MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 569abed215074edb9ba9b451f7834c27eb905c04e15941b2dd3a03bcef70e89d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 569abed215074edb9ba9b451f7834c27eb905c04e15941b2dd3a03bcef70e89d
SHA3-384 hash: e2fe0aa004bad6aeb1627a20de398752b9246e54342aa3d7577d0661aee987461997ec97cbedd6e655c27e2a15156e42
SHA1 hash: 881aad2c5e145aaf866f234624d06add8788fe85
MD5 hash: b1863c513358f81d1de180a26c568b21
humanhash: coffee-six-item-potato
File name:569abed215074edb9ba9b451f7834c27eb905c04e15941b2dd3a03bcef70e89d.bat
Download: download sample
File size:6'254'209 bytes
First seen:2025-02-26 12:36:37 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 49152:Wdl/J8LZIsKy3rvpVIJv2LsaVuMBWTW446WLLHTx14bYpHYTdaNPIDru4QC8E/L:+
Threatray 17 similar samples on MalwareBazaar
TLSH T18C562362A9D65DFF0D18527CF4A7162C6F0C1FA0402ED4F787A4338BA75F99A315B822
Magika batch
Reporter JAMESWT_WT
Tags:195-211-190-61 bat

Intelligence

File Origin
# of uploads :
1
# of downloads :
44
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
aa.bat
Verdict:
Malicious activity
Analysis date:
2025-02-26 00:13:45 UTC
Tags:
omani rat
Link:
https://app.any.run/tasks/e5f579ed-e03c-4dac-ba38-f1ac6eac039c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67be5cb8a0fd713c335cd526
Tags:
obfuscate vmdetect shell sage
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/67bf0b016222db7f23dc4631/reports/51a421fd-0b26-4538-be65-1e8d30c40649/overview
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/569abed215074edb9ba9b451f7834c27eb905c04e15941b2dd3a03bcef70e89d
Result
Verdict:
SUSPICIOUS
Details
Hidden Powershell
Detected a pivot to Powershell that utilizes commonly nefarious attributes such as '-windowstyle hidden'.
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1624699
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Found large BAT file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Searches for specific processes (likely to inject)
Suspicious powershell command line found
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1624699 Sample: oZ6IXNH7pm.bat Startdate: 26/02/2025 Architecture: WINDOWS Score: 100 47 Malicious sample detected (through community Yara rule) 2->47 49 Found large BAT file 2->49 51 Joe Sandbox ML detected suspicious sample 2->51 10 cmd.exe 1 2->10         started        process3 signatures4 65 Suspicious powershell command line found 10->65 13 powershell.exe 12 10->13         started        16 conhost.exe 10->16         started        process5 signatures6 67 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 13->67 18 cmd.exe 1 13->18         started        process7 signatures8 53 Suspicious powershell command line found 18->53 21 powershell.exe 17 29 18->21         started        25 powershell.exe 15 18->25         started        27 more.com 1 18->27         started        29 2 other processes 18->29 process9 dnsIp10 45 195.211.190.61, 1001, 49911, 49937 PITLINE-ASUA Ukraine 21->45 57 Deletes itself after installation 21->57 59 Writes to foreign memory regions 21->59 61 Modifies the context of a thread in another process (thread injection) 21->61 63 4 other signatures 21->63 31 winlogon.exe 21->31 injected 34 findstr.exe 1 25->34         started        signatures11 process12 signatures13 69 Injects code into the Windows Explorer (explorer.exe) 31->69 71 Writes to foreign memory regions 31->71 73 Allocates memory in foreign processes 31->73 75 3 other signatures 31->75 36 lsass.exe 31->36 injected 39 dwm.exe 31->39 injected 41 svchost.exe 31->41 injected 43 27 other processes 31->43 process14 signatures15 55 Writes to foreign memory regions 36->55
Score:
99%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/569abed215074edb9ba9b451f7834c27eb905c04e15941b2dd3a03bcef70e89d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/569abed215074edb9ba9b451f7834c27eb905c04e15941b2dd3a03bcef70e89d/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-02-25 21:35:31 UTC
File Type:
Text
AV detection:
7 of 24 (29.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k2nl5uqva5hnxg5jwri7pa2me7vzaxae4fmudmw5hib3z33q5coq._file
Verdict:
malicious
Label(s):
r77
Create hunting rule
Similar samples:
0999322e8a2a984b5400544b31a91ae8dd49b362a2517fe497a8e1455de07d8f
33aac84b649e5475245a4f58fd01eba93596780e78a5577ff951de815fee696e
39fa01d351c5cdb6de9c4155f0c7d4241578ea02e5fc735c19faae312487dc20
5ed218ab665b3546f1ccf5e2e15e01e8078929f83f7c33f6114c222cc1493d40
c45628b9f65c92571bcd7f3b3799ae4215a006b5893d4879a279676007f9f141
d829b8ffdb11832632e9799419d78b649481d7b9b261ec587c6fc0fc20a76eee
d92fd1f359ea6cee13109181468106e381b66479c650dafcce8e3bde4e109e6c
ded12aa1047596d73fd663a8d297bdc36a70e56174e62eeaad3fad48f611890c
e12902c413b76be7f75f527a84c41823e4b96417495c264dc09e77761a105931
error
fca0a09f36e3113cb76d31db06e30dc531a59556e237965ed0a7ebf33ffce11f
+ 7 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/250226-pt4essztet/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/569abed215074edb9ba9b451f7834c27eb905c04e15941b2dd3a03bcef70e89d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments