MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b3df1928e2ac791a66f62eb0a4e77b11e86a5600d8d3fd599eb874b3d6ba9ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 17

Intelligence 17 IOCs YARA 8 File information Comments

SHA256 hash:	5b3df1928e2ac791a66f62eb0a4e77b11e86a5600d8d3fd599eb874b3d6ba9ee
SHA3-384 hash:	b0c7d8ec1d754c04bad28c55048c2fd69774faa4119c6029225bb000f604d827bbae132a4ff95ec885a36984b847c984
SHA1 hash:	4f930782e6758c3477e54592343c43ef0f89439f
MD5 hash:	26c943fd54264ee8b33be5401374dd51
humanhash:	winter-seven-earth-pip
File name:	file
Download:	download sample
File size:	240'640 bytes
First seen:	2025-12-15 11:18:51 UTC
Last seen:	2025-12-24 22:02:31 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	b866f0f66fb97719a5d216d0ab292d76
ssdeep	3072:tTYJXvMiyst3v05Q2/NBpEPT4pC2tVTEKuak3ldXnEgl+B5X5ERtq+qjEeGUk+8R:+JXkiy2x2/hSTyC2fPJyTpg+q9kLs
Threatray	1'894 similar samples on MalwareBazaar
TLSH	T182344B1A77A550B4D8A79139CDA3964AF6F278690770A3CF036043BA6F3B7E0953D321
TrID	41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 26.1% (.EXE) Win64 Executable (generic) (10522/11/4) 12.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.1% (.ICL) Windows Icons Library (generic) (2059/9) 5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	Bitsight
Tags:	a3dacb dropped-by-amadey exe

Bitsight

url: http://62.60.226.159/defsyscn.exe

Intelligence

File Origin

# of uploads :

# of downloads :

143

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

PECrypter TinyNuke

Details

PECrypter

extracted PE file component(s) (plaintext) from the .data section

TinyNuke

an extracted component, a mutex, and an injected process name

Link:

https://research.acce.ciphertechsolutions.com/results/aba74154-30bb-4898-9e9a-e44581fe624a/

Malware family:

n/a

ID:

File name:

file.exe

Verdict:

Malicious activity

Analysis date:

2025-12-15 11:22:42 UTC

Tags:

auto-reg crypto-regex

Link:

https://app.any.run/tasks/bc37543a-87db-439b-a509-94340df44126

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/45074/

Detection(s):

Win.Trojan.Ulise-10037990-0

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=693feec4838ad7e48539a6d2

Tags:

emotet agentb

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for recently created files

Launching a process

Сreating synchronization primitives

DNS request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Enabling a "Do not show hidden files" option

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug anti-vm exploit explorer fingerprint hacktool krypt lolbin microsoft_visual_cc msiexec zusy

Link:

https://www.filescan.io/uploads/693feeb11eac7b9b76aadfbb/reports/730669b7-68d2-4a5e-bb97-3a49679107dd/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/5b3df1928e2ac791a66f62eb0a4e77b11e86a5600d8d3fd599eb874b3d6ba9ee

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-12-15T08:29:00Z UTC

Last seen:

2025-12-15T19:03:00Z UTC

Hits:

~100

Detections:

Trojan-Banker.Win32.ClipBanker.sb Backdoor.Win32.Androm Trojan-Banker.Win32.ClipBanker.sba HEUR:HackTool.Win32.Inject.heur Trojan-Dropper.Win32.Injector.sb Trojan.Win32.Agent.sb VHO:Backdoor.Win32.Androm.gen Trojan-Banker.Win32.ClipBanker.aglj Trojan.Win32.Inject.sb PDM:Trojan.Win32.Generic MEM:Trojan.Win32.Cometer.gen HEUR:Trojan-Banker.Win32.ClipBanker.gen

Link:

https://opentip.kaspersky.com/5b3df1928e2ac791a66f62eb0a4e77b11e86a5600d8d3fd599eb874b3d6ba9ee/results?tab=lookup

Malware family:

LogMeIn

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/051f67eb-49b3-4e38-a6a9-84d5c838658b

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/5b3df1928e2ac791a66f62eb0a4e77b11e86a5600d8d3fd599eb874b3d6ba9ee

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/26c943fd54264ee8b33be5401374dd51

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5b3df1928e2ac791a66f62eb0a4e77b11e86a5600d8d3fd599eb874b3d6ba9ee/

Verdict:

Malicious

Threat:

Backdoor.Win32.Injector

Link:

https://tip.neiki.dev/file/5b3df1928e2ac791a66f62eb0a4e77b11e86a5600d8d3fd599eb874b3d6ba9ee

Threat name:

Win64.Infostealer.ClipBanker

Status:

Malicious

First seen:

2025-12-15 11:19:18 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

28 of 37 (75.68%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lm67deuofldzdjtpmlvquttxwepinjlabwgt7vmz5oduwpllvhxa._file

Verdict:

malicious

Label(s):

unc_loader_074

unc_loader_073

21b3ca1c26d28630a0661f99c017a5e3fc12705f8d85dae86ab139622728251f

2771e4bb8df2b285faafe71c278f3c65ab27631e5bdeafab3b05075f74f71489

2dbee2aec305103a2ad3fbd4e56c8973e138c30b7fb349c0d6ecd38ddc421aaf

3d16e392fa1bc80d36687c28ee2a1ca81283e8c0d8da703c17fc8a8703a0e9f9

3f330238d57306a66db5b50caa1dc9513c755f6ed840f28774260624f62ea6a3

811471a5b0b641fb1f8e9e077f54f9f631022cb1f8372f2daca3323c7e7128d6

bfb6c67ed33c29f4c37e8d749b73c88ea9469e22952d75d1cc9906054ac47773

c23250e624a2b1275511311ede6b522134d18717a131f216a26a0e1a16e86cc2

error

fe25b82980f7a684dd6b56caee553e1e118d8755424d85b7cc47cd32a89adcb9

+ 1'884 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

persistence

Link:

https://tria.ge/reports/251215-nexs2avncp/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Executes dropped EXE

Verdict:

Malicious

Tags:

Win.Trojan.Ulise-10037990-0

YARA:

n/a

Link:

https://app.threat.zone/submission/d70612b2-753c-4ab3-a7bf-63c2bfc3f6c8

Unpacked files

SH256 hash:

5b3df1928e2ac791a66f62eb0a4e77b11e86a5600d8d3fd599eb874b3d6ba9ee

MD5 hash:

26c943fd54264ee8b33be5401374dd51

SHA1 hash:

4f930782e6758c3477e54592343c43ef0f89439f

Link:

https://www.unpac.me/results/da376512-58c5-41fc-b86c-9d34abfd2c21/

SH256 hash:

ae42522dfb95cd09754b65a02bea18ae9fe803b8c1bcbe9add4c454b1c01660e

MD5 hash:

84b8acacac6ed88110558e451ca535ee

SHA1 hash:

97c1c160ccc84c1a3d86bb914e39ef6eb5c9a8fc

Detections:

ReflectiveLoader

INDICATOR_SUSPICIOUS_ReflectiveLoader

Link:

https://www.unpac.me/results/da376512-58c5-41fc-b86c-9d34abfd2c21/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5b3df1928e2a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5b3df1928e2ac791a66f62eb0a4e77b11e86a5600d8d3fd599eb874b3d6ba9ee

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__RemoteAPI Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_SUSPICIOUS_References_SecTools Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many IR and analysis tools

Rule name:	INDICATOR_SUSPICIOUS_ReflectiveLoader Create hunting rule
Author:	ditekSHen
Description:	Detects Reflective DLL injection artifacts

Rule name:	ReflectiveLoader Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:	Internal Research

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 5b3df1928e2ac791a66f62eb0a4e77b11e86a5600d8d3fd599eb874b3d6ba9ee

(this sample)

Dropped by

Amadey

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3733936/

Cape

https://www.capesandbox.com/analysis/45074/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample