MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a2d9d1ad3d8a618ca7c0125a3cd8e1afe36759f9ccfb4965aa48358408e9d051. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a2d9d1ad3d8a618ca7c0125a3cd8e1afe36759f9ccfb4965aa48358408e9d051
SHA3-384 hash: 63387ed8f2f3f020fd5a9946dac15bc6d3caca5282da9ded394311dd72d965b9b1597cd80c0cb0b765942c0e7316c834
SHA1 hash: 43f29bd0e3e33a0e81166aac92bb4d80c789e580
MD5 hash: 2081c91d1bc001ffdaf1d1a83cdd72ed
humanhash: high-maryland-enemy-diet
File name:a2d9d1ad3d8a618ca7c0125a3cd8e1afe36759f9ccfb4965aa48358408e9d051
Download: download sample
File size:247'456 bytes
First seen:2026-05-01 15:50:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0bad7cadb368b06877b973d66e5fa7da
ssdeep 3072:uM6F2N2XWLPY29W8uiyF3QVyhw8A/CpFSYjgFaqmWOqCj:uM6kkmL7BP38ActgXmWYj
TLSH T17534F913F28254F9C45AE6704ADBE273FA31FC4D6234B71D9EA44B652E13F909A1E708
TrID 40.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
16.0% (.EXE) Win64 Executable (generic) (6522/11/2)
12.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.0% (.EXE) Win32 Executable (generic) (4504/4/1)
5.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter johnk3r
Tags:backdoor cloudservbr-com exe latam signed

Code Signing Certificate

Organisation:X Grup Technology Tesis Yonetim Hizmetleri Ltd. Sti.
Issuer:SSL.com EV Code Signing Intermediate CA RSA R3
Algorithm:sha256WithRSAEncryption
Valid from:2026-04-01T06:26:16Z
Valid to:2027-03-31T22:13:08Z
Serial number: 41fc5d610b8907bd08584d356598097d
Cert Graveyard Blocklist:This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 7aa4cc24bb21776fe65b19a5edd61e93a62076894b25ca07a7d51716d6b103e5
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
johnk3r
checkin:

{
"id": "",
"hostname": "***",
"username": "***",
"os": "***",
"arch": "***",
"internal_ip": "***",
"pid": ***,
"integrity": "***"
}

Intelligence

File Origin
# of uploads :
1
# of downloads :
163
Origin country :
CH CH
Vendor Threat Intelligence
Gathering data
Malware family:
n/a
ID:
1
File name:
exe
Verdict:
Malicious activity
Analysis date:
2026-05-01 15:52:08 UTC
Tags:
auto-reg
Link:
https://app.any.run/tasks/3df00841-1b18-4a67-9b1c-6335c6a2901a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/64195/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file
Launching the process to interact with network services
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a service
Launching a service
Creating a process from a recently created file
Searching for synchronization primitives
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug base64 packed signed
Link:
https://www.filescan.io/uploads/69f4cbf7792fe2d217aa4c1b/reports/dab1662e-0331-4bde-9546-727dfbc6f0e2/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/a2d9d1ad3d8a618ca7c0125a3cd8e1afe36759f9ccfb4965aa48358408e9d051
Verdict:
Clean
File Type:
exe x64
First seen:
2026-05-01T13:41:00Z UTC
Last seen:
2026-05-01T17:29:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/a2d9d1ad3d8a618ca7c0125a3cd8e1afe36759f9ccfb4965aa48358408e9d051/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/1f0696b7-cc1e-4ece-bc5a-f3c4e70e8099
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1907365
Signature
Multi AV Scanner detection for submitted file
Uses ipconfig to lookup or modify the Windows network settings
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1907365 Sample: yBk25wFqLW.exe Startdate: 01/05/2026 Architecture: WINDOWS Score: 52 68 infra-telemetry.com 2->68 72 Multi AV Scanner detection for submitted file 2->72 9 yBk25wFqLW.exe 1 14 2->9         started        13 yBk25wFqLW.exe 1 12 2->13         started        15 yBk25wFqLW.exe 12 2->15         started        17 2 other processes 2->17 signatures3 process4 dnsIp5 70 infra-telemetry.com 104.21.28.119, 443, 49724, 49725 CLOUDFLARENETUS United States 9->70 66 C:\ProgramData\WinHealthMon.exe, PE32+ 9->66 dropped 19 cmd.exe 1 9->19         started        22 cmd.exe 1 9->22         started        24 cmd.exe 13->24         started        26 cmd.exe 13->26         started        28 cmd.exe 15->28         started        30 cmd.exe 15->30         started        32 cmd.exe 17->32         started        34 cmd.exe 17->34         started        36 2 other processes 17->36 file6 process7 signatures8 74 Uses ipconfig to lookup or modify the Windows network settings 19->74 38 3 other processes 19->38 40 3 other processes 22->40 42 3 other processes 24->42 44 3 other processes 26->44 46 3 other processes 28->46 48 3 other processes 30->48 50 3 other processes 32->50 52 3 other processes 34->52 54 6 other processes 36->54 process9 process10 56 net1.exe 1 40->56         started        58 net1.exe 1 42->58         started        60 net1.exe 46->60         started        62 net1.exe 1 50->62         started        64 net1.exe 52->64         started       
Score:
79%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a2d9d1ad3d8a618ca7c0125a3cd8e1afe36759f9ccfb4965aa48358408e9d051
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a2d9d1ad3d8a618ca7c0125a3cd8e1afe36759f9ccfb4965aa48358408e9d051/
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/a2d9d1ad3d8a618ca7c0125a3cd8e1afe36759f9ccfb4965aa48358408e9d051
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ulm5dlj5rjqyzj6acjndzwhbv7rwowpzzt5usznkja2yichj2biq._file
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/260501-tamp6acz8m/
Behaviour
Gathers network information
Modifies data under HKEY_USERS
Runs net.exe
Suspicious use of WriteProcessMemory
Executes dropped EXE
Drops file in System32 directory
Adds Run key to start application
Unpacked files
SH256 hash:
a2d9d1ad3d8a618ca7c0125a3cd8e1afe36759f9ccfb4965aa48358408e9d051
MD5 hash:
2081c91d1bc001ffdaf1d1a83cdd72ed
SHA1 hash:
43f29bd0e3e33a0e81166aac92bb4d80c789e580
Link:
https://www.unpac.me/results/6e5d0c17-f031-4e14-9b59-c61f6fcb191d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.77
Link:
https://yomi.yoroi.company/submissions/a2d9d1ad3d8a618ca7c0125a3cd8e1afe36759f9ccfb4965aa48358408e9d051

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/64195/

Comments