MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5da36b89427b237eaf57d03e7f9a4bbcf3fb34f60efcca9dabf8c20bcf7633e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

WraithBot

Vendor detections: 13

Intelligence 13 IOCs YARA 11 File information Comments

SHA256 hash:	5da36b89427b237eaf57d03e7f9a4bbcf3fb34f60efcca9dabf8c20bcf7633e9
SHA3-384 hash:	5d93f9c16a955909fa50246d229e68bb9ec11428dc0a474653778f202d18ec755eeea6db94c345bdbd48f10c8c4f819d
SHA1 hash:	d7e10bfb215136a8cd094377878dc46d8ffb3cfb
MD5 hash:	625324c2823c97276438ab5373214b01
humanhash:	leopard-alpha-kansas-wolfram
File name:	file
Download:	download sample
Signature	WraithBot Create hunting rule
File size:	124'928 bytes
First seen:	2025-12-10 21:45:48 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	45b228818529b5da8b4b637c5fbddd3b (1 x WraithBot)
ssdeep	3072:wGfXVsz92MCeNWHKE6evGUneSddmegp9+f:5emeRfIPn7qHpc
TLSH	T15DC312B6591CABB4C9F1C332CDB263E8F7B13D1A3167422F57F430152CB6988696B242
TrID	63.5% (.EXE) UPX compressed Win64 Executable (70117/5/12) 24.5% (.EXE) UPX compressed Win32 Executable (27066/9/6) 4.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.8% (.ICL) Windows Icons Library (generic) (2059/9) 1.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey exe fbf543 UPX WraithBot

Bitsight

url: http://178.16.55.189/files/8262475068/uajOd6y.exe

UPX packed

This file is packed with UPX. We have therefore unpacked the file. Below is furhter information about the unpacked (de-compressed) file.

File size (compressed) :	124'928 bytes
File size (de-compressed) :	302'080 bytes
Format:	win64/pe
Unpacked file:	8bee6e2f31a9dba9d1005f17f87ecdc3d6cdf7ce1fe11d4c7db66e03ae7ee8bf

Intelligence

File Origin

# of uploads :

# of downloads :

113

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

PEPacker

Details

PEPacker

a UPX version number and an unpacked binary

Link:

https://research.acce.ciphertechsolutions.com/results/f5c60284-86c8-48f4-b748-ff194bb06acd/

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2025-12-10 21:48:14 UTC

Tags:

auto-sch auto-reg upx

Link:

https://app.any.run/tasks/cddd7da6-f722-448b-ac3f-030386d5b221

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/44239/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6939ea2abde6a3e5971005b4

Tags:

autorun dropper shell sage

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug fingerprint microsoft_visual_cc packed packed packed upx

Link:

https://www.filescan.io/uploads/6939ea2564bd958a520fe059/reports/a8a8b266-a090-4cc3-af42-be4ac9c7be80/overview

Verdict:

Malicious

Labled as:

Lazy.Generic

Link:

https://www.hybrid-analysis.com/sample/5da36b89427b237eaf57d03e7f9a4bbcf3fb34f60efcca9dabf8c20bcf7633e9

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-12-10T19:36:00Z UTC

Last seen:

2025-12-11T22:29:00Z UTC

Hits:

~10

Detections:

Trojan.Win32.Dizemp.sb Trojan.Win32.Agent.sb PDM:Trojan.Win32.Tasker.cust PDM:Trojan.Win32.Generic VHO:Trojan.Win32.Agent.gen Trojan.Win32.Tasker.bigc

Link:

https://opentip.kaspersky.com/5da36b89427b237eaf57d03e7f9a4bbcf3fb34f60efcca9dabf8c20bcf7633e9/results?tab=lookup

Gathering data

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/5da36b89427b237eaf57d03e7f9a4bbcf3fb34f60efcca9dabf8c20bcf7633e9

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/625324c2823c97276438ab5373214b01

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5da36b89427b237eaf57d03e7f9a4bbcf3fb34f60efcca9dabf8c20bcf7633e9/

Verdict:

Malicious

Threat:

Win64.Ransomware.Heuristic

Link:

https://tip.neiki.dev/file/5da36b89427b237eaf57d03e7f9a4bbcf3fb34f60efcca9dabf8c20bcf7633e9

Threat name:

Win64.Malware.Heuristic

Status:

Malicious

First seen:

2025-12-10 21:46:15 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

15 of 24 (62.50%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lwrwxckcpmrx5l2x2a7h7gslxtz7wnhwb36mvhnl7dbaxt3wgpuq._file

Result

Malware family:

n/a

Score:

9/10

Tags:

defense_evasion execution persistence privilege_escalation ransomware upx

Link:

https://tria.ge/reports/251210-1mp5dasken/

Behaviour

Modifies registry class

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

UPX packed file

Adds Run key to start application

Event Triggered Execution: Component Object Model Hijacking

Executes dropped EXE

Command and Scripting Interpreter: PowerShell

Clears Windows event logs

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/6f4133c3-e124-4909-80c6-94429f3027ca

Unpacked files

SH256 hash:

5da36b89427b237eaf57d03e7f9a4bbcf3fb34f60efcca9dabf8c20bcf7633e9

MD5 hash:

625324c2823c97276438ab5373214b01

SHA1 hash:

d7e10bfb215136a8cd094377878dc46d8ffb3cfb

Link:

https://www.unpac.me/results/ed86f410-a9f2-407d-b40b-9f5127eec6fc/

SH256 hash:

8bee6e2f31a9dba9d1005f17f87ecdc3d6cdf7ce1fe11d4c7db66e03ae7ee8bf

MD5 hash:

c27f7de4428c2e56900cf2fb0bd1c891

SHA1 hash:

94c829cdf588d1259ef551b04c409098324044d2

Detections:

INDICATOR_SUSPICIOUS_ClearWinLogs

Link:

https://www.unpac.me/results/ed86f410-a9f2-407d-b40b-9f5127eec6fc/

Parent samples :

5da36b89427b237eaf57d03e7f9a4bbcf3fb34f60efcca9dabf8c20bcf7633e9
8bee6e2f31a9dba9d1005f17f87ecdc3d6cdf7ce1fe11d4c7db66e03ae7ee8bf

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	dgaaga Create hunting rule
Author:	Harshit
Description:	Detects suspicious PowerShell or registry activity

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_SUSPICIOUS_ClearWinLogs Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing commands for clearing Windows Event Logs

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)