MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1908c349133c96aaebbf1ca00f031a56823c19979b8d56d7ff615fd412eec79. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 16


Intelligence 16 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a1908c349133c96aaebbf1ca00f031a56823c19979b8d56d7ff615fd412eec79
SHA3-384 hash: e803f8d3d61d2084f9966fe3f19145ed8920a587f910784b26227fa10d7c711245ccc4de8fee306e8cb3988022903198
SHA1 hash: 140ad92f9988baa2cebc07e7b5dc822e1a16f6cb
MD5 hash: b4d2fe21a468efff2e1a41eaa3cdd50c
humanhash: mexico-florida-jig-nine
File name:file
Download: download sample
File size:91'648 bytes
First seen:2026-02-13 22:08:52 UTC
Last seen:2026-02-13 22:12:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2c5f2513605e48f2d8ea5440a870cb9e (60 x Babadeda, 6 x AveMariaRAT, 5 x CoinMiner)
ssdeep 1536:f7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfPwuOZ:T7DhdC6kzWypvaQ0FxyNTBfPe
Threatray 3'124 similar samples on MalwareBazaar
TLSH T19A936C41F3E142F7EAF2053100A6722F973663389724E8DBC75C2E529913AD5A63D3E9
TrID 36.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
19.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.4% (.EXE) Win64 Executable (generic) (10522/11/4)
7.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
5.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe fbf543


Avatar
Bitsight
url: http://130.12.180.43/files/1773787694/hXeJTcA.exe

Intelligence

File Origin
# of uploads :
12
# of downloads :
150
Origin country :
US US
Vendor Threat Intelligence
Malware configuration found for:
BatToExeConverter
Details
BatToExeConverter
an RC4 decrypted batch script or command line
Link:
https://research.acce.ciphertechsolutions.com/results/dbb00d27-e4a9-439b-814d-8317d7d38843/
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2026-02-13 22:09:54 UTC
Tags:
auto-reg powershell keylogger agenttesla pastebin evasion susp-powershell
Link:
https://app.any.run/tasks/39ac598d-b64b-4a12-883f-901393150aaa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/53309/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.34587420.17402.2208.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=698fa10e76589225f6669bc8
Tags:
vmdetect emotet
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
bat_to_exe_converter packed packed powershell purebasic
Link:
https://www.filescan.io/uploads/698fa10d981ff1d38a555d6d/reports/851ea0a2-ebbb-453c-8043-2459b7adf36f/overview
Verdict:
Malicious
Labled as:
BZC.MNT.Boxter.957
Link:
https://www.hybrid-analysis.com/sample/a1908c349133c96aaebbf1ca00f031a56823c19979b8d56d7ff615fd412eec79
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-01-31T14:22:00Z UTC
Last seen:
2026-02-01T01:27:00Z UTC
Hits:
~10
Detections:
PDM:Trojan.Win32.Generic Trojan-Downloader.Win32.Paph.peb
Link:
https://opentip.kaspersky.com/a1908c349133c96aaebbf1ca00f031a56823c19979b8d56d7ff615fd412eec79/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f7274acf-7195-445f-9c82-41f6b6e023a5
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a1908c349133c96aaebbf1ca00f031a56823c19979b8d56d7ff615fd412eec79
Verdict:
inconclusive
YARA:
3 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/b4d2fe21a468efff2e1a41eaa3cdd50c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a1908c349133c96aaebbf1ca00f031a56823c19979b8d56d7ff615fd412eec79/
Verdict:
Malicious
Threat:
Family.AGENTTESLA
Link:
https://tip.neiki.dev/file/a1908c349133c96aaebbf1ca00f031a56823c19979b8d56d7ff615fd412eec79
Threat name:
Win32.Trojan.Boxter
Create hunting rule
Status:
Malicious
First seen:
2026-01-31 19:46:06 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
19 of 36 (52.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ugiiynergpewvlv36hfab4bruvuchqmzpg4nk3l76yk72qjo5r4q._file
Verdict:
malicious
Label(s):
unc_loader_048
Create hunting rule
Similar samples:
02414d1572729bf910a4d7c45a0d391bf0559f68d4cbafd8cb5c070cd1d21b4b
15dab1b74bd82eb2598a93a32443678b6cc668637e593d46507f003680ef12dc
2556634f5839fec791d514bc5a754fe6ec5de33d74e3c9ef8dfbe645acfdb8f1
54377c4b80cf5ba0fec73f37bd9e0179e0a3b6de2fd4d97090a8dc5cff87349f
57ba846df06131c313eb2414e921e28b812e385f706bea77b73d86261daa06a8
690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408
78cc8f73f5e693f5f2d353df6fd6bc07ebad66d8c40616aa23c7b594161a2807
e18302f0ee0e1e3a293697c37418902fa9a2127465dbd047fcc58c3f2b64dfab
error
+ 3'114 additional samples on MalwareBazaar
Result
Malware family:
xorium_stealer
Create hunting rule
Score:
  10/10
Tags:
family:donutloader family:quasar family:xorium_stealer collection discovery execution loader persistence privilege_escalation spyware stealer trojan
Link:
https://tria.ge/reports/260213-12w68sht4g/
Behaviour
Checks processor information in registry
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Browser Information Discovery
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Contacts third-party web service commonly abused for C2
Looks up external IP address via web service
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Detects DonutLoader
Detects XoriumStealer payload
DonutLoader
Donutloader family
Quasar RAT
Quasar family
Quasar payload
XoriumStealer
Xorium_stealer family
Unpacked files
SH256 hash:
a1908c349133c96aaebbf1ca00f031a56823c19979b8d56d7ff615fd412eec79
MD5 hash:
b4d2fe21a468efff2e1a41eaa3cdd50c
SHA1 hash:
140ad92f9988baa2cebc07e7b5dc822e1a16f6cb
Link:
https://www.unpac.me/results/fc0e9c85-2ce7-4d99-a022-71d9b3e9d3b2/
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a1908c349133/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a1908c349133c96aaebbf1ca00f031a56823c19979b8d56d7ff615fd412eec79

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:PureBasic4xNeilHodgson
Create hunting rule
Author:malware-lu
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SUSP_Imphash_Mar23_3
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe a1908c349133c96aaebbf1ca00f031a56823c19979b8d56d7ff615fd412eec79

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3777454/
Cape
Cape
https://www.capesandbox.com/analysis/53309/

Comments