MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ca80c889b40252a61040f48be8528a52d7fe6aa67ed83e8fdfe34d0808cb34d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XBinder

Vendor detections: 15

Intelligence 15 IOCs YARA 5 File information Comments

SHA256 hash:	1ca80c889b40252a61040f48be8528a52d7fe6aa67ed83e8fdfe34d0808cb34d
SHA3-384 hash:	b5d0fc93776f254fde9f7eebef851a36352dd60fdaa25de0e42b238fcc20e6cad49532b2b4aaf73f078e5ca090443c63
SHA1 hash:	903b62a9a060f87b71ca42e8f3062e34ac03952f
MD5 hash:	f3ac1ae11c989d964761ac6810433e89
humanhash:	two-mountain-zulu-beryllium
File name:	1ca80c889b40252a61040f48be8528a52d7fe6aa67ed83e8fdfe34d0808cb34d
Download:	download sample
Signature	XBinder Create hunting rule
File size:	398'848 bytes
First seen:	2026-02-04 18:17:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'842 x AgentTesla, 19'774 x Formbook, 12'296 x SnakeKeylogger)
ssdeep	12288:/tiFvjfqd09rowhOLfxhl5gBNSl1jiwtTc9K:/tyridAhc5Gm1Ok
Threatray	127 similar samples on MalwareBazaar
TLSH	T1BB84238922DB8222D171EE7352F3A471733E8E5E62423D6B454677CEBAF700685C127E
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10522/11/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	Neiki
Tags:	exe xbinder

Intelligence

File Origin

# of uploads :

# of downloads :

232

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

EvilCoder

Details

EvilCoder

extracted components, their filepaths, and possibly registry installation

Link:

https://research.acce.ciphertechsolutions.com/results/eeaada78-d3aa-4e2d-8ab0-fd0e7fc39f73/

Malware family:

n/a

ID:

File name:

Xeno.exe

Verdict:

Malicious activity

Analysis date:

2026-02-04 18:17:08 UTC

Tags:

evasion

Link:

https://app.any.run/tasks/562754d1-9671-4376-b0ba-be8100d90fdd

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/51734/

Detection(s):

Win.Packed.Msilzilla-10008147-0

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69838d239a60ec70d92cd8fc

Tags:

dropper virus micro

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm fingerprint obfuscated packed reconnaissance vbnet

Link:

https://www.filescan.io/uploads/69838d6ad91d37abdd64d7e4/reports/5def4a78-e597-4cf3-9ca4-b424996f7ee1/overview

Verdict:

Malicious

Labled as:

MSIL.Cassiopeia.Generic

Link:

https://www.hybrid-analysis.com/sample/1ca80c889b40252a61040f48be8528a52d7fe6aa67ed83e8fdfe34d0808cb34d

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-02-03T18:00:00Z UTC

Last seen:

2026-02-04T18:23:00Z UTC

Hits:

~10

Detections:

Trojan.Win32.Agent.sb Trojan.MSIL.Inject.sb HEUR:Trojan.MSIL.Fsysna.gen HEUR:Backdoor.MSIL.Crysan.gen Trojan.Win32.Vimditator.sb

Link:

https://opentip.kaspersky.com/1ca80c889b40252a61040f48be8528a52d7fe6aa67ed83e8fdfe34d0808cb34d/results?tab=lookup

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9bf832ca-d208-40d9-a611-03d510ad6b23

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/1ca80c889b40252a61040f48be8528a52d7fe6aa67ed83e8fdfe34d0808cb34d

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.22 Win 32 Exe x86

Link:

https://app.malva.re/file/f3ac1ae11c989d964761ac6810433e89

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1ca80c889b40252a61040f48be8528a52d7fe6aa67ed83e8fdfe34d0808cb34d/

Verdict:

Malicious

Threat:

Family.XBINDER

Link:

https://tip.neiki.dev/file/1ca80c889b40252a61040f48be8528a52d7fe6aa67ed83e8fdfe34d0808cb34d

Threat name:

ByteCode-MSIL.Trojan.Cassiopeia

Status:

Malicious

First seen:

2026-02-04 02:51:13 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 24 (91.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dsuazce3iassuyieb5el5bjiuuwx7zvkm7wyh2h57y2nbaemwngq._file

Verdict:

malicious

Label(s):

unc_loader_063

XBinder

1ca80c889b40252a61040f48be8528a52d7fe6aa67ed83e8fdfe34d0808cb34d

XBinder

71e8601241879b7ffd5fd4a5093918cd73e72e160a1ee935ca7d9b98cef9968e

XBinder

7cc9673598993d033f68cf3c19e12078f22ce35d5fcedebe9cd5e8f4d4d6cb8d

XBinder

903387d93c8c1a877a89e1c8cb95b56ae96762f8694b0f95ee05ec6676936aa1

XBinder

error

XBinder

+ 117 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://tria.ge/reports/260204-wxq27shy6h/

Behaviour

Suspicious use of AdjustPrivilegeToken

Looks up external IP address via web service

Unpacked files

SH256 hash:

1ca80c889b40252a61040f48be8528a52d7fe6aa67ed83e8fdfe34d0808cb34d

MD5 hash:

f3ac1ae11c989d964761ac6810433e89

SHA1 hash:

903b62a9a060f87b71ca42e8f3062e34ac03952f

Link:

https://www.unpac.me/results/f08200ae-6619-4e92-85d3-cd897fba5a32/

SH256 hash:

1cea26353f1b17030f6692ed169f049903cd37d307a350e185b7ada7a68ca841

MD5 hash:

28794dae3fdf0c74ce3a649ff4cbafaf

SHA1 hash:

a140e170448d1f14d255e64e07e020a8a114aec6

Link:

https://www.unpac.me/results/f08200ae-6619-4e92-85d3-cd897fba5a32/

SH256 hash:

46c962d8a5f8020b5077e6d91e1330c100af3c25944c890b80bb1699c762846a

MD5 hash:

90059d996813339e1b03f5fdd4f83db2

SHA1 hash:

cca2c80ede2757ad9edb14fd74e93e706d1b8ee8

Link:

https://www.unpac.me/results/f08200ae-6619-4e92-85d3-cd897fba5a32/

Malware family:

Alcatraz

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1ca80c889b40/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1ca80c889b40252a61040f48be8528a52d7fe6aa67ed83e8fdfe34d0808cb34d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__RemoteAPI Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Link

https://www.threat.rip/file/1ca80c889b40252a61040f48be8528a52d7fe6aa67ed83e8fdfe34d0808cb34d

Cape

https://www.capesandbox.com/analysis/51734/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample