MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 597a2325cfa5b87fd777907c7459dca2bbc1cbb5ccccd718287d6a1082447c7f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 597a2325cfa5b87fd777907c7459dca2bbc1cbb5ccccd718287d6a1082447c7f
SHA3-384 hash: 92ac79aa454d2e87b77d367a65e2cdd10be985f5ed464c71782a3bfd8c132b07daf436d43b5d97e2318894ef23208a9b
SHA1 hash: b37ed924a2c227057db3684a92eaddb9cc169fa9
MD5 hash: 161a85ea4cbf5b9ee2a489f8d90bba14
humanhash: mexico-carbon-snake-vegan
File name:597a2325cfa5b87fd777907c7459dca2bbc1cbb5ccccd718287d6a1082447c7f
Download: download sample
File size:8'355'840 bytes
First seen:2025-06-06 13:24:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 196608:91PvxpAIl0kn+v9s4EFdFXLVC5OI52KMZwfZPNVePHay:9lvfpl0kI9s4EFrX5WK3wfVPePay
TLSH T1DC861A17FA8A48A3C984337FC5BB490A33A6D681E323D35B3599B31A5C42B7D5B446C3
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter adrian__luca
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
367
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
597a2325cfa5b87fd777907c7459dca2bbc1cbb5ccccd718287d6a1082447c7f
Verdict:
Malicious activity
Analysis date:
2025-06-06 14:02:57 UTC
Tags:
purecrypter netreactor
Link:
https://app.any.run/tasks/063ecbbb-73ad-40d6-90d3-3f742ea4ff32

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/7729/
Detection(s):
SecuriteInfo.com.Trojan.DownLoaderNET.1170.15591.15473.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6842ef5e8bd5d68a12e5f234
Tags:
virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Сreating synchronization primitives
Connection attempt to an infection source
Unauthorized injection to a system process
Verdict:
Malicious
Labled as:
Trojan.Mardom.MN.Generic
Link:
https://www.hybrid-analysis.com/sample/597a2325cfa5b87fd777907c7459dca2bbc1cbb5ccccd718287d6a1082447c7f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1eb29879-4238-4f3e-aa28-3fe285a64be8
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1708240
Signature
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses threadpools to delay analysis
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/597a2325cfa5b87fd777907c7459dca2bbc1cbb5ccccd718287d6a1082447c7f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/597a2325cfa5b87fd777907c7459dca2bbc1cbb5ccccd718287d6a1082447c7f/
Threat name:
Win32.Trojan.Mardom
Create hunting rule
Status:
Malicious
First seen:
2025-05-20 17:05:21 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lf5cgjopuw4h7v3xsb6hiwo4uk54ds5vztgnogbipvvbbasepr7q._file
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/250606-qn2vfsvl15/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c840dde8-0fb1-49ae-97ac-c8d9fabf7369
Unpacked files
SH256 hash:
d7e721419a0a40e47440435c2735dba80eda3db76929404ab3b135a2b885a163
MD5 hash:
c2b0853f811e8d5174889b03239e3fca
SHA1 hash:
2064708d38ba8aea7cd28d4db4bc331cb79c6ffa
Link:
https://www.unpac.me/results/39b71297-fc33-4b61-ba22-281713402b26/
SH256 hash:
aed7663641ea21eae2db3dba4a50ce21b2a86e4e778ae67242c92dcb2c2bb7d6
MD5 hash:
beb6d54726b7346c7901e7a3e8da5cd3
SHA1 hash:
264a87e26b10c6f9b98e2a7ede4ca6d1aec96cd5
Link:
https://www.unpac.me/results/39b71297-fc33-4b61-ba22-281713402b26/
SH256 hash:
19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash:
4e29f75c0c51b9dec76955f0382d9541
SHA1 hash:
4899aa8e3f57339cbaec8faab777897a76fe1c3a
Link:
https://www.unpac.me/results/39b71297-fc33-4b61-ba22-281713402b26/
SH256 hash:
250525447ed401249b2283274f7b932e48f7cebaca58b0ab2f78cd1f903a65ef
MD5 hash:
d1abb06a606e575a4290e746192aa093
SHA1 hash:
8bf7575a4f7875dd67cf4b27cdfdfc115f707f6d
Link:
https://www.unpac.me/results/39b71297-fc33-4b61-ba22-281713402b26/
SH256 hash:
793206807676e737b1d28319d9de71f919afccb5c1cb41ea2346b9a878f4b7e5
MD5 hash:
878d1cc2d67eb03613511b05391c8226
SHA1 hash:
fbaeee70f8beede6c32899b55932c9d0d258eefe
Link:
https://www.unpac.me/results/39b71297-fc33-4b61-ba22-281713402b26/
SH256 hash:
597a2325cfa5b87fd777907c7459dca2bbc1cbb5ccccd718287d6a1082447c7f
MD5 hash:
161a85ea4cbf5b9ee2a489f8d90bba14
SHA1 hash:
b37ed924a2c227057db3684a92eaddb9cc169fa9
Link:
https://www.unpac.me/results/39b71297-fc33-4b61-ba22-281713402b26/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/597a2325cfa5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/597a2325cfa5b87fd777907c7459dca2bbc1cbb5ccccd718287d6a1082447c7f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/7729/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments