MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 965d3814638863ceca886e657ade2edc34f8edfa71b53f954ca524337fcaad3a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 965d3814638863ceca886e657ade2edc34f8edfa71b53f954ca524337fcaad3a
SHA3-384 hash: e0d748cae2932bdbb0fa8905452c666fc1572e57b66f728be3a91d997a30225eef8974a99614b2e8ee790be4c2285353
SHA1 hash: a8ae0b6249321baaa2b4a2f65364c5124f73df90
MD5 hash: 3b490cf08eb8f0f340064749d30a6bbf
humanhash: october-carbon-quebec-tennis
File name:file
Download: download sample
File size:2'348'312 bytes
First seen:2026-01-26 03:18:39 UTC
Last seen:2026-01-26 05:23:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 815e1ba56e855b07daa7197697b159cd (4 x DarkVisionRAT)
ssdeep 49152:Z10hfv3/AdD/GJBWy7tAmUe+NtxeJiym5K7/27VeS8:Z1ivY9IAmUeKto8T5K71S8
TLSH T143B5238125C65AFCE872CB3290DBD1BDF7DB2F560852495B6BA834891D77BC1842B331
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe fbf543


Avatar
Bitsight
url: http://130.12.180.43/files/5561582465/nOLxbcM.exe

Intelligence

File Origin
# of uploads :
14
# of downloads :
135
Origin country :
US US
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/30d944be-0fc2-40e7-a609-e0470e08f834/
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2026-01-26 03:21:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f3cc6e65-f177-48de-a83b-1845e782202f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/50091/
Detection(s):
SecuriteInfo.com.Win64.Evo-gen.52748844.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6976dd41bec9764f452ede8b
Tags:
injection obfusc crypt
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
invalid-signature obfuscated packed packed signed vmprotect
Link:
https://www.filescan.io/uploads/6976dd3c5db9ae477091a59b/reports/ec4a5352-4fe9-47be-b05b-0736d4f4fdd8/overview
Verdict:
Malicious
Labled as:
Win64/Packed.VMProtect
Link:
https://www.hybrid-analysis.com/sample/965d3814638863ceca886e657ade2edc34f8edfa71b53f954ca524337fcaad3a
Result
Gathering data
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/c63a938b-e9aa-40ff-a2db-ed22eedc897e
Score:
90%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/965d3814638863ceca886e657ade2edc34f8edfa71b53f954ca524337fcaad3a
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/3b490cf08eb8f0f340064749d30a6bbf
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/965d3814638863ceca886e657ade2edc34f8edfa71b53f954ca524337fcaad3a/
Verdict:
Malicious
Threat:
Trojan.Win32.Agent
Link:
https://tip.neiki.dev/file/965d3814638863ceca886e657ade2edc34f8edfa71b53f954ca524337fcaad3a
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=szotqfddrbr45suinzsxvxro3q2pr3p2og2t7fkmuusdg76kvu5a._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
bootkit defense_evasion discovery execution persistence privilege_escalation ransomware spyware stealer
Link:
https://tria.ge/reports/260126-dvdpzshv8b/
Behaviour
Modifies registry key
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy WMI provider
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Checks for VirtualBox DLLs, possible anti-VM trick
Adds Run key to start application
Checks for any installed AV software in registry
Checks installed software on the system
Enumerates connected drives
Writes to the Master Boot Record (MBR)
Deletes itself
Executes dropped EXE
Impair Defenses: Safe Mode Boot
Loads dropped DLL
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Drops file in Drivers directory
Sets service image path in registry
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
965d3814638863ceca886e657ade2edc34f8edfa71b53f954ca524337fcaad3a
MD5 hash:
3b490cf08eb8f0f340064749d30a6bbf
SHA1 hash:
a8ae0b6249321baaa2b4a2f65364c5124f73df90
Link:
https://www.unpac.me/results/cc27b6cc-e403-46a3-9fb4-aee56e5214b5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/965d3814638863ceca886e657ade2edc34f8edfa71b53f954ca524337fcaad3a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 965d3814638863ceca886e657ade2edc34f8edfa71b53f954ca524337fcaad3a

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3763959/
Cape
Cape
https://www.capesandbox.com/analysis/50091/

Comments