MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81a06228b93832fd6f17240410a6038dbafb50817da6840611660d288fb45a10. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	81a06228b93832fd6f17240410a6038dbafb50817da6840611660d288fb45a10
SHA3-384 hash:	5a6fd7f0866d661859aeb6a976cb9235e32dd3592c3047d398c5699fc641a787c3cf9a943c95eb78a9b713f4d34ecbcb
SHA1 hash:	95fd4a1310b85c5d587dc5f6a67b31c6f3409d11
MD5 hash:	5f055852f9c21b1be1b94969828d7dde
humanhash:	charlie-hydrogen-sixteen-cat
File name:	TXbvlYUu6Lo4iPkd.exe
Download:	download sample
File size:	10'157'584 bytes
First seen:	2025-12-24 16:25:49 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	cbe752bbc801c29abce7f33b556a8699
ssdeep	196608:gYVmDcHT4QOkgPi1jpqUdaVdhhu2/MidH2QszNigyI/hxxAvNasN7lPMEijcT:gYVm3QO3kdBcHuAPdH2Qs4Y/ZA1tvMEJ
TLSH	T181A612AD86A4D953F3D40734E894FB794B387E3C6F9B4512B8BB38CD7A34B589809211
TrID	45.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.3% (.EXE) OS/2 Executable (generic) (2029/13) 18.0% (.EXE) Generic Win/DOS Executable (2002/3) 18.0% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	burger
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

106

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

TXbvlYUu6Lo4iPkd.exe

Verdict:

No threats detected

Analysis date:

2025-12-24 16:14:51 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a371ebdd-2b9a-4a88-9484-8981a136a842

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/45985/

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=694c117d038f10550b555546

Tags:

packed remo

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

crypto microsoft_visual_cc obfuscated packed packed themidawinlicense

Link:

https://www.filescan.io/uploads/694c1425e126b9ff43901f52/reports/80b1fe2d-c57b-4f5f-923c-f241b114ecae/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/81a06228b93832fd6f17240410a6038dbafb50817da6840611660d288fb45a10

Result

Gathering data

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-12-24T02:26:00Z UTC

Last seen:

2025-12-24T09:19:00Z UTC

Hits:

~100

Detections:

Trojan.Win32.Agent.xcbqhy Trojan.Win32.Agent.sb

Link:

https://opentip.kaspersky.com/81a06228b93832fd6f17240410a6038dbafb50817da6840611660d288fb45a10/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/ad74ddce-2dde-4aa8-a39f-02ba1352be28

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1838969

Signature

Found direct / indirect Syscall (likely to bypass EDR)

Hides threads from debuggers

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/81a06228b93832fd6f17240410a6038dbafb50817da6840611660d288fb45a10

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/5f055852f9c21b1be1b94969828d7dde

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/81a06228b93832fd6f17240410a6038dbafb50817da6840611660d288fb45a10/

Verdict:

Malicious

Threat:

Trojan.Win32.Agent

Link:

https://tip.neiki.dev/file/81a06228b93832fd6f17240410a6038dbafb50817da6840611660d288fb45a10

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qgqgekfzhazp23yxeqcbbjqdrw5pwuebpwtiibqrmygsrd5uliia._file

Gathering data

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/d2f654a8-89ff-40a8-a2dd-ec896ad380da

Unpacked files

SH256 hash:

81a06228b93832fd6f17240410a6038dbafb50817da6840611660d288fb45a10

MD5 hash:

5f055852f9c21b1be1b94969828d7dde

SHA1 hash:

95fd4a1310b85c5d587dc5f6a67b31c6f3409d11

Link:

https://www.unpac.me/results/015380dd-833a-4d00-a73d-1492fc064543/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_EXE_Packed_Themida Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Themida

Rule name:	pe_detect_tls_callbacks Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/45985/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample