MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 328b883ad4efd1b6a78cfbc173a65fee48dea20469be7cd817ab089758faea0b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BlackShades


Vendor detections: 16


Intelligence 16 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 328b883ad4efd1b6a78cfbc173a65fee48dea20469be7cd817ab089758faea0b
SHA3-384 hash: 018c24cdea35d43532755bac1c610e39f6670f41dd113053e5dda969f089d7d192f93fc92acb5f7cf92fedaf1dee4625
SHA1 hash: e29d13d2b722f47f69a7669b06112b27dc8336ef
MD5 hash: 7f53b50c805bfdc47d012f3c0f86aedf
humanhash: grey-lake-fifteen-hydrogen
File name:enbgjg.exe
Download: download sample
Signature BlackShades
Create hunting rule
File size:378'368 bytes
First seen:2026-01-24 22:50:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 18aee7cc80e48017bb06b13550617d1d (5 x BlackShades, 1 x BabylonRAT)
ssdeep 6144:yL1ncfWwN0oc35jeRh8Xqfy/Ka1OHAH0tMrKCTEABG+Z9d3cQTUoKVY4qf87iJwr:yLdcfxaeM6fy/KaVUtgKkTZ73coU5C/E
Threatray 35 similar samples on MalwareBazaar
TLSH T13C84231248C95617DDA795F806052ACC9C7B081F11CD8BB8CAE17AF7B04FEF199A4DE8
TrID 63.4% (.EXE) UPX compressed Win32 Executable (27066/9/6)
11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.7% (.EXE) OS/2 Executable (generic) (2029/13)
4.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon 30017068d2780170 (2 x BlackShades)
Reporter Anonymous
Tags:BabylonRAT c2 exe UPX


Avatar
Anonymous
The executable enbgjg.exe (SHA-256: 328b883ad4efd1b6a78cfbc173a65fee48dea20469be7cd817ab089758faea0b, 369.50 KB) is a UPX-packed Windows PE file exhibiting a strong malicious consensus on VirusTotal, with 56 of 70 security vendors reporting detections related to backdoor and spyware activity. Several engines explicitly identify the sample as Backdoor.Win/Babylon, while others associate it with closely related families such as Dodiw, Mint, Zard, and Larby, which are commonly observed in Babylon RAT campaigns. This consistent cross-vendor detection pattern, combined with its packed form and repeated classification as a backdoor / trojan-spy, supports attribution of this sample to Babylon RAT, indicating unauthorized remote access and surveillance capabilities rather than benign or generic malware.
File size (compressed) :378'368 bytes
File size (de-compressed) :764'928 bytes
Format:win32/pe
Unpacked file: f68f579e4c1cf3865aa1eb383da2a25ff54b252b6dc7b128eb35991af552e26f

Intelligence

File Origin
# of uploads :
1
# of downloads :
127
Origin country :
VN VN
Vendor Threat Intelligence
Malware configuration found for:
BabylonRAT PEPacker
Details
BabylonRAT
c2 socket addresses, a mutex, an interval, network encryption keys, and, if configured, installation parameters
PEPacker
a UPX version number and an unpacked binary
Link:
https://research.acce.ciphertechsolutions.com/results/420f7fea-44fe-42f7-8961-6f8ee0e7a09e/
Malware family:
babylon
Create hunting rule
ID:
1
File name:
enbgjg.exe
Verdict:
Malicious activity
Analysis date:
2026-01-24 22:50:29 UTC
Tags:
auto-reg babylon rat upx
Link:
https://app.any.run/tasks/c3c3afab-0034-4d94-888f-1ada124f2599

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/50012/
Detection(s):
Win.Malware.Generic-10015566-0
Create hunting rule

SecuriteInfo.com.Trojan.WebPick.9018.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69754cb95d0c8b8130271d64
Tags:
dropper virus mint remo
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug blackshades crypto fingerprint keylogger microsoft_visual_cc packed packed packed packed spyagent upx
Link:
https://www.filescan.io/uploads/69754cb5abc6d3ca6dec8a6d/reports/d772b246-be71-479c-860f-0fb79e5be146/overview
Verdict:
Malicious
Labled as:
Mint.Zard.Generic
Link:
https://www.hybrid-analysis.com/sample/328b883ad4efd1b6a78cfbc173a65fee48dea20469be7cd817ab089758faea0b
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-01-24T20:02:00Z UTC
Last seen:
2026-01-24T20:36:00Z UTC
Hits:
~10
Detections:
Trojan-Dropper.Win32.Dorifel.sbd Trojan-Spy.Win32.Stealer.sb Trojan-Spy.Win32.Larby.sb Trojan-Dropper.Win32.Dapato.sb HEUR:Trojan-Spy.Win32.Larby.gen HEUR:Trojan.Win32.Generic Trojan-Spy.Win32.Xegumumune.sbc Trojan-Spy.Win32.KeyLogger.sb Trojan.Win32.Zonidel.sb Trojan.Win32.Foxhiex.sb Trojan.Win32.Agent.sb
Link:
https://opentip.kaspersky.com/328b883ad4efd1b6a78cfbc173a65fee48dea20469be7cd817ab089758faea0b/results?tab=lookup
Malware family:
Dodiw
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/406cbaa7-a483-4992-8068-0414e0f2d878
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/328b883ad4efd1b6a78cfbc173a65fee48dea20469be7cd817ab089758faea0b
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/7f53b50c805bfdc47d012f3c0f86aedf
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/328b883ad4efd1b6a78cfbc173a65fee48dea20469be7cd817ab089758faea0b/
Verdict:
Malicious
Threat:
Family.BABYLONRAT
Link:
https://tip.neiki.dev/file/328b883ad4efd1b6a78cfbc173a65fee48dea20469be7cd817ab089758faea0b
Threat name:
Win32.Backdoor.MintZard
Create hunting rule
Status:
Malicious
First seen:
2026-01-24 22:51:02 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gkfyqowu57i3nj4m7paxhjs75zen5iqeng7hzwaxvmejowh25ifq._file
Verdict:
malicious
Label(s):
babylonrat
Create hunting rule
Similar samples:
45503927f90fe4aeae2c91c6f13d3a647338f44565cc2ca26ba0c1d49968c9bf
BlackShades
57b5a6c752a24058eb51cb09a2a031f6a618ac0da644e1f91646aa088613b34b
BlackShades
8618bf549fe77b12325caeac35e24857145cba568d740c191a5850e2cc2c3960
BlackShades
afb047616bd38a5e465bfeaff788843797806e4e9e72150906cac2004de7c9b7
BlackShades
e8eefab37fec532a017d60a2851ed8aff3f4589028e9ca6794d100ea758bddb1
BlackShades
error
BlackShades
+ 25 additional samples on MalwareBazaar
Result
Malware family:
babylonrat
Create hunting rule
Score:
  10/10
Tags:
family:babylonrat discovery persistence trojan upx
Link:
https://tria.ge/reports/260124-2sf94ahs7d/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
UPX packed file
Adds Run key to start application
Executes dropped EXE
Babylon RAT
Babylon RAT payload
Babylonrat family
Unpacked files
SH256 hash:
328b883ad4efd1b6a78cfbc173a65fee48dea20469be7cd817ab089758faea0b
MD5 hash:
7f53b50c805bfdc47d012f3c0f86aedf
SHA1 hash:
e29d13d2b722f47f69a7669b06112b27dc8336ef
Link:
https://www.unpac.me/results/ddb019cf-f0ad-445d-81e7-1e1fd5344a07/
SH256 hash:
641518539a1318ca172d7727b3a084507dd2400d56d197555879408e6a51a567
MD5 hash:
cdc1829d8994bcb98bd4d76ec7b23440
SHA1 hash:
13eac15b1bc1832b03b1cf5f8b5061e071692ea0
Link:
https://www.unpac.me/results/ddb019cf-f0ad-445d-81e7-1e1fd5344a07/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/328b883ad4ef/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/328b883ad4efd1b6a78cfbc173a65fee48dea20469be7cd817ab089758faea0b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BlackShades_4
Create hunting rule
Author:Jean-Philippe Teissier / @Jipe_
Description:BlackShades
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_BabylonRAT
Create hunting rule
Author:ditekSHen
Description:Detects BabylonRAT / CollectorStealer / ParadoxRAT
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:upx_largefile
Create hunting rule
Author:k3nr9
Rule name:win_babylon_rat_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.babylon_rat.
Rule name:win_blackshades_w0
Create hunting rule
Author:Jean-Philippe Teissier / @Jipe_

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BlackShades

Executable exe 328b883ad4efd1b6a78cfbc173a65fee48dea20469be7cd817ab089758faea0b

(this sample)

BlackShades

Executable exe f68f579e4c1cf3865aa1eb383da2a25ff54b252b6dc7b128eb35991af552e26f

  
Link
https://www.virustotal.com/gui/file/328b883ad4efd1b6a78cfbc173a65fee48dea20469be7cd817ab089758faea0b
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/50012/
  
Dropping
SHA256 f68f579e4c1cf3865aa1eb383da2a25ff54b252b6dc7b128eb35991af552e26f
  
Dropping
MD5 b5234ebe0159696112ad1118d2f36435

Comments