MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ApolloShadow


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20
SHA3-384 hash: b0b1e3909228b4029e04c7bcd090ba88d23e6fec2121e0116bee3d57b808da8d04fbe5eec60aa591d9b52a9824feeeff
SHA1 hash: 60f2c0932b114e99eb81e1ace478b5f5d0fa4d27
MD5 hash: 1bc5621a4818f2124ac085da21f607ca
humanhash: twenty-mars-butter-jupiter
File name:1bc5621a4818f2124ac085da21f607ca.exe
Download: download sample
Signature ApolloShadow
Create hunting rule
File size:237'568 bytes
First seen:2025-08-01 05:59:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8b85b6f1045e6f05aad33e1fed74b176 (1 x ApolloShadow)
ssdeep 3072:7UAhJPJwCZQw5eA8H/Y+rjTMRGX/C32kjWb/nE3LcgZQz35S0pzoY46CQ1gqLMGx:IA5RRqUjWrnEPQzbohq1LM8
Threatray 1 similar samples on MalwareBazaar
TLSH T1D5344A0973D50CF9E837813988525A46EA72B8150771DFAF13A0426ADF776E0ED3AF21
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
dhash icon 1c8ccce47474e4cc (1 x ApolloShadow)
Reporter smica83
Tags:ApolloShadow exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
48
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1bc5621a4818f2124ac085da21f607ca.exe
Verdict:
No threats detected
Analysis date:
2025-08-01 06:00:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1a424158-faa5-4e98-aed4-05fea60f300f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/18212/
Verdict:
Malicious
Score:
94.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=688c57be0b4775fb21346e72
Tags:
virus spawn sage
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Launching a process
Creating a file in the Program Files subdirectories
Sending an HTTP GET request
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
certutil fingerprint lolbin microsoft_visual_cc obfuscated
Link:
https://www.filescan.io/uploads/688c57bc32e610908689ca05/reports/8829cac2-3044-47e5-b021-52a3fc6cb077/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20
Malware family:
Unlabeled
Create hunting rule
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/275b4b37-60ae-47df-9a2b-55c81024287a
Result
Threat name:
n/a
Detection:
malicious
Classification:
bank
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1748203
Signature
Antivirus / Scanner detection for submitted sample
Hides user accounts
Multi AV Scanner detection for submitted file
Registers a new ROOT certificate
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1748203 Sample: 62HRngNnec.exe Startdate: 01/08/2025 Architecture: WINDOWS Score: 64 21 Antivirus / Scanner detection for submitted sample 2->21 23 Multi AV Scanner detection for submitted file 2->23 7 62HRngNnec.exe 2 15 2->7         started        process3 file4 19 C:\Users\user\AppData\Local\...\crt16D4.tmp, PEM 7->19 dropped 25 Hides user accounts 7->25 27 Registers a new ROOT certificate 7->27 11 certutil.exe 5 1 7->11         started        13 certutil.exe 1 1 7->13         started        signatures5 process6 process7 15 conhost.exe 11->15         started        17 conhost.exe 13->17         started       
Score:
72%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) Win 64 Exe x64
Link:
https://app.malva.re/file/1bc5621a4818f2124ac085da21f607ca
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20/
Verdict:
Malicious
Threat:
Trojan.Win64.ApolloShadow
Link:
https://tip.neiki.dev/file/13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20
Threat name:
Win64.Trojan.ApolloShadow
Create hunting rule
Status:
Malicious
First seen:
2025-07-31 03:48:31 UTC
File Type:
PE+ (Exe)
Extracted files:
2
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cp5pwgxc2xpaetti6lrpzaqly6ppa2imidn724benpgdstcs5iqa._file
Verdict:
malicious
Label(s):
apolloshadow
Create hunting rule
Similar samples:
13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20
ApolloShadow
error
ApolloShadow
Result
Malware family:
n/a
Score:
  6/10
Tags:
defense_evasion persistence
Link:
https://tria.ge/reports/250801-gpxsfsdj3y/
Behaviour
Suspicious use of WriteProcessMemory
System policy modification
Drops file in Program Files directory
Hide Artifacts: Hidden Users
Modifies WinLogon
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/dafc8c88-bbfc-44c1-8828-83b19c64447f
Unpacked files
SH256 hash:
13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20
MD5 hash:
1bc5621a4818f2124ac085da21f607ca
SHA1 hash:
60f2c0932b114e99eb81e1ace478b5f5d0fa4d27
Link:
https://www.unpac.me/results/9fa44022-00b8-4990-928a-43d6eaacdd58/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://www.microsoft.com/en-us/security/blog/2025/07/31/frozen-in-transit-secret-blizzards-aitm-campaign-against-diplomats/
Cape
Cape
https://www.capesandbox.com/analysis/18212/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::CreateWellKnownSid
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
WININET.dll::InternetCloseHandle
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::GetFileAttributesW
KERNEL32.dll::GetTempFileNameW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupAccountSidW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegOpenKeyW
ADVAPI32.dll::RegSetKeyValueW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExW

Comments


Avatar
commented on 2025-08-01 07:07:34 UTC

thanks for the sample