MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 27a5d818f690b4c0b1679381ee48ffafb8d3b4ad6247797c32698bd6992a224f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MuddyWater


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 27a5d818f690b4c0b1679381ee48ffafb8d3b4ad6247797c32698bd6992a224f
SHA3-384 hash: 729a0b4ccce5fc79a020801e7e7879ed95c09c3b80e93befc98c0d2c8eb62ea57086b33302c87889835e505db1dc29ba
SHA1 hash: f87af555b38949553782281ffc9251c093f0c089
MD5 hash: 3895302964bcb46729c61f82a798ef96
humanhash: friend-delta-gee-table
File name:dbconfig.dll
Download: download sample
Signature MuddyWater
Create hunting rule
File size:606'720 bytes
First seen:2026-03-18 12:48:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash cc17bcc7fe575a59b90e88841fe76dbc (1 x MuddyWater)
ssdeep 6144:l7RyhwDsJo2xj8niAhoDsAiv5pTGBNN9hR5wKHqj6f3rdJhnt/eGWv4r4BMqjexv:NR6JoBiUXTsN9hMjsLeJMqj4zWYh
TLSH T118D45B5239D5149AC13782F2CF93E1749713FC781DA4852BA2CD2E165F0AEA12D23EF6
TrID 37.0% (.EXE) Win64 Executable (generic) (6522/11/2)
28.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.5% (.EXE) OS/2 Executable (generic) (2029/13)
11.3% (.EXE) Generic Win/DOS Executable (2002/3)
11.3% (.EXE) DOS Executable (generic) (2000/1)
Magika pebin
Reporter smica83
Tags:46-30-188-99 exe muddywater

Intelligence

File Origin
# of uploads :
1
# of downloads :
154
Origin country :
HU HU
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
dbconfig.dll
Verdict:
Malicious activity
Analysis date:
2026-03-18 12:50:15 UTC
Tags:
auto-reg
Link:
https://app.any.run/tasks/0fba3d6f-ead0-4838-8069-ec4ff8b2fbe8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/57982/
Verdict:
Clean
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69ba9f1693b644ca466b4c85
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Connection attempt
Sending an HTTP POST request
Sending an HTTP GET request
DNS request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Gathering data
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/27a5d818f690b4c0b1679381ee48ffafb8d3b4ad6247797c32698bd6992a224f
Verdict:
Malicious
File Type:
dll x64
Detections:
Trojan.Win32.Agent.xcdbho Trojan.Win32.Agent.sb
Link:
https://opentip.kaspersky.com/27a5d818f690b4c0b1679381ee48ffafb8d3b4ad6247797c32698bd6992a224f/results?tab=lookup
Malware family:
MuddyWater
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0c0363ee-70d1-4f52-a5a6-920ab23d4d94
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1885646
Signature
Sigma detected: Potential Persistence Via COM Hijacking From Suspicious Locations
Unusual module load detection (module proxying)
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1885646 Sample: dbconfig.dll.exe Startdate: 18/03/2026 Architecture: WINDOWS Score: 52 42 Uses known network protocols on non-standard ports 2->42 44 Sigma detected: Potential Persistence Via COM Hijacking From Suspicious Locations 2->44 7 loaddll64.exe 1 2->7         started        9 svcmon.exe 14 2->9         started        12 svcmon.exe 13 2->12         started        process3 signatures4 14 regsvr32.exe 2 2 7->14         started        17 cmd.exe 1 7->17         started        19 rundll32.exe 7->19         started        25 3 other processes 7->25 46 Unusual module load detection (module proxying) 9->46 21 conhost.exe 9->21         started        23 conhost.exe 12->23         started        process5 file6 38 C:\Users\user\AppData\Local\...\wuaupdt.exe, PE32+ 14->38 dropped 27 wuaupdt.exe 1 17 14->27         started        32 rundll32.exe 17->32         started        34 WerFault.exe 20 16 19->34         started        process7 dnsIp8 40 46.30.188.99, 49693, 49694, 49697 ASN-QUADRANET-GLOBALUS United Kingdom 27->40 36 C:\Users\user\AppData\Roaming\...\svcmon.exe, PE32+ 27->36 dropped 48 Unusual module load detection (module proxying) 27->48 file9 signatures10
Score:
6%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/27a5d818f690b4c0b1679381ee48ffafb8d3b4ad6247797c32698bd6992a224f
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/27a5d818f690b4c0b1679381ee48ffafb8d3b4ad6247797c32698bd6992a224f/
Verdict:
Malicious
Threat:
Trojan.Win32.Agent
Link:
https://tip.neiki.dev/file/27a5d818f690b4c0b1679381ee48ffafb8d3b4ad6247797c32698bd6992a224f
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e6s5qghwsc2mbmlhsoa64sh7v64nhnfnmjdxs7bsngf5ngjkejhq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence privilege_escalation
Link:
https://tria.ge/reports/260318-p1wnjafz8r/
Behaviour
Modifies registry class
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Adds Run key to start application
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Unpacked files
SH256 hash:
27a5d818f690b4c0b1679381ee48ffafb8d3b4ad6247797c32698bd6992a224f
MD5 hash:
3895302964bcb46729c61f82a798ef96
SHA1 hash:
f87af555b38949553782281ffc9251c093f0c089
Link:
https://www.unpac.me/results/d688f5ac-ead0-4866-ada8-bf18a7d600be/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/27a5d818f690b4c0b1679381ee48ffafb8d3b4ad6247797c32698bd6992a224f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/57982/

Comments