MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7120ab5a4aab112d643c3515fc922a254c0627e62a16fb336aa2d8f367222993. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 16


Intelligence 16 IOCs YARA 19 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7120ab5a4aab112d643c3515fc922a254c0627e62a16fb336aa2d8f367222993
SHA3-384 hash: 4e3d1126479dbc09285a8daac639d96b7cc8f111dd3ec38372cf1f9b21895014ba36c8116b6fd53a8ad88e01a2c2e93c
SHA1 hash: 2bc60a524f84940ea8a413a68617c33aed1722c2
MD5 hash: 8985cd9f9757d62feacf042c3b9eecda
humanhash: louisiana-bluebird-magazine-burger
File name:file
Download: download sample
File size:1'205'760 bytes
First seen:2025-11-03 01:07:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash eacac408b9ffd808bbf3ab4f77948252
ssdeep 24576:zofMpDDU74syHxpyKr+dsiW6HYSV31hDXkzQ:zofMBU7qKYyjW6lPhD0z
TLSH T18B454B17E36385F8C16FC178865387B2B970B8554238BD6E1E98D7212F23E605F6EB24
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:exe upx-dec


Avatar
abuse_ch
UPX decompressed file, sourced from SHA256 dcf21ec186908e594ab187d6261bc809bbf21bb34665c0b598ad58dac4163847
File size (compressed) :306'176 bytes
File size (de-compressed) :1'205'760 bytes
Format:win64/pe
Packed file: dcf21ec186908e594ab187d6261bc809bbf21bb34665c0b598ad58dac4163847

Intelligence

File Origin
# of uploads :
1
# of downloads :
127
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
_7120ab5a4aab112d643c3515fc922a254c0627e62a16fb336aa2d8f367222993.exe
Verdict:
Malicious activity
Analysis date:
2025-11-03 01:10:04 UTC
Tags:
uac auto-sch auto-reg asyncrat amsi-bypass
Link:
https://app.any.run/tasks/ad7c1351-35df-4c4a-be08-e42460309cbd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/35042/
Detection(s):
ditekSHen.MALWARE.Win.Trojan.AsyncRAT.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6908009e9942f1282ecb8ea3
Tags:
asyncrat autorun emotet ewind
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Running batch commands
Creating a service
Connection attempt
Creating a window
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Changing the Windows explorer settings to hide files extension
Disabling the operating system update service
Enabling autorun by creating a file
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm base64 cmd crypto dllhost evasive evasive eventvwr explorer fingerprint lolbin packed schtasks wmic
Link:
https://www.filescan.io/uploads/69080099a3d1631095295704/reports/47017c61-3eae-4dc4-a6b0-07fc056ab457/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/7120ab5a4aab112d643c3515fc922a254c0627e62a16fb336aa2d8f367222993
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-11-02T22:17:00Z UTC
Last seen:
2025-11-02T22:52:00Z UTC
Hits:
~10
Detections:
Trojan.Win64.Agentb.sb PDM:Trojan.Win32.Generic Trojan.Win32.Agent.sb HEUR:Trojan.PowerShell.Generic HEUR:Exploit.Win32.BypassUAC.b
Link:
https://opentip.kaspersky.com/7120ab5a4aab112d643c3515fc922a254c0627e62a16fb336aa2d8f367222993/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b357d6ea-2010-460e-9300-4b3b551dc4c5
Result
Threat name:
n/a
Detection:
malicious
Classification:
rans.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1806652
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to inject threads in other processes
Creates multiple autostart registry keys
Deletes shadow drive data (may be related to ransomware)
Disables Windows Defender (via service or powershell)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies Windows Defender protection settings
Multi AV Scanner detection for submitted file
Sigma detected: Bypass UAC via Fodhelper.exe
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Suspicious powershell command line found
UAC bypass detected (Fodhelper)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1806652 Sample: file.exe Startdate: 03/11/2025 Architecture: WINDOWS Score: 100 97 Malicious sample detected (through community Yara rule) 2->97 99 Multi AV Scanner detection for submitted file 2->99 101 Sigma detected: Powershell Defender Disable Scan Feature 2->101 103 4 other signatures 2->103 9 file.exe 3 2->9         started        12 file.exe 2->12         started        14 file.exe 2 1 2->14         started        16 9 other processes 2->16 process3 dnsIp4 119 Changes the view of files in windows explorer (hidden files and folders) 9->119 121 Creates multiple autostart registry keys 9->121 123 Deletes shadow drive data (may be related to ransomware) 9->123 133 2 other signatures 9->133 19 cmd.exe 1 9->19         started        22 cmd.exe 1 9->22         started        34 4 other processes 9->34 125 UAC bypass detected (Fodhelper) 12->125 24 fodhelper.exe 12->24         started        26 fodhelper.exe 12->26         started        28 fodhelper.exe 14->28         started        30 fodhelper.exe 14->30         started        95 127.0.0.1 unknown unknown 16->95 127 Changes security center settings (notifications, updates, antivirus, firewall) 16->127 129 Modifies Windows Defender protection settings 16->129 131 Disables Windows Defender (via service or powershell) 16->131 32 cmd.exe 16->32         started        36 7 other processes 16->36 signatures5 process6 signatures7 105 Suspicious powershell command line found 19->105 107 Modifies Windows Defender protection settings 19->107 109 Disables Windows Defender (via service or powershell) 19->109 47 2 other processes 19->47 49 2 other processes 22->49 38 file.exe 24->38         started        41 Conhost.exe 24->41         started        43 file.exe 28->43         started        51 2 other processes 32->51 53 5 other processes 34->53 45 file.exe 36->45         started        55 7 other processes 36->55 process8 signatures9 111 Deletes shadow drive data (may be related to ransomware) 38->111 113 Modifies Windows Defender protection settings 38->113 115 Disables Windows Defender (via service or powershell) 38->115 57 cmd.exe 38->57         started        60 cmd.exe 38->60         started        62 cmd.exe 38->62         started        70 3 other processes 38->70 64 cmd.exe 43->64         started        66 cmd.exe 43->66         started        68 cmd.exe 43->68         started        72 3 other processes 43->72 74 2 other processes 45->74 117 Loading BitLocker PowerShell Module 51->117 process10 signatures11 76 2 other processes 57->76 79 2 other processes 60->79 81 2 other processes 62->81 135 Suspicious powershell command line found 64->135 137 Modifies Windows Defender protection settings 64->137 139 Disables Windows Defender (via service or powershell) 64->139 83 2 other processes 64->83 85 2 other processes 66->85 87 2 other processes 68->87 89 5 other processes 70->89 91 3 other processes 72->91 93 2 other processes 74->93 process12 signatures13 141 Loading BitLocker PowerShell Module 83->141
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7120ab5a4aab112d643c3515fc922a254c0627e62a16fb336aa2d8f367222993
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/8985cd9f9757d62feacf042c3b9eecda
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7120ab5a4aab112d643c3515fc922a254c0627e62a16fb336aa2d8f367222993/
Verdict:
Malicious
Threat:
Family.ASYNCRAT
Link:
https://tip.neiki.dev/file/7120ab5a4aab112d643c3515fc922a254c0627e62a16fb336aa2d8f367222993
Threat name:
Win64.Adware.RedCap
Create hunting rule
Status:
Malicious
First seen:
2025-11-03 01:09:42 UTC
File Type:
PE+ (Exe)
AV detection:
18 of 24 (75.00%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oeqkwwskvmis2zb4guk7zerkevgamj7gfilpwm3kulmpgzzcfgjq._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion execution persistence
Link:
https://tria.ge/reports/251103-bhklnadp4z/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Launches sc.exe
Drops file in System32 directory
Adds Run key to start application
Indicator Removal: File Deletion
Disables service(s)
Command and Scripting Interpreter: PowerShell
Contains code to disable Windows Defender
Modifies visibility of file extensions in Explorer
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ef7f077f-5a03-41bb-ab7f-237940d6763b
Unpacked files
SH256 hash:
7120ab5a4aab112d643c3515fc922a254c0627e62a16fb336aa2d8f367222993
MD5 hash:
8985cd9f9757d62feacf042c3b9eecda
SHA1 hash:
2bc60a524f84940ea8a413a68617c33aed1722c2
Detections:
INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
INDICATOR_SUSPICIOUS_DisableWinDefender
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM
Create hunting rule
Link:
https://www.unpac.me/results/5780b9b8-ea90-4c99-a6b6-5e0b44e8182f/
Parent samples :
7120ab5a4aab112d643c3515fc922a254c0627e62a16fb336aa2d8f367222993
dcf21ec186908e594ab187d6261bc809bbf21bb34665c0b598ad58dac4163847
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7120ab5a4aab/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7120ab5a4aab112d643c3515fc922a254c0627e62a16fb336aa2d8f367222993

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:CMD_Shutdown
Create hunting rule
Author:adm1n_usa32
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:dgaaga
Create hunting rule
Author:Harshit
Description:Detects suspicious PowerShell or registry activity
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables containing artifacts associated with disabling Widnows Defender
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding command execution via IExecuteCommand COM object
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe dcf21ec186908e594ab187d6261bc809bbf21bb34665c0b598ad58dac4163847

Executable exe 7120ab5a4aab112d643c3515fc922a254c0627e62a16fb336aa2d8f367222993

(this sample)

  
Dropped by
SHA256 dcf21ec186908e594ab187d6261bc809bbf21bb34665c0b598ad58dac4163847
  
URLhaus
https://urlhaus.abuse.ch/url/3694508/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/35042/
  
Dropped by
MD5 b8f007cdb7c35f470ec3fb71961a9ea7

Comments