MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a05603fd3adbd7c74e32248e6da4e52dc8fc1412910c0f473261996ad4f8652. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 12

SHA256 hash: 2a05603fd3adbd7c74e32248e6da4e52dc8fc1412910c0f473261996ad4f8652
SHA3-384 hash: e30d3a1944f799e83b4f67a4a316a67a45542297f2f70ed053ec9545a90ca5e72a443f03c7ebdb2fe87bae5b739b5ac9
SHA1 hash: 5f298eacb4444ae3ebbf1d2affedc9b73e09cd79
MD5 hash: 9831c845c5003cf9dd55764b03b167a4
humanhash: south-texas-thirteen-vermont
File name: 9831c845c5003cf9dd55764b03b167a4.exe
File size: 9'164'800 bytes
First seen: 2025-09-06 06:55:10 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (49'013 x AgentTesla, 19'917 x Formbook, 12'332 x SnakeKeylogger)
ssdeep: 98304:FvbBEXm42foY9xz5QbrUoArITvd9tWpmIgMlqVz+rQVe97lwu9cXvBxDh3DYnskR:FjBEXSP5QbrUl2JC0MR
TLSH: T1F896BE0173A88E26C1BF9739A0B14A146775BD0AAB47D35F38CDBB696CB33024D1176B
TrID: 62.2% (.RLL) Microsoft Resource Library (x86) (177572/6/26)
      25.6% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      3.6% (.EXE) Win64 Executable (generic) (10522/11/4)
      2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika: pebin
dhash icon: 104810f0f0700040
Reporter: abuse_ch
Tags: exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 66
Origin country: SE

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 9831c845c5003cf9dd55764b03b167a4.exe
Verdict: Suspicious activity
Analysis date: 2025-09-06 07:04:58 UTC
Tags: evasion

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 93.3%
Tags: phishing micro virus hype

Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a window
Creating synchronization primitives
Creating a file
Searching for synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Sending a custom TCP request

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: dotfuscator fingerprint obfuscated obfuscated packed packed packer_detected threat

Verdict: Unknown
File Type: exe x32
First seen: 2025-09-02T11:55:00Z UTC
Last seen: 2025-09-02T11:55:00Z UTC
Hits: ~100
Result
Threat name: n/a
Detection: malicious
Classification: troj.evad
Score: 64 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph:
Verdict: inconclusive
YARA: 12 match(es)
Tags: .Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.13 SOS: 0.18 SOS: 0.19 SOS: 0.20 SOS: 0.21 SOS: 0.23 SOS: 0.24 SOS: 0.25 SOS: 0.26 SOS: 0.27 SOS: 0.28 SOS: 0.33 SOS: 0.39 Win 32 Exe x86

Threat name: Win32.Trojan.Marsilia
Status: Malicious
First seen: 2025-09-02 20:26:59 UTC
File Type: PE (.Net Exe)
Extracted files: 294
AV detection: 7 of 37 (18.92%)
Threat level: 5/5

Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Looks up external IP address via web service
Verdict: Suspicious
Tags: External_IP_Lookup
YARA: n/a
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: botnet_plaintext_c2
Author: cip
Description: Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name: Check_Dlls

Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name: Detect_PowerShell_Obfuscation
Author: daniyyell
Description: Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name: dotfuscator
Author: Jean-Philippe Teissier / @Jipe_
Description: Dotfuscator

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: grakate_stealer_nov_2021

Rule name: INDICATOR_EXE_Packed_Dotfuscator
Author: ditekSHen
Description: Detects executables packed with Dotfuscator

Rule name: Lumma_Stealer_Detection
Author: ashizZz
Description: Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference: https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/

Rule name: Multifamily_RAT_Detection
Author: Lucas Acha (http://www.lukeacha.com)
Description: Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables

Rule name: NET
Author: malware-lu

Rule name: NETDLLMicrosoft
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May Contain (Obfuscated or not) Powershell or CMD Command that can be abused by threat actor (can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments