2cc33721890cd11cc604805362e
SHA1 hash:
900c5fb5b7cd1194a25a80468076324dc6c03ac8
SH256 hash:
a052db86c0bd9d001a5de6e07a89dfce83275361161036456fbf220bbaa490cf
MD5 hash:
bbafc2c08002f71ccad3f5e587994ef2
SHA1 hash:
90b3150c599d0bc33d84677fc9901095be1ff0dc
SH256 hash:
e51906dccf4ffe52ebcc4c12de748bdc968b475e6447d9e40a75d50067c2f9b3
MD5 hash:
a8ba80f2dcea6e3aff7d78ad60d1bdd1
SHA1 hash:
924d44707d2fd1a5b2a8147f6187244c2343e15c
SH256 hash:
8b4c47c4cf5e76ec57dd5a050d5acd832a0d532ee875d7b44f6cdaf68f90d37c
MD5 hash:
9b38a1b07a0ebc5c7e59e63346ecc2db
SHA1 hash:
97332a2ffcf12a3e3f27e7c05213b5d7faa13735
SH256 hash:
1672d02debd395abb88acde3a5194aa1e4cf6260f304887a806a481b1da6def6
MD5 hash:
daaefad1b8c9b2c6788385a9d49ff43a
SHA1 hash:
a2efb27f4ebb81a5a0680c4e2d65fbae2859c2d3
SH256 hash:
67249ec47f513a31d09ae52f767448fe47f996c605ac2eea7e3b93cbe87034f8
MD5 hash:
c34add7343e27b5218057434a5fcc612
SHA1 hash:
ac7b435473870233ab56fb64d4844f2e5d18227a
Detections:
win_samsam_auto
SH256 hash:
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11
MD5 hash:
f0438a894f3a7e01a4aae8d1b5dd0289
SHA1 hash:
b058e3fcfb7b550041da16bf10d8837024c38bf6
SH256 hash:
b121689861b506dbc9c3797b49bc8a90d555cb7db58cb959165cc758391c00bb
MD5 hash:
8fe362ffdfa66269b8a64e3a87f68e52
SHA1 hash:
b5daaa60a6b8591a670da9fc3a2d6f896d55f568
SH256 hash:
5b9b67c2a3197f7adc73cd2c18f231f1bf58b482e8da8c0231cfed94b4cba9dc
MD5 hash:
3e50fdabe9f4e30cfe510d6abcacb13a
SHA1 hash:
bae373d445defaf7f9a86c9d3726f686ba8b0b23
SH256 hash:
f23cb55591027469ca4a1f220fcea82d1fa634dd681b802d1c1fb63a1a3fdf02
MD5 hash:
024b1252cdfb738f3269b8d0caa36a38
SHA1 hash:
be668109b1674db77526d87383d7419ba78fadd3
SH256 hash:
4c9a420ae7503431821d590c71d4fd6378f6a92b2c7388a2a08cabe55af0c9f6
MD5 hash:
3dbe77d67cb6e7380e0c036074e5e4d0
SHA1 hash:
c48ca52f2b5f9dac314d56ca8605c7510be102c6
SH256 hash:
6cd3bef9727809624feed99a839db9489b5bcb6c22f65985d371558ca31b72e4
MD5 hash:
51d0b79bb9cbf765ed882999c3251888
SHA1 hash:
dfe8c78cf8aba822a5b93ae5f52c21227d4dc13e
SH256 hash:
4192ba66cbc5f20c7b80fba5b8783b3951d0df66974f1feb8111fd2444f7456f
MD5 hash:
d80093adbec6af3e50e6b3e3c53dada6
SHA1 hash:
e245840e814f0127a37e1642046ef145519e566a
SH256 hash:
83005624a3c515e8e4454a416693ba0fbf384ff5ea0e1471f520dfae790d4ab7
MD5 hash:
38f2b22967573a872426d05bdc1a1a70
SHA1 hash:
ecae471eb4e515e1006fce645a82b70c8acda451
SH256 hash:
a820a32e5ce89e3e336afc71aa1bf42a357ec542c2bc6e50c6255c1333812587
MD5 hash:
b7d0d765c151d235165823b48554e442
SHA1 hash:
fe530e6c6fd60392d4ce611b21ec9daad3f1bc84
SH256 hash:
d2ed65a6d7573ee85683c79b990d95af3a1c1334faebb45d862d46fcf8be4635
MD5 hash:
ea137eae73bec074e2e758271d4ebe54
SHA1 hash:
9d58cf8c2f6e6a92d51f9e4b6850dcf005e2a1f9
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | Sus_Obf_Enc_Spoof_Hide_PE |
|---|---|
| Author: | XiAnzheng |
| Description: | Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP) |
| Rule name: | win_rat_generic |
|---|---|
| Author: | Reedus0 |
| Description: | Rule for detecting generic RAT malware |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high |
| CHECK_TRUST_INFO | Requires Elevated Execution (level:requireAdministrator) | high |
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| COM_BASE_API | Can Download & Execute components | ole32.dll::CoCreateInstance |
| SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::AdjustTokenPrivileges |
| SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteExW SHELL32.dll::SHFileOperationW SHELL32.dll::SHGetFileInfoW |
| WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessW ADVAPI32.dll::OpenProcessToken KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread |
| WIN_BASE_API | Uses Win Base API | KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetDiskFreeSpaceW KERNEL32.dll::GetCommandLineW |
| WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW KERNEL32.dll::MoveFileW KERNEL32.dll::MoveFileExW |
| WIN_BASE_USER_API | Retrieves Account Information | ADVAPI32.dll::LookupPrivilegeValueW |
| WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegSetValueExW |
| WIN_USER_API | Performs GUI Actions | USER32.dll::AppendMenuW USER32.dll::EmptyClipboard USER32.dll::FindWindowExW USER32.dll::OpenClipboard USER32.dll::PeekMessageW USER32.dll::CreateWindowExW |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.