MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a8136bb039b7176dc057aa652eaccd2d5723150325d2ed28b5cdc33f813ed7e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 14


SHA256 hash: 3a8136bb039b7176dc057aa652eaccd2d5723150325d2ed28b5cdc33f813ed7e
SHA3-384 hash: 16b4ec16bb35b18ce29f91e70c4eec24cfbb612b5b612d31d64fb0c1e2ed92a10653d9f47bd090176542a556b77556cd
SHA1 hash: aca880f7263cd8ddd6d76cc691ca419857aae9b0
MD5 hash: 39b72ef0dcd8e89d1f19f1b94a73f493
humanhash: oven-oklahoma-golf-equal
File name: file
File size: 13'383'725 bytes
First seen: 2025-12-25 21:58:38 UTC
Last seen: 2025-12-26 05:46:49 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 573bb7b41bc641bd95c0f5eec13c233b (26 x GuLoader, 15 x VIPKeylogger, 11 x RemcosRAT)
ssdeep: 393216:nSEd8CPhm0xmc1qW1+zflnpNm3ID1+TYgqSNDmjB:nzd8C5FWj1pNm3C1YgS9mt
TLSH: T118D633E3E5D2218FF4B7D27889783DB1EEA7059BD30B9D3E176809066ED1897CD29081
TrID:
  47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
  9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
Reporter: Bitsight
Tags: dropped-by-amadey exe fbf543


Bitsight
url: http://130.12.180.43/files/6858883307/HzVJzOd.exe

Intelligence

File Origin
# of uploads: 7
# of downloads: 90
Origin country: US
Vendor Threat Intelligence

Malware configuration found for: NSIS (details: NSIS extracted archive contents)

Malware family: n/a
ID: 1
File name: HzVJzOd.exe
Verdict: Malicious activity
Analysis date: 2025-12-25 21:29:42 UTC
Tags: exploit python

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 96.5%
Tags: phishing shell agent sage

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug blackhole installer installer installer-heuristic microsoft_visual_cc nsis overlay
Verdict: Malicious
File Type: exe x32
First seen: 2025-12-25T18:37:00Z UTC
Last seen: 2025-12-25T18:44:00Z UTC
Hits: ~10
Detections: Trojan.Win32.Agent.xcbrcs Trojan.Win32.Agent.sb

Verdict: inconclusive
YARA: 5 match(es)
Tags: Executable NSIS Installer PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86

Result
Malware family: n/a
Score: 10/10
Tags: discovery execution persistence spyware
Behaviour
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Executes dropped EXE
Loads dropped DLL
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Process spawned unexpected child process
Malware Config
Dropper Extraction:
https://indeanapolice.cc/OST_Walker.pdf
https://indeanapolice.cc
Unpacked files
SHA256 hash: 3a8136bb039b7176dc057aa652eaccd2d5723150325d2ed28b5cdc33f813ed7e
MD5 hash: 39b72ef0dcd8e89d1f19f1b94a73f493
SHA1 hash: aca880f7263cd8ddd6d76cc691ca419857aae9b0

SHA256 hash: 0e52de1473c33d8bdb57a86c4ebd3ec70b9042e3251626c721271b54c9208f77
MD5 hash: bf631264336ee9226289ec7391839b19
SHA1 hash: 240a7bf9f01d800411e378315f51afe5412d3d38

SHA256 hash: a1c5c6e4873aa53d75b35c512c1cbadf39315deeec21a3ada72b324551f1f769
MD5 hash: 704d647d6921dbd71d27692c5a92a5fa
SHA1 hash: 6f0552ce789dc512f183b565d9f6bf6bf86c229d

SHA256 hash: d278b258a6d565aa014a4cab0731134facdec77e9b25d97d0c235922353464b3
MD5 hash: 1c59f9647f434aece630b492133f6e36
SHA1 hash: a9d14e0680ad4b853089720f2258cdd4c94cb6f6

SHA256 hash: e3c1b4d2033071e4835bf4d13b5da21d3d11b097124983eb4d71b2ec399dbca4
MD5 hash: 327e5636c2d246686306c67004c9bd56
SHA1 hash: 138a84fa3022612b111057733bbda8d42f0f4de3

Malware family: MintsLoader
Verdict: Malicious

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Detect_NSIS_Nullsoft_Installer
Author: Obscurity Labs LLC
Description: Detects NSIS installers by .ndata section + NSIS header string

Rule name: upxHook
Author: @r3dbU7z
Description: Detect artifacts from 'upxHook' - modification of UPX packer
Reference: https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Executable exe 3a8136bb039b7176dc057aa652eaccd2d5723150325d2ed28b5cdc33f813ed7e (this sample)
Dropped by: Amadey
Delivery method: Distributed via web download

Comments