MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20da63c8311c8cfeb498efd608bfa6b8182fbebf3c45e6e3fe655c432a91eae6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Apollo

Vendor detections: 15

SHA256 hash: 20da63c8311c8cfeb498efd608bfa6b8182fbebf3c45e6e3fe655c432a91eae6
SHA3-384 hash: 5896125631d621a96d3e58caabfdf9aac217c96feb07e1f93200ef498ba4806d1dc427056df92883417866b626dc0595
SHA1 hash: e5dc572b9cdba19c7b6865a74ffa41bbb9744fdc
MD5 hash: c2723b6fd8c7db2cc6a975d909294096
humanhash: autumn-romeo-florida-diet
File name: a.exe
Signature: Apollo
File size: 2'104'832 bytes
First seen: 2025-08-22 18:07:45 UTC
Last seen: 2025-08-22 19:41:26 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'752 x AgentTesla, 19'657 x Formbook, 12'248 x SnakeKeylogger)
ssdeep: 49152:OkqXfd+/9AqbXHeWD/2D+y9WH3UZ9ydvAPMdGKlshwJsaf5HIEDZ:OkqXf0FfbXHRXy5XAvAPMdGsshwJHpIK
TLSH: T12AA53318571E028ADE7B067A387533422F79DA2949ADE3DE074CBD5D039EF420386B9D
TrID:
  67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
  6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
Reporter: Anonymous
Tags: Apollo, exe

Intelligence

File Origin
Number of uploads: 3
Number of downloads: 61
Origin country: GB
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: a.exe
Verdict: Malicious activity
Analysis date: 2025-08-22 18:10:29 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 90.9%
Tags: packed micro virus

Result
Verdict: Malware
Maliciousness:
Behaviour:
  Creating synchronization primitives
  DNS request
  Connection attempt
  Sending a custom TCP request
  Sending an HTTP GET request

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: base64 obfuscated packed reconnaissance

Verdict: Malicious
File Type: exe x32
First seen: 2025-08-22T16:09:00Z UTC
Last seen: 2025-08-22T16:09:00Z UTC
Hits: ~100

Verdict: inconclusive
YARA: 10 match(es)
Tags: .Net Executable Fody/Costura Packer Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.00 SOS: 0.15 SOS: 0.17 SOS: 0.18 SOS: 0.19 SOS: 0.20 SOS: 0.22 SOS: 0.23 SOS: 0.25 SOS: 0.26 SOS: 0.27 SOS: 0.28 SOS: 0.30 SOS: 0.32 SOS: 0.33 SOS: 0.35 SOS: 0.54 Win 32 Exe x86

Threat name: Win32.Trojan.ApolloMarte
Status: Malicious
First seen: 2025-08-22 18:05:11 UTC
File Type: PE (.Net Exe)
Extracted files: 2
AV detection: 24 of 38 (63.16%)
Threat level: 5/5

Verdict: malicious
Label(s):
Similar samples:

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken

Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
Detections: SUSP_NET_Large_Static_Array_In_Small_File_Jan24, SUSP_NET_Shellcode_Loader_Indicators_Jan24
Detections: INDICATOR_EXE_Packed_Fody
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: INDICATOR_EXE_Packed_Fody
Author: ditekSHen
Description: Detects executables manipulated with Fody

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: RANSOMWARE
Author: ToroGuitar

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May Contain (Obfuscated or no) Powershell or CMD Command that can be abused by threat actor (can create FP)

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  Apollo: Executable exe 20da63c8311c8cfeb498efd608bfa6b8182fbebf3c45e6e3fe655c432a91eae6 (this sample)

Delivery method: Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                          Title                                             Severity
CHECK_AUTHENTICODE          Missing Authenticode                              high
CHECK_DLL_CHARACTERISTICS   Missing dll Security Characteristics (GUARD_CF)   high