MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a556e00a045dc49e98b2ededf7fe224c3416d80dc005855edb6b6db2657d8a27. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a556e00a045dc49e98b2ededf7fe224c3416d80dc005855edb6b6db2657d8a27
SHA3-384 hash: 3b3470e3c7b379c6020b443a730bbc826780b71d365cfe9f6161749613987c898541aca64b93bac0c58ff3c05c4f1ea4
SHA1 hash: 2a4d83ad5e7a56fda243531128f5bffd3cc4c8ce
MD5 hash: ad5d7c0072f91f01a2bb64b1485b4b33
humanhash: bravo-fourteen-utah-ten
File name:windows.bat
Download: download sample
File size:512 bytes
First seen:2025-10-22 12:49:03 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 12:5YVJhZnBLBiLBLB7r40aVHAbr4OVlCk6Pp:gVcF5r4TlAHZ/ip
Threatray 50 similar samples on MalwareBazaar
TLSH T173F09ECD48324EBD0FC9C873F5546186B00AA0CCCAA2A5D51B9225DD4D580D836EBB92
Magika batch
Reporter abuse_ch
Tags:bat

Intelligence

File Origin
# of uploads :
1
# of downloads :
41
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
windows.bat
Verdict:
Malicious activity
Analysis date:
2025-10-22 12:52:19 UTC
Tags:
payload loader golang
Link:
https://app.any.run/tasks/7d51fea0-5561-481c-958b-30305050492a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/33750/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68f8d333ad6ce0f5ad40a709
Tags:
rozena emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Running batch commands
Launching a process
Creating a window
Connection attempt
Sending an HTTP GET request
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
certutil cmd findstr lolbin opendir opendir wmic
Link:
https://www.filescan.io/uploads/68f8d37bfd2d7e012f4c6a73/reports/356ddc45-d882-4508-831f-a1193b16836b/overview
Verdict:
Malicious
Labled as:
TrojanDownloader/BAT.Small
Link:
https://www.hybrid-analysis.com/sample/a556e00a045dc49e98b2ededf7fe224c3416d80dc005855edb6b6db2657d8a27
Verdict:
Malicious
File Type:
unix shell
First seen:
2025-10-21T17:31:00Z UTC
Last seen:
2025-10-22T11:24:00Z UTC
Hits:
~10
Detections:
Trojan-Downloader.Agent.HTTP.C&C PDM:Trojan.Win32.Generic HEUR:Trojan.BAT.Alien.gen Trojan.VBS.Runner.sb
Link:
https://opentip.kaspersky.com/a556e00a045dc49e98b2ededf7fe224c3416d80dc005855edb6b6db2657d8a27/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1799816
Signature
Drops PE files to the user root directory
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Execution from Suspicious Folder
Sigma detected: Legitimate Application Dropped Executable
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
System process connects to network (likely due to code injection or exploit)
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1799816 Sample: windows.bat Startdate: 22/10/2025 Architecture: WINDOWS Score: 92 32 Multi AV Scanner detection for dropped file 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 Uses known network protocols on non-standard ports 2->36 38 5 other signatures 2->38 7 cmd.exe 1 2->7         started        process3 process4 9 certutil.exe 3 17 7->9         started        14 69181921tcp.exe 7->14         started        16 cmd.exe 1 7->16         started        18 conhost.exe 7->18         started        dnsIp5 30 107.173.101.114, 10000, 49690, 49691 AS-COLOCROSSINGUS United States 9->30 24 C:\Users\user\...\windows_amd64[1].exe, PE32+ 9->24 dropped 26 C:\Users\...\F85B9BD446CA16B18B97F314486154E2, PE32+ 9->26 dropped 28 C:\Users\Public\69181921tcp.exe, PE32+ 9->28 dropped 40 System process connects to network (likely due to code injection or exploit) 9->40 42 Drops PE files to the user root directory 9->42 44 Multi AV Scanner detection for dropped file 14->44 20 WMIC.exe 1 16->20         started        22 findstr.exe 1 16->22         started        file6 signatures7 process8
Score:
8%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/a556e00a045dc49e98b2ededf7fe224c3416d80dc005855edb6b6db2657d8a27
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a556e00a045dc49e98b2ededf7fe224c3416d80dc005855edb6b6db2657d8a27/
Verdict:
Malicious
Threat:
Trojan.VBS.Runner
Link:
https://tip.neiki.dev/file/a556e00a045dc49e98b2ededf7fe224c3416d80dc005855edb6b6db2657d8a27
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-10-22 12:52:45 UTC
File Type:
Text (Batch)
AV detection:
4 of 24 (16.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uvloacqelxcj5gfs5xw7p7rcjq2bnwanyacykxw3nnw3ezl5ritq._file
Verdict:
malicious
Label(s):
vshell
Create hunting rule
darkbit
Create hunting rule
Similar samples:
46b46ecf6987b3db9c3c66eb90b09580c1ec6e8094dc5a0531fa63313c5e4d43
49a2f1d116da65457939ac73e11c1c70c2ff8254ebd106862c2fd9e5fc2b7dd5
5aaf1bad66c12e29fd6c096f82876d8f13f585eb8cdd1c6667f99eac630e031e
a556e00a045dc49e98b2ededf7fe224c3416d80dc005855edb6b6db2657d8a27
ce0687a3078756b837540ad76edc2dced4711146a67556822b6cefd61c07b06e
e96b1979a0e64f67d1071a97c4c6f4f7c97f192c821e46e9ae8e3aa8d48d87d8
eea66ef9539a0ca022156e3f798a99de3fdc7dd2782adc1551c2639a3784cf42
error
f9ddae03124a6ced3b29b6f6e40c990b0f616fc78140bba1afa8b9e3891b956c
+ 40 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/251022-p3n2ga1qdt/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Executes dropped EXE
Downloads MZ/PE file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a556e00a045dc49e98b2ededf7fe224c3416d80dc005855edb6b6db2657d8a27

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Batch (bat) bat a556e00a045dc49e98b2ededf7fe224c3416d80dc005855edb6b6db2657d8a27

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3683250/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/33750/

Comments