MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35f3ee553626b2267e4a8f35dce5b40840e5a461f13652bd2659681c31068805. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BlackSuit


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 35f3ee553626b2267e4a8f35dce5b40840e5a461f13652bd2659681c31068805
SHA3-384 hash: 396ead9652449827014a30b2b2ebafdf7050b6954f4ce4082f65df86492247dcfe5d920afb0845a2cba96c1e20b43f95
SHA1 hash: edee2c23114158fce48124a01db9c53f7a228a79
MD5 hash: 87d5fbaa3cd647071c51df0e07443c6f
humanhash: wolfram-asparagus-fix-pluto
File name:oledlg.dll
Download: download sample
Signature BlackSuit
Create hunting rule
File size:26'836'992 bytes
First seen:2026-01-01 17:11:17 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash fb7fef127dba18844de1273f7bed056b (1 x BlackSuit)
ssdeep 393216:rIG6qcMK405dsuJTGHmVN+nO0NrN1IG6+ckj405dsOJTGHmVNwffnG0NrN:rlcMK40IsUO0lnlAkj40IM0/G0l
Threatray 657 similar samples on MalwareBazaar
TLSH T188472310EB605029F8FB22F756FD956D992CEEF0275450CF42C565ED8A2A6E03E3231B
TrID 40.3% (.EXE) Win64 Executable (generic) (10522/11/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter smica83
Tags:blacksuit dll

Intelligence

File Origin
# of uploads :
1
# of downloads :
110
Origin country :
HU HU
Vendor Threat Intelligence
No detections
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/46837/
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6956aaf2e148d42004de5f61
Tags:
n/a
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/35f3ee553626b2267e4a8f35dce5b40840e5a461f13652bd2659681c31068805
Verdict:
Malicious
File Type:
dll x32
First seen:
2025-10-30T02:45:00Z UTC
Last seen:
2026-01-01T19:09:00Z UTC
Hits:
~10
Detections:
Trojan-Dropper.Win32.DLLhijack.sb Trojan.Win32.DLLhijack.sb Trojan.Win32.Agentb.sb HEUR:HackTool.Python.Inject.gen
Link:
https://opentip.kaspersky.com/35f3ee553626b2267e4a8f35dce5b40840e5a461f13652bd2659681c31068805/results?tab=lookup
Result
Threat name:
DonutLoader, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1843191
Signature
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Tries to harvest and steal Bitcoin Wallet information
Unusual module load detection (module proxying)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected DonutLoader
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1843191 Sample: oledlg.dll Startdate: 01/01/2026 Architecture: WINDOWS Score: 100 95 phong.11011.lol 2->95 99 Suricata IDS alerts for network traffic 2->99 101 Malicious sample detected (through community Yara rule) 2->101 103 Multi AV Scanner detection for submitted file 2->103 105 4 other signatures 2->105 12 loaddll32.exe 2 2->12         started        14 wscript.exe 2->14         started        17 wscript.exe 2->17         started        signatures3 process4 signatures5 19 rundll32.exe 2 12->19         started        22 cmd.exe 1 12->22         started        24 rundll32.exe 2 12->24         started        26 5 other processes 12->26 121 Windows Scripting host queries suspicious COM object (likely to drop second stage) 14->121 process6 signatures7 107 Bypasses PowerShell execution policy 19->107 28 powershell.exe 19->28         started        32 python.exe 38 19->32         started        109 Uses schtasks.exe or at.exe to add and modify task schedules 22->109 34 rundll32.exe 3 22->34         started        36 powershell.exe 24->36         started        38 python.exe 3 24->38         started        process8 file9 77 C:\Users\user\AppData\Local\...\winsound.pyd, PE32 28->77 dropped 79 C:\Users\user\AppData\...\vcruntime140.dll, PE32 28->79 dropped 81 C:\Users\user\AppData\...\unicodedata.pyd, PE32 28->81 dropped 91 56 other files (55 malicious) 28->91 dropped 119 Loading BitLocker PowerShell Module 28->119 40 conhost.exe 28->40         started        83 C:\Users\user\AppData\Local\...\python.exe, PE32 32->83 dropped 85 C:\Users\user\AppData\Local\...\winsound.pyd, PE32 32->85 dropped 87 C:\Users\user\AppData\...\vcruntime140.dll, PE32 32->87 dropped 93 26 other files (none is malicious) 32->93 dropped 42 cmd.exe 1 32->42         started        44 conhost.exe 32->44         started        89 C:\Users\user\AppData\Local\...\macOSx.zip, Zip 34->89 dropped 46 powershell.exe 41 34->46         started        49 conhost.exe 36->49         started        51 conhost.exe 38->51         started        signatures10 process11 signatures12 53 python.exe 8 42->53         started        58 conhost.exe 42->58         started        123 Loading BitLocker PowerShell Module 46->123 125 Powershell drops PE file 46->125 60 conhost.exe 46->60         started        process13 dnsIp14 97 phong.11011.lol 51.79.214.122, 49692, 56001 OVHFR Canada 53->97 71 C:\Users\user\AppData\...\tmp0kr5uto1.xml, XML 53->71 dropped 73 C:\Users\user\AppData\Local\Drivers\run.vbs, ASCII 53->73 dropped 75 C:\Users\user\AppData\Local\python.exe, PE32 53->75 dropped 111 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 53->111 113 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 53->113 115 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 53->115 117 4 other signatures 53->117 62 powershell.exe 53->62         started        65 cmd.exe 53->65         started        file15 signatures16 process17 signatures18 127 Loading BitLocker PowerShell Module 62->127 67 conhost.exe 62->67         started        69 schtasks.exe 65->69         started        process19
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/35f3ee553626b2267e4a8f35dce5b40840e5a461f13652bd2659681c31068805
Verdict:
Malware
YARA:
6 match(es)
Tags:
DeObfuscated Executable Obfuscated PDB Path PE (Portable Executable) PE File Layout T1059.005 VBScript Win 32 Exe x86
Link:
https://app.malva.re/file/87d5fbaa3cd647071c51df0e07443c6f
Gathering data
Verdict:
Malicious
Threat:
Family.BLACKSUIT
Link:
https://tip.neiki.dev/file/35f3ee553626b2267e4a8f35dce5b40840e5a461f13652bd2659681c31068805
Threat name:
Win32.Backdoor.Asyncrat
Create hunting rule
Status:
Suspicious
First seen:
2025-12-26 09:21:16 UTC
File Type:
PE (Dll)
Extracted files:
2787
AV detection:
17 of 38 (44.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gxz64vjwe2zcm7skr425zznubbaoljdb6e3ffpjglfubymigracq._file
Verdict:
malicious
Label(s):
donutloader
Create hunting rule
Similar samples:
03e32f965938c127a3c4478d5f065609b0e8ccd455a832bdc122d3a8627490a9
BlackSuit
05b636682bbe2b0798bf3bf5941fd038db982b8b194271e8935c202bc20c243e
BlackSuit
0bf636489b239160bcd7a08ded2f7f8ba0fecf881828794d141223533a912c23
BlackSuit
1a5a3ca3568d8f54e8e1516454ff0336d4ae4bc092e9439a67c7321b70cbd0fc
BlackSuit
35f3ee553626b2267e4a8f35dce5b40840e5a461f13652bd2659681c31068805
BlackSuit
5834d20cfc80f6fe20514b7a1e3e9764765aa3f548e2874504e9d26345f80560
BlackSuit
901d6191e8bf99cf1a2a6b770519d18b82875294e95a55d1e87e42ef8bad213a
BlackSuit
cf9cdd5d26283d31c43eb4df35a0dfc867da74441e5363890a84b988d8514c62
BlackSuit
d593ddbfe63dbf2b738f9a64619fbb720fab9f79facdeedc24b2c6960121b1a4
BlackSuit
error
BlackSuit
+ 647 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery execution persistence spyware stealer
Link:
https://tria.ge/reports/260106-k7ax7aep2z/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/35f3ee553626b2267e4a8f35dce5b40840e5a461f13652bd2659681c31068805

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/46837/

Comments