MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d0d91d0fcdd16e7bb270c57dd739d4ee33b2ca70564f9bfa7dc8c6a86b1b7cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 12



SHA256 hash: 3d0d91d0fcdd16e7bb270c57dd739d4ee33b2ca70564f9bfa7dc8c6a86b1b7cb
SHA3-384 hash: b60390cef1c58fb595ad6ffe6b1b482c21708a3ee00453205784e6a60730d29c6300c41d44daa172a870397a83bdb5f5
SHA1 hash: 35c23ffe93c04967960e29bbf944bea66a8c225b
MD5 hash: bf9e11ee6bd7a61ac0829f802e2c7fef
humanhash: october-robert-lactose-summer
File name: 41lglxP.exe
File size: 12'917'400 bytes
First seen: 2025-12-11 13:57:28 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: e8ac1646024d52d1534a88da2e8037cd (same import hash also seen on 9 x OffLoader, 9 x HijackLoader, 7 x ValleyRAT samples)
ssdeep: 196608:rDbmlC0CPU8bPxYfklh7MWRit6r9RXRKnpn2Wi8hPeyjmZC+gx02VYWTGcQSKonn:rDbvbPCmYn6r9RXsNdP9me5XQ+pc+
TLSH: T18FD62327B28F633EE46949360A776951093FBA61651A8CB3C6F40D4CCF2D0A11E7EE17
TrID:
  60.0% (.EXE) Inno Setup installer (107240/4/30)
  23.2% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
  5.8% (.EXE) Win64 Executable (generic) (10522/11/4)
  3.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  2.5% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
Reporter: abuse_ch
Tags: exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 129
Origin country: SE
Vendor Threat Intelligence

Malware family: (none listed)
ID: 1
File name: NewTextDocumentmod.exe
Verdict: Malicious activity
Analysis date: 2025-12-11 03:01:20 UTC
Tags: xred backdoor hausbomber github loader pastebin delphi discord stealer evasion python dyndns xmrig auto coinminer miner metastealer redline golang xor-url generic stealc anti-evasion exfiltration meterpreter payload metasploit purecrypter netreactor crypto-regex purelogs clipper diamotrix amadey botnet cobaltstrike svc agenttesla offloader asyncrat rat quasar
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.9%
Tags: shellcode dropper overt

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: adaptive-context crypt embarcadero_delphi fingerprint inno installer installer installer-heuristic overlay packed

Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 64 / 100
Signature:
  Multi AV Scanner detection for dropped file
  Multi AV Scanner detection for submitted file
  System process connects to network (likely due to code injection or exploit)
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Threat name: Win32.Malware.Heuristic
Status: Malicious
First seen: 2025-12-10 15:51:42 UTC
AV detection: 8 of 24 (33.33%)
Threat level: 2/5

Result
Malware family: n/a
Score: 7/10
Tags: discovery installer
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of FindShellTrayWindow
  Suspicious use of WriteProcessMemory
  Inno Setup is an open-source installation builder for Windows applications.
  System Location Discovery: System Language Discovery
  Executes dropped EXE
  Loads dropped DLL

Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files

SHA256 hash: 0beb824e9feb65ece9ea398aa3f948572e5d0f91eb1d26a646e0acdbcf31b0e9
MD5 hash: 27bebf7f43dcaca280999fc2f777132b
SHA1 hash: 27f670d478cf473ce7b065fc38c6cdc17d4fd876

SHA256 hash: 388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95
MD5 hash: e4211d6d009757c078a9fac7ff4f03d4
SHA1 hash: 019cd56ba687d39d12d4b13991c9a42ea6ba03da

SHA256 hash: 3d0d91d0fcdd16e7bb270c57dd739d4ee33b2ca70564f9bfa7dc8c6a86b1b7cb (this sample)
MD5 hash: bf9e11ee6bd7a61ac0829f802e2c7fef
SHA1 hash: 35c23ffe93c04967960e29bbf944bea66a8c225b
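The hashes above are the only IOCs a reader can act on offline: check that the file you downloaded really is the sample this entry describes, then sweep a host or share for the unpacked-file hashes. The script below is an added example, not code from MalwareBazaar; it uses only the Python standard library. The SHA256/SHA1/MD5/SHA3-384 values and the 12'917'400-byte size are copied from this entry; the b"hello" inputs in the usage text are constructed test data, not anything from the sample.

```python
"""Verify a download against the hashes listed in this MalwareBazaar entry and
hunt a directory tree for the unpacked-file SHA256s.  Added example, not part of
MalwareBazaar; standard library only."""
import hashlib
import os
from pathlib import Path

# Digests copied from the entry above (SHA256 / SHA1 / MD5 / SHA3-384).
SAMPLE_HASHES = {
    "sha256": "3d0d91d0fcdd16e7bb270c57dd739d4ee33b2ca70564f9bfa7dc8c6a86b1b7cb",
    "sha1": "35c23ffe93c04967960e29bbf944bea66a8c225b",
    "md5": "bf9e11ee6bd7a61ac0829f802e2c7fef",
    "sha3_384": "b60390cef1c58fb595ad6ffe6b1b482c21708a3ee00453205784e6a60730d29c6300c41d44daa172a870397a83bdb5f5",
}
SAMPLE_SIZE = 12_917_400  # "File size" field of this entry

# SHA256 values from the "Unpacked files" list; the third one is the sample itself.
UNPACKED_SHA256 = {
    "0beb824e9feb65ece9ea398aa3f948572e5d0f91eb1d26a646e0acdbcf31b0e9",
    "388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95",
    "3d0d91d0fcdd16e7bb270c57dd739d4ee33b2ca70564f9bfa7dc8c6a86b1b7cb",
}

ALGOS = ("sha256", "sha1", "md5", "sha3_384")


def hash_bytes(data: bytes) -> dict:
    """Lowercase hex digests of `data` for every algorithm in ALGOS."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGOS}


def hash_file(path, chunk_size=1 << 20) -> dict:
    """Stream a file through all digests at once, so a 12 MB sample is read once."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify(data: bytes, expected: dict, expected_size=None) -> list:
    """Return a list of mismatch descriptions; an empty list means every check passed.
    Checking every listed digest (not only SHA256) and the size catches a truncated
    or substituted download as well as a hash that was copied wrongly."""
    problems = []
    if expected_size is not None and len(data) != expected_size:
        problems.append(f"size {len(data)} != {expected_size}")
    actual = hash_bytes(data)
    for name, want in expected.items():
        got = actual.get(name)
        if got is None:
            problems.append(f"{name}: unsupported algorithm")
        elif got != want.lower():
            problems.append(f"{name}: {got} != {want.lower()}")
    return problems


def hunt(root, sha256_set=UNPACKED_SHA256) -> list:
    """Walk `root` and return sorted (path, sha256) pairs for files whose SHA256 is
    in `sha256_set`.  Unreadable files are skipped so one locked file does not
    abort the sweep."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = Path(dirpath) / fn
            try:
                digest = hash_file(p)["sha256"]
            except OSError:
                continue
            if digest in sha256_set:
                hits.append((str(p), digest))
    return sorted(hits)


if __name__ == "__main__":
    import sys
    # Usage: python check_sample.py <downloaded file> [directory to hunt]
    blob = Path(sys.argv[1]).read_bytes()
    issues = verify(blob, SAMPLE_HASHES, SAMPLE_SIZE)
    print("OK: matches entry" if not issues else "MISMATCH: " + "; ".join(issues))
    if len(sys.argv) > 2:
        for path, digest in hunt(sys.argv[2]):
            print(f"HIT {digest} {path}")
```

`verify` reports every failing check rather than stopping at the first, which is what you want when deciding whether a mismatch is a bad download (size and all digests differ) or a transcription error in one hash (only that digest differs). `hunt` matches on SHA256 only; the MD5 and SHA1 values are kept for cross-referencing other vendors' reports, not for detection.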
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Borland
Author: malware-lu

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: pe_detect_tls_callbacks

Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 3d0d91d0fcdd16e7bb270c57dd739d4ee33b2ca70564f9bfa7dc8c6a86b1b7cb (this sample)

Delivery method: Distributed via web download

Comments