MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 293a4c49ea391a5a8b43ba3daf8bca8ae2ebe9b881a0e5cef06926e07fff0fad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 293a4c49ea391a5a8b43ba3daf8bca8ae2ebe9b881a0e5cef06926e07fff0fad
SHA3-384 hash: 6a1efb51ca1c2173e9afe3bd1a22abfeace8cdc922f47f7a0581009247241b3fb77255bbda60328521e5ad5813693275
SHA1 hash: ad491764e8365df25a50a5bb8d881685c6e6db5c
MD5 hash: b842e565efe93c6e4d43672eae987899
humanhash: maryland-comet-gee-louisiana
File name:buding.exe
Download: download sample
File size:1'758'644 bytes
First seen:2025-06-16 12:50:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 51a854d285aa12eb82e76e6e1be01573
ssdeep 49152:c380DFDrFYPChSdpe4Xg7aqV5L94Tem785FXrimJRb:c33FDrkCh+bQuqVKqHDRb
TLSH T1F885338A1CEB8BBACD7E667442191F6D407B10283499E04BC9E07F96F6FC4193EDA741
TrID 30.6% (.EXE) UPX compressed Win32 Executable (27066/9/6)
30.0% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
11.9% (.EXE) Win64 Executable (generic) (10522/11/4)
7.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
5.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
dhash icon a661d572b3b0f0f2 (1 x Adware.QQpass, 1 x CoinMiner)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
451
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
buding.exe
Verdict:
No threats detected
Analysis date:
2025-06-16 14:03:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0537c9b9-a672-48c1-9a55-15f543d1ff84

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/9676/
Detection(s):
Win.Malware.Flystudio-6937682-0
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6850135b8bd5d68a12e8dbb4
Tags:
injection obfusc
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/293a4c49ea391a5a8b43ba3daf8bca8ae2ebe9b881a0e5cef06926e07fff0fad
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/440f7aa0-839f-4c1f-84f5-e347dd439c18
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1715555
Signature
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/293a4c49ea391a5a8b43ba3daf8bca8ae2ebe9b881a0e5cef06926e07fff0fad
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/293a4c49ea391a5a8b43ba3daf8bca8ae2ebe9b881a0e5cef06926e07fff0fad/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fe5eyspkhenfvc2dxi627c6krlrox2nyqgqoltxqnetoa777b6wq._file
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery upx
Link:
https://tria.ge/reports/250616-p3txqacn5s/
Behaviour
System Location Discovery: System Language Discovery
UPX packed file
Verdict:
Malicious
Tags:
Win.Malware.Flystudio-6937682-0
YARA:
n/a
Link:
https://app.threat.zone/submission/17f7a7bb-99d2-400e-9077-c95c11f51217
Unpacked files
SH256 hash:
293a4c49ea391a5a8b43ba3daf8bca8ae2ebe9b881a0e5cef06926e07fff0fad
MD5 hash:
b842e565efe93c6e4d43672eae987899
SHA1 hash:
ad491764e8365df25a50a5bb8d881685c6e6db5c
Link:
https://www.unpac.me/results/a41020df-c9cf-42e3-8dda-abcbcffe1a31/
SH256 hash:
7116a37795049a14ad7d184e352d80c8544950cfddb9155cfa77a1019069e7b0
MD5 hash:
7387d494facd43bdccb488c633e2b7d9
SHA1 hash:
859ce5ebf0e50daa6769315ff5c710f1a3e81b2c
Link:
https://www.unpac.me/results/a41020df-c9cf-42e3-8dda-abcbcffe1a31/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.75
Link:
https://yomi.yoroi.company/submissions/293a4c49ea391a5a8b43ba3daf8bca8ae2ebe9b881a0e5cef06926e07fff0fad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CMD_Ping_Localhost
Create hunting rule
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:SUSP_XORed_URL_In_EXE
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:UPX20030XMarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:UPXv20MarkusLaszloReiser
Create hunting rule
Author:malware-lu
Rule name:upx_3
Create hunting rule
Author:Kevin Falcoz
Description:UPX 3.X
Rule name:upx_largefile
Create hunting rule
Author:k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 293a4c49ea391a5a8b43ba3daf8bca8ae2ebe9b881a0e5cef06926e07fff0fad

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2301795/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/9676/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA

Comments