MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d3da539bfc706b98f76e9e74b428e414c708342f5faf1e9cd16bc13109b37fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 12

Intelligence 12 IOCs YARA 4 File information Comments

SHA256 hash:	4d3da539bfc706b98f76e9e74b428e414c708342f5faf1e9cd16bc13109b37fc
SHA3-384 hash:	006a32e8a59ac2bcdadf3089d7490b1b138b09fbe52bc24d95763b22a62bd1beb9c9305d8cb85f1b415151e2c73ded83
SHA1 hash:	346654ff81b4e29e97edba4cd7c8fd140929da70
MD5 hash:	bb9b1bda5d8d9b50eb701e14cbc8afd2
humanhash:	comet-delaware-vegan-don
File name:	xsh.exe
Download:	download sample
File size:	4'513'792 bytes
First seen:	2025-09-12 14:41:31 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	bdf3b65a3b2abda30244ae652aafeae8
ssdeep	98304:jZOEOdf1jvI/wKippOTjxjEOVKDtgdptmG59Cn+xjNggz:jZOEOdf1jvI/wK2pOTjxjEOVKDtgdptv
TLSH	T1B6261A13CBA0640CFD6355306AB4A66391396C3B684DC80FF741AF586874AD7AEF532B
TrID	70.2% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8) 9.0% (.EXE) Win64 Executable (generic) (10522/11/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 3.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
dhash icon	3f7d7cd6d8fcf7ff
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

amadey

ID:

File name:

2to1ep.bin

Verdict:

Malicious activity

Analysis date:

2025-09-12 13:09:17 UTC

Tags:

auto metasploit framework python amadey botnet stealer github payload smb xenorat rat anti-evasion lumma meterpreter backdoor anydesk rmm-tool diamotrix clipper agenttesla miner loader generic tinynuke sparkrat evasion xworm formbook vidar stormkitty phishing possible-phishing cobaltstrike koadic quasar njrat clickfix redline tool pyinstaller aurotun stealerium remcos coinminer remote gh0st masslogger vipkeylogger keylogger telegram stealc purelogsstealer meta asyncrat rhadamanthys sliver havoc arechclient2 snake ransomware cryptolocker loki nanocore darkroad rustystealer xmrig gcleaner networm amus zerotrace pythonstealer bladabindi auto-sch-xml frp ddr wannacry winring0-sys vuln-driver blankgrabber susp-powershell xor-url ims-api api-base64 crypto-regex delphi reverseloader

Link:

https://app.any.run/tasks/bd9d6968-52ef-4c57-8acf-78ee90c4ef56

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/27158/

Detection(s):

PUA.Win.Adware.Popuper-6888135-0

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68c4313e6e66ba602d7af9a9

Tags:

downloader injection dropper

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Sending a custom TCP request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

lolbin obfuscated similar-threat threat update visual_basic

Link:

https://www.filescan.io/uploads/68c4319adbc6f5a29c421949/reports/c932483a-62cf-42a9-9c0d-5eb8c12902de/overview

Verdict:

Malicious

Labled as:

Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/4d3da539bfc706b98f76e9e74b428e414c708342f5faf1e9cd16bc13109b37fc

Verdict:

Unknown

File Type:

exe x32

First seen:

2025-09-12T23:59:00Z UTC

Last seen:

2025-09-12T23:59:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/4d3da539bfc706b98f76e9e74b428e414c708342f5faf1e9cd16bc13109b37fc/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/e7291a6a-dbbb-4f44-bb40-c6fc46dc7a28

Result

Threat name:

n/a

Detection:

malicious

Classification:

n/a

Score:

48 / 100

Link:

https://www.joesandbox.com/analysis/1776555

Signature

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/4d3da539bfc706b98f76e9e74b428e414c708342f5faf1e9cd16bc13109b37fc

Verdict:

inconclusive

YARA:

6 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Visual Basic Visual Basic 6 Win 32 Exe x86

Link:

https://app.malva.re/file/bb9b1bda5d8d9b50eb701e14cbc8afd2

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4d3da539bfc706b98f76e9e74b428e414c708342f5faf1e9cd16bc13109b37fc/

Threat name:

Win32.Infostealer.Tinba

Status:

Malicious

First seen:

2025-09-12 14:46:05 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 38 (47.37%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ju62kon7y4dltd3w5htuwquoifghba2c6x5pd2onc26bgee3g76a._file

Result

Malware family:

n/a

Score:

3/10

Tags:

discovery

Link:

https://tria.ge/reports/250912-r3qleayxbz/

Behaviour

Suspicious use of SetWindowsHookEx

System Location Discovery: System Language Discovery

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/66b5f955-acaf-4b77-abc3-42bcffd2ff4a

Unpacked files

SH256 hash:

4d3da539bfc706b98f76e9e74b428e414c708342f5faf1e9cd16bc13109b37fc

MD5 hash:

bb9b1bda5d8d9b50eb701e14cbc8afd2

SHA1 hash:

346654ff81b4e29e97edba4cd7c8fd140929da70

Link:

https://www.unpac.me/results/211c18bc-e7b9-4045-8e0a-fa8cb263255d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.84

Link:

https://yomi.yoroi.company/submissions/4d3da539bfc706b98f76e9e74b428e414c708342f5faf1e9cd16bc13109b37fc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	SEH__vba Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 4d3da539bfc706b98f76e9e74b428e414c708342f5faf1e9cd16bc13109b37fc

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3421183/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/27158/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample