MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9dd5df725cde4f6913c4e895e068c4b4063d5eec26369fe44eba2809928a043e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9dd5df725cde4f6913c4e895e068c4b4063d5eec26369fe44eba2809928a043e
SHA3-384 hash: 7bafe1d94692f28e35c17374f12af2b91deb27136d6e10e5853037d43164e1fddafeb7d001b00a45100b8f30d52ca014
SHA1 hash: 5f2331efcd71c2433dcc9f0bc245cb27f2b32532
MD5 hash: 61a2a3238b47f3956009e120555319d3
humanhash: failed-gee-twelve-winter
File name:windows.bat
Download: download sample
File size:512 bytes
First seen:2025-10-28 07:21:42 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 6:hzLYVJhZiOrtovqLVLEVbADOrtovqLVLE4A7aHbOVomxRKVHAbKo0tVk30SAGGdt:5YVJhZnBLBiLBLB7OaVHAbr4OVlCk6Pp
Threatray 54 similar samples on MalwareBazaar
TLSH T183F09ECD0C324EBD0FC9CD73F5546186B40AA0CCCAA1A5D41B9125DD8D880D836EBF93
Magika batch
Reporter abuse_ch
Tags:bat

Intelligence

File Origin
# of uploads :
1
# of downloads :
40
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
windows.bat
Verdict:
Malicious activity
Analysis date:
2025-10-28 08:07:28 UTC
Tags:
payload loader golang
Link:
https://app.any.run/tasks/73866dde-d0b4-40a8-af19-39aeabe3ed86

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/34422/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69006f315c3edf10df531ae3
Tags:
rozena emotet
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file
Running batch commands
Launching a process
Creating a window
Connection attempt
Sending an HTTP GET request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
certutil cmd findstr lolbin opendir opendir wmic
Link:
https://www.filescan.io/uploads/69007108c85c5c5697387ca3/reports/258b8194-68da-4e21-990f-18110dafde90/overview
Verdict:
Malicious
Labled as:
TrojanDownloader/BAT.Small
Link:
https://www.hybrid-analysis.com/sample/9dd5df725cde4f6913c4e895e068c4b4063d5eec26369fe44eba2809928a043e
Verdict:
Malicious
File Type:
unix shell
First seen:
2025-10-28T04:23:00Z UTC
Last seen:
2025-10-28T05:04:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/9dd5df725cde4f6913c4e895e068c4b4063d5eec26369fe44eba2809928a043e/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1802998
Signature
Drops PE files to the user root directory
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Execution from Suspicious Folder
Sigma detected: Legitimate Application Dropped Executable
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
System process connects to network (likely due to code injection or exploit)
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1802998 Sample: windows.bat Startdate: 28/10/2025 Architecture: WINDOWS Score: 92 32 Multi AV Scanner detection for dropped file 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 Uses known network protocols on non-standard ports 2->36 38 5 other signatures 2->38 7 cmd.exe 1 2->7         started        process3 process4 9 certutil.exe 3 17 7->9         started        14 bd2b8b2btcp.exe 7->14         started        16 cmd.exe 1 7->16         started        18 conhost.exe 7->18         started        dnsIp5 30 107.173.101.114, 10000, 49682, 49683 AS-COLOCROSSINGUS United States 9->30 24 C:\Users\user\...\windows_amd64[1].exe, PE32+ 9->24 dropped 26 C:\Users\...\F85B9BD446CA16B18B97F314486154E2, PE32+ 9->26 dropped 28 C:\Users\Public\bd2b8b2btcp.exe, PE32+ 9->28 dropped 40 System process connects to network (likely due to code injection or exploit) 9->40 42 Drops PE files to the user root directory 9->42 44 Multi AV Scanner detection for dropped file 14->44 20 WMIC.exe 1 16->20         started        22 findstr.exe 1 16->22         started        file6 signatures7 process8
Score:
7%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/9dd5df725cde4f6913c4e895e068c4b4063d5eec26369fe44eba2809928a043e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9dd5df725cde4f6913c4e895e068c4b4063d5eec26369fe44eba2809928a043e/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=txk564s43zhwse6e5ck6a2gewqdd2xxmey3j7zcoxiuateukaq7a._file
Verdict:
malicious
Label(s):
vshell
Create hunting rule
darkbit
Create hunting rule
Similar samples:
46b46ecf6987b3db9c3c66eb90b09580c1ec6e8094dc5a0531fa63313c5e4d43
49a2f1d116da65457939ac73e11c1c70c2ff8254ebd106862c2fd9e5fc2b7dd5
5aaf1bad66c12e29fd6c096f82876d8f13f585eb8cdd1c6667f99eac630e031e
a1946fb8c1ebfdc5abc4f50289a6bc36a6b52a49034919086cbb381da963e542
a556e00a045dc49e98b2ededf7fe224c3416d80dc005855edb6b6db2657d8a27
ce0687a3078756b837540ad76edc2dced4711146a67556822b6cefd61c07b06e
e96b1979a0e64f67d1071a97c4c6f4f7c97f192c821e46e9ae8e3aa8d48d87d8
eea66ef9539a0ca022156e3f798a99de3fdc7dd2782adc1551c2639a3784cf42
error
+ 44 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/251028-jbe2lavqfy/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Executes dropped EXE
Downloads MZ/PE file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9dd5df725cde4f6913c4e895e068c4b4063d5eec26369fe44eba2809928a043e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Batch (bat) bat 9dd5df725cde4f6913c4e895e068c4b4063d5eec26369fe44eba2809928a043e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3683250/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/34422/

Comments