MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 abad3e70da1afa3c8a34ee02e658004e254bc140caf873d6a62d8deeeb9d934d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 11



SHA256 hash: abad3e70da1afa3c8a34ee02e658004e254bc140caf873d6a62d8deeeb9d934d
SHA3-384 hash: bd58d3a46de5cd4ae794d4f79efe1bc122aa92d81a2264a0ac28c2730a4a3938c18345538c058b62b6ed06b4393bb310
SHA1 hash: 5334fff6c62ba810f5ad66add2ea14bfa9de4acb
MD5 hash: af0854db00713cb91b6ff30dc93fc5d8
humanhash: foxtrot-ohio-leopard-equal
File name: rvtools4.7.1.exe
File size: 22'904'944 bytes
First seen: 2025-11-24 14:26:05 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 573bb7b41bc641bd95c0f5eec13c233b (32 x GuLoader, 17 x RemcosRAT, 16 x VIPKeylogger)
ssdeep 393216:FkPLbrZpaWM+yRXROscOwDp4R0r+4aVZkeV72962VW2dpcfgB3nUTiUhQ5:FkDhpaWM+ikscOip40nbe9B2Uf8nU7
TLSH T19537336D5460943BDED266F8E35D4377EAEB17F96A678C6D3A4A30CF4007BC0A11231A
TrID 37.3% (.EXE) Win64 Executable (generic) (10522/11/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.9% (.EXE) Win32 Executable (generic) (4504/4/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon 696969496d696869
Reporter smica83
Tags: exe signed

Code Signing Certificate

Organisation: Chengdu Jiameini Technology Co., Ltd.
Issuer: Sectigo Public Code Signing CA EV R36
Algorithm: sha256WithRSAEncryption
Valid from: 2025-10-15T00:00:00Z
Valid to: 2026-10-15T23:59:59Z
Serial number: 066295a2ac93a8eab2696cb8798e0c33
Cert Graveyard Blocklist: This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm: SHA256
Thumbprint: 9ba60d4ca8c24f541b76cd418c82f2b12960238d72c9dc26f36a19d0c8416b48
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads :
1
# of downloads :
101
Origin country :
HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
rvtools4.7.1.exe
Verdict:
Malicious activity
Analysis date:
2025-11-24 14:26:53 UTC
Tags:
auto-reg python arch-exec arch-doc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Suspicious
Score:
50%
Tags:
vmdetect extens sage blic
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Creating a file in the %temp% subdirectories
Searching for the window
Searching for the Windows task manager window
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Sending a custom TCP request
Launching a process
Creating synchronization primitives
Searching for synchronization primitives
Loading a suspicious library
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context anti-debug blackhole installer installer installer-heuristic microsoft_visual_cc nsis overlay signed
Verdict:
Clean
File Type:
exe x32
First seen:
2025-11-24T16:27:00Z UTC
Last seen:
2025-11-25T13:35:00Z UTC
Hits:
~10
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl.evad
Score:
46 / 100
Signature
Detected unpacking (creates a PE file in dynamic memory)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Dot net compiler compiles file from suspicious location
Suricata IDS alerts for network traffic
Unusual module load detection (module proxying)
Uses whoami command line tool to query computer and username
Behaviour
Behavior Graph: ID 1820022, Sample: rvtools4.7.1.exe, Startdate: 24/11/2025, Architecture: WINDOWS, Score: 46 (graph rendering omitted)
Verdict:
inconclusive
YARA:
6 match(es)
Tags:
Executable NSIS Installer PDB Path PE (Portable Executable) PE File Layout SFX 7z Win 32 Exe x86
Gathering data
Threat name:
Win32.Trojan.Vigorf
Status:
Malicious
First seen:
2025-11-24 13:16:46 UTC
File Type:
PE (Exe)
Extracted files:
44
AV detection:
8 of 38 (21.05%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  6/10
Tags:
discovery persistence ransomware
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Launches sc.exe
Loads dropped DLL
Adds Run key to start application
Badlisted process makes network request
Enumerates connected drives
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_NSIS_Nullsoft_Installer
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:PE_Digital_Certificate
Author:albertzsigovits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments