MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13ce5c118a3fbf487bafcabed33baf036c4d52cf9d86aa96ee5b3fd12b466d6d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 14

Intelligence 14 IOCs YARA 7 File information Comments

SHA256 hash:	13ce5c118a3fbf487bafcabed33baf036c4d52cf9d86aa96ee5b3fd12b466d6d
SHA3-384 hash:	22b6a408ce3177c5421271f5a3be71f30996e5d8c69b4f14a6656c3735595e6049155370e953b2d060266a83a582df79
SHA1 hash:	8e205668879d806d5211abdcbeb1370f520af2ab
MD5 hash:	c647a40456f98f1912b75cb0e2e7fd28
humanhash:	spring-two-nine-early
File name:	file
Download:	download sample
File size:	369'664 bytes
First seen:	2025-12-30 15:23:17 UTC
Last seen:	2025-12-31 13:07:45 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	c546646952cb160243a67da7651da44c
ssdeep	6144:1ni0XVm8I9UHdLjlHyAACrXdCdEVvnRS3OngbCpiHCHa7xZ:1ni0vI9UHFPzrXdCdE/SengbCp8k
TLSH	T146746C46BBA518F9E577863CC9534A06D7B2BC660760DBDF03A046960F277E08E3DB21
TrID	48.7% (.EXE) Win64 Executable (generic) (10522/11/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	Bitsight
Tags:	ciopbu crypted dropped-by-Stealc exe vvc

Bitsight

url: http://62.60.226.159/3.exe

Intelligence

File Origin

# of uploads :

# of downloads :

110

Origin country :

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/94d648bd-e5eb-463a-a113-b4adf809d5ad/

Malware family:

n/a

ID:

File name:

_a2218af43cad32ab30859e208456a61dfdbd1c0943a6146d97ce540dc44e214e.exe

Verdict:

Malicious activity

Analysis date:

2025-12-30 14:14:01 UTC

Tags:

stealer stealc loader arch-doc auto-sch auto-reg crypto-regex auto generic svcstealer

Link:

https://app.any.run/tasks/c090ebe1-7d5c-4bbb-95dd-4c9399612b2c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/46587/

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6953ee9e7468b4bd1c8ee892

Tags:

autorun emotet

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug anti-vm exploit explorer lolbin microsoft_visual_cc schtasks

Link:

https://www.filescan.io/uploads/6953ee9d2fb7bb52ca8240f6/reports/e9ae0530-1ba7-4a1c-ba1e-f8c81574d2dd/overview

Verdict:

Malicious

Labled as:

Trojan.Loader.Marte.6.Generic

Link:

https://www.hybrid-analysis.com/sample/13ce5c118a3fbf487bafcabed33baf036c4d52cf9d86aa96ee5b3fd12b466d6d

Result

Gathering data

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-12-30T11:32:00Z UTC

Last seen:

2025-12-30T12:10:00Z UTC

Hits:

~10

Detections:

Trojan-Dropper.Win32.Injector.sb Trojan-Banker.Win32.ClipBanker.sb Trojan-Banker.Win32.ClipBanker.agqu PDM:Trojan.Win32.Generic Backdoor.Win32.Androm Trojan.Win32.Agent.sb

Link:

https://opentip.kaspersky.com/13ce5c118a3fbf487bafcabed33baf036c4d52cf9d86aa96ee5b3fd12b466d6d/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/e31e261a-460f-4196-955a-b8de5b7be923

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/13ce5c118a3fbf487bafcabed33baf036c4d52cf9d86aa96ee5b3fd12b466d6d

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/c647a40456f98f1912b75cb0e2e7fd28

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/13ce5c118a3fbf487bafcabed33baf036c4d52cf9d86aa96ee5b3fd12b466d6d/

Verdict:

Malicious

Threat:

Trojan-Banker.Win32.ClipBanker

Link:

https://tip.neiki.dev/file/13ce5c118a3fbf487bafcabed33baf036c4d52cf9d86aa96ee5b3fd12b466d6d

Threat name:

Win64.Infostealer.ClipBanker

Status:

Malicious

First seen:

2025-12-30 15:24:15 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

15 of 36 (41.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cphfyemkh67uq65pzk7ngo5panwe2uwptwdkvfxolm75ck2gnvwq._file

Gathering data

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/d5c9a688-5a08-4ac4-88b4-836f6060a74c

Unpacked files

SH256 hash:

13ce5c118a3fbf487bafcabed33baf036c4d52cf9d86aa96ee5b3fd12b466d6d

MD5 hash:

c647a40456f98f1912b75cb0e2e7fd28

SHA1 hash:

8e205668879d806d5211abdcbeb1370f520af2ab

Detections:

win_sdbbot_auto

Link:

https://www.unpac.me/results/59421b41-124e-4c7e-b29c-1a5747e7ded7/

SH256 hash:

f4bb5c357a626d4ceb939ab31b2768bcdc2b56f73ad90ce1202cb1ac699d5847

MD5 hash:

12bf7b851ac14dbf9f693f280058ded6

SHA1 hash:

5ba33045ab201e90086b30da870d31a482c6f2e7

Detections:

ReflectiveLoader

INDICATOR_SUSPICIOUS_ReflectiveLoader

Link:

https://www.unpac.me/results/59421b41-124e-4c7e-b29c-1a5747e7ded7/

Parent samples :

13ce5c118a3fbf487bafcabed33baf036c4d52cf9d86aa96ee5b3fd12b466d6d
423b1dbb76e3a758ea0af0729c743f37379be98e05e5cc5e79b9fa97b6c84e38

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/13ce5c118a3fbf487bafcabed33baf036c4d52cf9d86aa96ee5b3fd12b466d6d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_SUSPICIOUS_ReflectiveLoader Create hunting rule
Author:	ditekSHen
Description:	Detects Reflective DLL injection artifacts

Rule name:	ReflectiveLoader Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:	Internal Research

Rule name:	win_sdbbot_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.sdbbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 13ce5c118a3fbf487bafcabed33baf036c4d52cf9d86aa96ee5b3fd12b466d6d

(this sample)

Dropped by

Stealc

Delivery method

Distributed via web download

Dropped by

Stealc

Delivery method

Distributed via web download

Dropped by

Stealc

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/46587/

URLhaus

https://urlhaus.abuse.ch/url/3722401/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample