MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2bf04b9a583e6f1efa661a43d357bc8ea143bcb53fa87f81081347ee2feb80eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2bf04b9a583e6f1efa661a43d357bc8ea143bcb53fa87f81081347ee2feb80eb
SHA3-384 hash: a0d5e7492b6a1256f8767203b3a2b0410153952aaa27761e117182f67f301e4b36c3740ab79636251f040b5913da4d46
SHA1 hash: 6d89256296cac304750e190e5650942449929b38
MD5 hash: 486063249f6b355cf0a50e7c2eb76445
humanhash: butter-kitten-mango-butter
File name:file
Download: download sample
File size:70'656 bytes
First seen:2026-06-20 23:58:27 UTC
Last seen:2026-06-21 00:30:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'075 x AgentTesla, 20'033 x Formbook, 12'353 x SnakeKeylogger)
ssdeep 768:4YlbdXo81wwk+EgORzDZ3M5C0/M1c9GtCw/k5z+JicP27wzdvOfs39bS6rQlld52:HrYS8xinM1WGU+IcP2iYg9bS6Unc8G
TLSH T13463C7D8367B8831D17F6DFAE6C7624F5EB05133A801D6860CD226E26901A86DD4FCF9
TrID 70.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.2% (.EXE) Win64 Executable (generic) (6522/11/2)
4.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter Bitsight
Tags:d52f85 dropped-by-amadey exe


Avatar
Bitsight
url: http://62.60.226.140/files/7726345600/DsL2jed.exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
175
Origin country :
US US
Vendor Threat Intelligence
Malware configuration found for:
Violet
Details
Link:
https://research.acce.ciphertechsolutions.com/results/04d48ae9-f7ea-4f21-b1e8-368fa838de4e/
Malware family:
n/a
ID:
1
File name:
_2bf04b9a583e6f1efa661a43d357bc8ea143bcb53fa87f81081347ee2feb80eb.exe
Verdict:
Malicious activity
Analysis date:
2026-06-21 00:01:42 UTC
Tags:
auto-reg auto-startup violet rat amsi-bypass
Link:
https://app.any.run/tasks/3c0efb9d-cb90-43a3-960c-2f13698a780e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/71393/
Detection(s):
SecuriteInfo.com.Trojan.XWorm.1.28395749.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a37296186bc95245bf82268
Tags:
stration autorun sage remo
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Enabling the 'hidden' option for files in the %temp% directory
Launching a process
Creating a file in the %AppData% directory
Creating a file
Creating a file in the Windows subdirectories
Connection attempt
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
base64 evasive explorer lolbin obfuscated obfuscated reconnaissance vbnet
Link:
https://www.filescan.io/uploads/6a37295c9de4cf364c0f7ce9/reports/2b97cb0b-355c-44ca-b7ad-a2ecfa6bbc73/overview
Verdict:
Malicious
Labled as:
IL:Trojan.XWorm
Link:
https://www.hybrid-analysis.com/sample/2bf04b9a583e6f1efa661a43d357bc8ea143bcb53fa87f81081347ee2feb80eb
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-06-20T21:07:00Z UTC
Last seen:
2026-06-21T04:48:00Z UTC
Hits:
~10
Detections:
Backdoor.Agent.TCP.C&C Trojan.Win32.Agent.sb Trojan.MSIL.Crypt.sb HEUR:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/2bf04b9a583e6f1efa661a43d357bc8ea143bcb53fa87f81081347ee2feb80eb/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7a11e316-b536-4a42-9554-123931bd51ee
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2bf04b9a583e6f1efa661a43d357bc8ea143bcb53fa87f81081347ee2feb80eb
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.99 Win 32 Exe x86
Link:
https://app.malva.re/file/486063249f6b355cf0a50e7c2eb76445
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2bf04b9a583e6f1efa661a43d357bc8ea143bcb53fa87f81081347ee2feb80eb/
Verdict:
Malicious
Threat:
Trojan.MSIL.Crypt
Link:
https://tip.neiki.dev/file/2bf04b9a583e6f1efa661a43d357bc8ea143bcb53fa87f81081347ee2feb80eb
Threat name:
Win32.Backdoor.NjRAT
Create hunting rule
Status:
Malicious
First seen:
2026-06-20 23:59:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fpyexgsyhzxr56tgdjb5gv54r2quhpfvh6uh7aiicnd64l7lqdvq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
execution persistence
Link:
https://tria.ge/reports/260620-31ea5sbt5w/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Adds Run key to start application
Drops startup file
Executes dropped EXE
Unpacked files
SH256 hash:
2bf04b9a583e6f1efa661a43d357bc8ea143bcb53fa87f81081347ee2feb80eb
MD5 hash:
486063249f6b355cf0a50e7c2eb76445
SHA1 hash:
6d89256296cac304750e190e5650942449929b38
Link:
https://www.unpac.me/results/3f2d7f9c-138a-424c-894f-0f1bf95b611a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2bf04b9a583e6f1efa661a43d357bc8ea143bcb53fa87f81081347ee2feb80eb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
Rule name:win_dotnet_vb_stealer_rat
Create hunting rule
Author:Arrbat
Description:Detects .NET/VB executables with stealer/RAT capabilities (sockets, HTTP, processes, registry, etc).
Rule name:XWorm_Violet_v5
Create hunting rule
Author:kirkderp
Description:XWorm / Violet v5 -- 80+ command RAT with HVNC, keylogger, crypto clipper, USB worm, webcam capture
Reference:https://github.com/kirkderp/yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 2bf04b9a583e6f1efa661a43d357bc8ea143bcb53fa87f81081347ee2feb80eb

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/71393/

Comments