MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42c3e304aca8a3c6d74728eb0dde5a006a0f6f9073437ed0868e38ed8f486175. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 42c3e304aca8a3c6d74728eb0dde5a006a0f6f9073437ed0868e38ed8f486175
SHA3-384 hash: e0695e3c9eddebe02e66908a31f896423ae43a46afc0cc0cdc6761b654f53240c142785d93a3f8a1028a8a1109863441
SHA1 hash: 96159b4bcc6505af0c9d2f8e8f701eb80913019b
MD5 hash: e9c702b91b495cea5915af62e223989c
humanhash: april-ten-alpha-autumn
File name:8GVk01wwWXHHto7BJ1pwBajM8YOnUuQf.exe
Download: download sample
File size:3'556'272 bytes
First seen:2025-10-28 07:22:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3e0e6d32ffd90c41d6f9e812a56d2d80
ssdeep 49152:ylA9QruzQ4XeA6t9jMu4e86syvzGb7aRxm/CRaaYb0ajojZG4cZghDD2KF/xP/ks:f9xw5EyvzGv/CRatb0OoNRcgDiQ/x/X
TLSH T1D4F522B0BF86EFF4E02FC7706192145D72293F755A3815AF5A98E0295EB68B41D3328C
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
74
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8GVk01wwWXHHto7BJ1pwBajM8YOnUuQf.exe
Verdict:
Malicious activity
Analysis date:
2025-10-28 07:35:30 UTC
Tags:
crypto-regex golang
Link:
https://app.any.run/tasks/b4a6897e-2f12-43a1-aed6-bda260bf3215

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/34426/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69006f955de5ca2707532a62
Tags:
autorun shell spawn sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Sending a custom TCP request
Creating a process from a recently created file
Сreating synchronization primitives
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
invalid-signature obfuscated packed packed packer_detected signed
Link:
https://www.filescan.io/uploads/690071973a79800405fa3c47/reports/71fd9f37-5582-41e0-a4b3-b4fdf1c34039/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/42c3e304aca8a3c6d74728eb0dde5a006a0f6f9073437ed0868e38ed8f486175
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-10-28T00:18:00Z UTC
Last seen:
2025-10-28T00:30:00Z UTC
Hits:
~10
Detections:
PDM:Trojan.Win32.Tasker.cust PDM:Trojan.Win32.Generic Trojan-Banker.Win32.Express.sb Trojan-Banker.Win32.ClipBanker.sb Trojan-Banker.Win32.ClipBanker.afip Trojan.Win32.Reconyc.sb Trojan.Win32.Agent.sb
Link:
https://opentip.kaspersky.com/42c3e304aca8a3c6d74728eb0dde5a006a0f6f9073437ed0868e38ed8f486175/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/6d5c85ed-f79e-4543-907b-6d07ee86a606
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1802994
Signature
Drops PE files with benign system names
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Self deletion via cmd or bat file
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Schedule system process
Sigma detected: Suspect Svchost Activity
Sigma detected: System File Execution Location Anomaly
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1802994 Sample: 8GVk01wwWXHHto7BJ1pwBajM8YO... Startdate: 28/10/2025 Architecture: WINDOWS Score: 100 45 Multi AV Scanner detection for submitted file 2->45 47 Sigma detected: Schedule system process 2->47 49 PE file contains section with special chars 2->49 51 4 other signatures 2->51 7 8GVk01wwWXHHto7BJ1pwBajM8YOnUuQf.exe 21 2->7         started        11 svchost.exe 2->11         started        process3 file4 39 C:\Users\user\AppData\Roaming\...\svchost.exe, PE32+ 7->39 dropped 41 C:\Users\user\AppData\...\taskmanager.bat, DOS 7->41 dropped 53 Self deletion via cmd or bat file 7->53 55 Drops PE files with benign system names 7->55 57 Found direct / indirect Syscall (likely to bypass EDR) 7->57 13 cmd.exe 1 7->13         started        16 cmd.exe 1 7->16         started        18 cmd.exe 1 7->18         started        59 Multi AV Scanner detection for dropped file 11->59 20 cmd.exe 11->20         started        signatures5 process6 signatures7 61 Uses ping.exe to sleep 13->61 63 Uses schtasks.exe or at.exe to add and modify task schedules 13->63 65 Uses ping.exe to check the status of other devices and networks 13->65 22 conhost.exe 13->22         started        24 schtasks.exe 1 13->24         started        26 PING.EXE 1 16->26         started        29 conhost.exe 16->29         started        31 conhost.exe 18->31         started        33 schtasks.exe 1 18->33         started        35 conhost.exe 20->35         started        37 schtasks.exe 1 20->37         started        process8 dnsIp9 43 127.0.0.1 unknown unknown 26->43
Score:
92%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/42c3e304aca8a3c6d74728eb0dde5a006a0f6f9073437ed0868e38ed8f486175
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/e9c702b91b495cea5915af62e223989c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/42c3e304aca8a3c6d74728eb0dde5a006a0f6f9073437ed0868e38ed8f486175/
Verdict:
Malicious
Threat:
Trojan-Banker.Win32.ClipBanker
Link:
https://tip.neiki.dev/file/42c3e304aca8a3c6d74728eb0dde5a006a0f6f9073437ed0868e38ed8f486175
Threat name:
Win64.Trojan.Lazy
Create hunting rule
Status:
Malicious
First seen:
2025-10-28 07:15:51 UTC
File Type:
PE+ (Exe)
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ilb6gbfmvcr4nv2hfdvq3xs2abva634qonbx5uegry4o3d2imf2q._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery execution persistence
Link:
https://tria.ge/reports/251028-jcsdbasrar/
Behaviour
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
System Network Configuration Discovery: Internet Connection Discovery
Executes dropped EXE
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b7f3a854-9052-42c0-9127-88799ac37783
Unpacked files
SH256 hash:
42c3e304aca8a3c6d74728eb0dde5a006a0f6f9073437ed0868e38ed8f486175
MD5 hash:
e9c702b91b495cea5915af62e223989c
SHA1 hash:
96159b4bcc6505af0c9d2f8e8f701eb80913019b
Link:
https://www.unpac.me/results/884ba8ba-d81b-4770-a401-83cdde11861d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/42c3e304aca8a3c6d74728eb0dde5a006a0f6f9073437ed0868e38ed8f486175

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 42c3e304aca8a3c6d74728eb0dde5a006a0f6f9073437ed0868e38ed8f486175

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3687921/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/34426/

Comments