MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0b92ed73b4e9254a4e0d353c09305f7f27def9d3a86d70001b17482f7317ef9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 11

Intelligence 11 IOCs YARA 16 File information Comments

SHA256 hash:	b0b92ed73b4e9254a4e0d353c09305f7f27def9d3a86d70001b17482f7317ef9
SHA3-384 hash:	752a02075d5449134b9bc050d4c80a60b5fa1e26001844226e8da0b8cf41aa0bc82b9439523b753143ee68fb8447f4d6
SHA1 hash:	6d40af31dbbd925c3b3fb3f4a6d4f7f02401cef5
MD5 hash:	77e20c09d58da572e7d2ac213ca95f88
humanhash:	fifteen-ink-music-april
File name:	wechathelper1.exe
Download:	download sample
File size:	18'810'145 bytes
First seen:	2025-12-22 11:02:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1418e44b536f42ef5db8fd35c961985c (2 x DCRat, 1 x Blackmoon, 1 x Vidar)
ssdeep	393216:bKQ9OkYK95oSrcPoYfrips62fK6K8QsGAkT/p6xg/okINGg8S00HlKYXDa1mB0ZN:tO+oSAPoM2sJK6K91fLs57plKYz9eZYq
TLSH	T147173325AD824833C52E653C69A662D1583AFD203F1CBD8727D83B59067F680C7EA377
TrID	40.3% (.EXE) Win64 Executable (generic) (10522/11/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4504/4/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	Ling
Tags:	exe Trojan:Win32/Wacatac.C!ml wacatac

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/b81fc016-3ce9-43ce-8300-96813816af0a/

Malware family:

n/a

ID:

File name:

wechathelper1.exe

Verdict:

No threats detected

Analysis date:

2025-12-22 11:04:54 UTC

Tags:

delphi

Link:

https://app.any.run/tasks/8b856ac2-6d66-408f-9195-d089597a7c1c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/45719/

Detection(s):

Win.Packed.Zusy-10014517-0

SecuriteInfo.com.Win32.Trojan.Agent.ALRO1E.UNOFFICIAL

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6949257ca6c88bb4cc2373ba

Tags:

vmdetect emotet

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/b0b92ed73b4e9254a4e0d353c09305f7f27def9d3a86d70001b17482f7317ef9

Verdict:

Clean

File Type:

exe x32

First seen:

2025-12-22T03:00:00Z UTC

Last seen:

2025-12-23T02:53:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/b0b92ed73b4e9254a4e0d353c09305f7f27def9d3a86d70001b17482f7317ef9/results?tab=lookup

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/b0b92ed73b4e9254a4e0d353c09305f7f27def9d3a86d70001b17482f7317ef9

Verdict:

inconclusive

YARA:

6 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout PE Memory-Mapped (Dump)

Link:

https://app.malva.re/file/77e20c09d58da572e7d2ac213ca95f88

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b0b92ed73b4e9254a4e0d353c09305f7f27def9d3a86d70001b17482f7317ef9/

Verdict:

Susipicious

Link:

https://tip.neiki.dev/file/b0b92ed73b4e9254a4e0d353c09305f7f27def9d3a86d70001b17482f7317ef9

Threat name:

Win32.Packed.Generic

Status:

Suspicious

First seen:

2025-12-22 09:46:56 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

11 of 24 (45.83%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wc4s5vz3j2jfjjha2nj4beyf67zh3345hkdnoaabwf2if5zrp34q._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/251223-kpk1fa1jas/

Verdict:

Malicious

Tags:

Win.Packed.Zusy-10014517-0

YARA:

n/a

Link:

https://app.threat.zone/submission/de3a9446-e78b-4b12-b51a-460a644aecd8

Unpacked files

SH256 hash:

b0b92ed73b4e9254a4e0d353c09305f7f27def9d3a86d70001b17482f7317ef9

MD5 hash:

77e20c09d58da572e7d2ac213ca95f88

SHA1 hash:

6d40af31dbbd925c3b3fb3f4a6d4f7f02401cef5

Link:

https://www.unpac.me/results/0fd1b0f4-3286-4117-bc64-d1501b69ffd3/

SH256 hash:

1a8d9d382f56b5ea9dfa635dc48a1addda78cfd67b6f2510b4bf210d6b86b3f7

MD5 hash:

49f33d5bc41a22a36ab1fc1153b8a77f

SHA1 hash:

0687dd4500abd68cbcc9acaa4e5f235743033e25

Link:

https://www.unpac.me/results/0fd1b0f4-3286-4117-bc64-d1501b69ffd3/

SH256 hash:

59154351b2d40ff2cdda1451a72bcb2482a4e8cdc52010142143c5c4d276d53a

MD5 hash:

025fbfbf006de4c922aaa7892cf17b7b

SHA1 hash:

1ce14c4c1cf8a7d89decd23dd00c64ef1cd899e7

Link:

https://www.unpac.me/results/0fd1b0f4-3286-4117-bc64-d1501b69ffd3/

SH256 hash:

dc55202634e140b9817805094e6631b7241dd5ea31644ad6e0a39acca6db5780

MD5 hash:

fba61a3e479647477625f13e905ced7d

SHA1 hash:

633331a306237922d247482042b5d91b4ddc4902

Detections:

INDICATOR_EXE_Packed_Loader

Link:

https://www.unpac.me/results/0fd1b0f4-3286-4117-bc64-d1501b69ffd3/

Parent samples :

b0b92ed73b4e9254a4e0d353c09305f7f27def9d3a86d70001b17482f7317ef9
66c00afa5d90cc2d1a5c2cd2e4107964fe7765c74f73ab098ebb5d02c074b2f0

SH256 hash:

95349cbb0ce9bd2bb939c04e611750eca5d1ac1b8baa53641c28c147a59dc725

MD5 hash:

95b2c0f892fe4c15ac1d4929bcb54df1

SHA1 hash:

b13abc14da4b7f1c0a8f5aacd98f0c6fb18873fd

Link:

https://www.unpac.me/results/0fd1b0f4-3286-4117-bc64-d1501b69ffd3/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b0b92ed73b4e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b0b92ed73b4e9254a4e0d353c09305f7f27def9d3a86d70001b17482f7317ef9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	HeavensGate Create hunting rule
Author:	kevoreilly
Description:	Heaven's Gate: Switch from 32-bit to 64-mode

Rule name:	INDICATOR_EXE_Packed_Enigma Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Enigma

Rule name:	INDICATOR_EXE_Packed_Loader Create hunting rule
Author:	ditekSHen
Description:	Detects packed executables observed in Molerats

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SelfExtractingRAR Create hunting rule
Author:	Xavier Mertens
Description:	Detects an SFX archive with automatic script execution

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	TH_Generic_MassHunt_Win_Malware_2025_CYFARE Create hunting rule
Author:	CYFARE
Description:	Generic Windows malware mass-hunt rule - 2025
Reference:	https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe b0b92ed73b4e9254a4e0d353c09305f7f27def9d3a86d70001b17482f7317ef9

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/45719/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample