MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d75990a9778bbc14336bdc44d1fce0b597e14adc45d36d8a811af0b1422f85c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 15

Intelligence 15 IOCs YARA 10 File information Comments

SHA256 hash:	9d75990a9778bbc14336bdc44d1fce0b597e14adc45d36d8a811af0b1422f85c
SHA3-384 hash:	0961a7c5f47e621744907b49a0b6214438c6d73fa9afbd510d21475ac2b4b5a23b9b7d5b03d2f6ed681cf9ac4d72e024
SHA1 hash:	7b5b320df8fff2bdf10ba559031efea73f4f2780
MD5 hash:	c5bc5fa58158ab6a88713667e5093c40
humanhash:	video-nine-utah-mobile
File name:	3.exe
Download:	download sample
File size:	258'048 bytes
First seen:	2025-10-16 07:16:03 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	93dcf3791c350e09006a5c488967d12f
ssdeep	3072:EX33J0UGu+FdwT9x+rwoTPpJzel7zEnGYa7skBCDiunxT+ckBc3oAQpGN+es0YK9:oJzpTarV62G3tWxT4BjlGNmczd
Threatray	28 similar samples on MalwareBazaar
TLSH	T15D44175A72A800B5E87BD13CC993560BF6B2785547B053CF13A843BA5F2B7E0963D362
TrID	41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 26.1% (.EXE) Win64 Executable (generic) (10522/11/4) 12.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.1% (.ICL) Windows Icons Library (generic) (2059/9) 5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

j.exe

Verdict:

Malicious activity

Analysis date:

2025-10-15 22:37:38 UTC

Tags:

crypto-regex

Link:

https://app.any.run/tasks/9d80e1c4-9928-439a-a471-0b6df21664ea

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/33017/

Detection(s):

Win.Trojan.Ulise-10037990-0

Win.Malware.Ulise-10040718-0

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68f09be697a16d00a8da76bd

Tags:

ransomware injection dropper emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for recently created files

Launching a process

Сreating synchronization primitives

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug anti-vm exploit explorer hacktool lolbin microsoft_visual_cc msiexec obfuscated threat

Link:

https://www.filescan.io/uploads/68f09c51cd7e15f338cad173/reports/99c08cb9-e5d4-4060-8556-39685e089b56/overview

Verdict:

Malicious

Labled as:

Tedy.Generic

Link:

https://www.hybrid-analysis.com/sample/9d75990a9778bbc14336bdc44d1fce0b597e14adc45d36d8a811af0b1422f85c

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-10-15T20:41:00Z UTC

Last seen:

2025-10-16T07:22:00Z UTC

Hits:

~10

Detections:

Backdoor.Win32.Androm Trojan.Win32.Agent.sb Trojan-Banker.Win32.Express.sb Trojan-Banker.Win32.ClipBanker.afeh Trojan.Win32.Inject.sb PDM:Trojan.Win32.Generic MEM:Trojan.Win32.Cometer.gen HEUR:HackTool.Win32.Inject.heur Trojan-Dropper.Win32.Injector.sb Trojan-Banker.Win32.ClipBanker.sb

Link:

https://opentip.kaspersky.com/9d75990a9778bbc14336bdc44d1fce0b597e14adc45d36d8a811af0b1422f85c/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/2d5f604d-ea81-4f42-8c60-4aa339c98f99

Result

Threat name:

Clipboard Hijacker, MicroClip

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1796309

Signature

Allocates memory in foreign processes

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Found direct / indirect Syscall (likely to bypass EDR)

Found evasive API chain (may stop execution after checking mutex)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected Clipboard Hijacker

Yara detected MicroClip

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/9d75990a9778bbc14336bdc44d1fce0b597e14adc45d36d8a811af0b1422f85c

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

Executable Html PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/c5bc5fa58158ab6a88713667e5093c40

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9d75990a9778bbc14336bdc44d1fce0b597e14adc45d36d8a811af0b1422f85c/

Verdict:

Malicious

Threat:

Trojan-Banker.Win32.ClipBanker

Link:

https://tip.neiki.dev/file/9d75990a9778bbc14336bdc44d1fce0b597e14adc45d36d8a811af0b1422f85c

Threat name:

Win64.Trojan.TinbaInfostealer

Status:

Malicious

First seen:

2025-10-16 07:21:30 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tv2zscuxpc54cqzwxxce2h6obnmx4ffnyrotnwficgxqwfbc7boa._file

Verdict:

malicious

Label(s):

unc_loader_074

60e51b2abcd368df31c8cf584c2baa059b1c6f675d07f34ba197c598a21a3d3a

81763f0cba84e2002b64dcc07669fe331d26cd74afc4a09adadb93fc27ad9659

9764339a29c943e8b2bd9dc4ada6fd00ecff3768580d5a1610c5333e94c8d306

9d75990a9778bbc14336bdc44d1fce0b597e14adc45d36d8a811af0b1422f85c

d253e526af4769fb171c7893a2d129794e6cbddbdc1c09d3186fbbd6a6c01843

error

+ 18 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

persistence

Link:

https://tria.ge/reports/251016-h458tatpx2/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Executes dropped EXE

Verdict:

Unknown

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/82593040-8280-46f4-9c8e-234bf0605ce3

Unpacked files

SH256 hash:

9d75990a9778bbc14336bdc44d1fce0b597e14adc45d36d8a811af0b1422f85c

MD5 hash:

c5bc5fa58158ab6a88713667e5093c40

SHA1 hash:

7b5b320df8fff2bdf10ba559031efea73f4f2780

Link:

https://www.unpac.me/results/c3b09d15-d2e1-4a8e-b0a6-b7f8f2f9fe3a/

SH256 hash:

f31fdd6386f4eef4f8db7fcb02c01104e695b03150beb1d0566ef6892b185de7

MD5 hash:

42dfd5e2478d7fc7d9e478a53ab28dcc

SHA1 hash:

beafef996146a26a411f2470b02e243e87155caa

Detections:

ReflectiveLoader

INDICATOR_SUSPICIOUS_ReflectiveLoader

Link:

https://www.unpac.me/results/c3b09d15-d2e1-4a8e-b0a6-b7f8f2f9fe3a/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9d75990a9778/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9d75990a9778bbc14336bdc44d1fce0b597e14adc45d36d8a811af0b1422f85c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__RemoteAPI Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_SUSPICIOUS_References_SecTools Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many IR and analysis tools

Rule name:	INDICATOR_SUSPICIOUS_ReflectiveLoader Create hunting rule
Author:	ditekSHen
Description:	Detects Reflective DLL injection artifacts

Rule name:	ReflectiveLoader Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:	Internal Research

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	yara_template Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 9d75990a9778bbc14336bdc44d1fce0b597e14adc45d36d8a811af0b1422f85c

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3600163/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/33017/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample