MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2f6f559bb6c077f7a3dbe2fb5e3bbe6aa060391265fe8f719f45e9f2ce212cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 15


Intelligence 15 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b2f6f559bb6c077f7a3dbe2fb5e3bbe6aa060391265fe8f719f45e9f2ce212cd
SHA3-384 hash: 7b63854f41d91d0d5454d6000c2b33cbc5a96419a5bae98bfbd0c22cb9aa4c4344d8ad94d6e05503d364b5a788a9d97a
SHA1 hash: 3224387a003896a7dac654a5ff7d5473f4266a84
MD5 hash: 1f6765eaa07a6276f77dcab1b20f4f1a
humanhash: five-texas-hamper-eleven
File name:file
Download: download sample
File size:74'752 bytes
First seen:2025-11-12 16:31:39 UTC
Last seen:2025-11-12 18:23:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 1536:ktsPIBXI/BERtyqa8gNkaGcm60yW3NtlTbCAQZbWmjg:ktc/BEba8w17MYAQZbWmjg
TLSH T175731EDC725072EFC85BC4729EA82DA8FA6174BB831F4217942715ADAE4C897CF540F2
TrID 28.5% (.EXE) Win64 Executable (generic) (10522/11/4)
17.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
13.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.2% (.EXE) Win32 Executable (generic) (4504/4/1)
5.6% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe fbf543


Avatar
Bitsight
url: http://178.16.54.200/files/8330368940/Aa00Lf4.exe

Intelligence

File Origin
# of uploads :
5
# of downloads :
101
Origin country :
US US
Vendor Threat Intelligence
Malware family:
xmrig
Create hunting rule
ID:
1
File name:
b2f6f559bb6c077f7a3dbe2fb5e3bbe6aa060391265fe8f719f45e9f2ce212cd.bin.exe
Verdict:
Malicious activity
Analysis date:
2025-11-12 16:31:57 UTC
Tags:
confuser loader winring0-sys vuln-driver xmrig
Link:
https://app.any.run/tasks/7f176296-fa3d-4a0c-842b-aa6d3d1e7cbf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/37736/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.83535899.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6914b69960ebe843fe8d6b8e
Tags:
trojan shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Creating a window
Searching for the window
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
Connection attempt
Sending an HTTP GET request
Creating a process from a recently created file
Searching for analyzing tools
Launching a process
Creating a service
Launching a service
Setting browser functions hooks
Launching a tool to kill processes
Enabling autorun for a service
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
base64 confuser confuserex net obfuscated obfuscated packed packed reconnaissance
Link:
https://www.filescan.io/uploads/6914b7e7c239ac925580a36d/reports/ba435e34-57ce-42e2-bab1-232e369a1861/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/b2f6f559bb6c077f7a3dbe2fb5e3bbe6aa060391265fe8f719f45e9f2ce212cd
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-12T13:37:00Z UTC
Last seen:
2025-11-14T06:53:00Z UTC
Hits:
~100
Detections:
Trojan.Win64.Reflo.idd HEUR:Rootkit.Win64.Agent.gen Trojan-PSW.Win32.Stealer.sb Trojan.MSIL.DOTHETUK.sb HEUR:Trojan.Win32.Generic PDM:Trojan.Win32.Generic HEUR:Trojan.Win64.Reflo.gen Trojan.Win64.Reflo.sb Trojan.MSIL.Inject Trojan-Dropper.Win32.Injector Trojan.Win32.Agent.rnd Trojan.MSIL.Crypt.sb Trojan.MSIL.Agent.sb RiskTool.BitCoinMiner.TCP.C&C RiskTool.BitCoinMiner.UDP.C&C
Link:
https://opentip.kaspersky.com/b2f6f559bb6c077f7a3dbe2fb5e3bbe6aa060391265fe8f719f45e9f2ce212cd/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/2d1557f6-3153-44bf-b63e-4f08419b84f4
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b2f6f559bb6c077f7a3dbe2fb5e3bbe6aa060391265fe8f719f45e9f2ce212cd
Verdict:
inconclusive
YARA:
9 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.99 Win 32 Exe x86
Link:
https://app.malva.re/file/1f6765eaa07a6276f77dcab1b20f4f1a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b2f6f559bb6c077f7a3dbe2fb5e3bbe6aa060391265fe8f719f45e9f2ce212cd/
Verdict:
Malicious
Threat:
Family.XMRIG
Link:
https://tip.neiki.dev/file/b2f6f559bb6c077f7a3dbe2fb5e3bbe6aa060391265fe8f719f45e9f2ce212cd
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-11-12 16:31:57 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
21 of 23 (91.30%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wl3pkwn3nqdx66r5xyx3ly5342vama4rezp6r5yz6rpj6lhcclgq._file
Verdict:
Malicious
Tags:
red_team_tool
YARA:
SUSP_NET_NAME_ConfuserEx
Link:
https://app.threat.zone/submission/f9fb038b-3837-4edc-b0c8-43019ff9d1c1
Unpacked files
SH256 hash:
b2f6f559bb6c077f7a3dbe2fb5e3bbe6aa060391265fe8f719f45e9f2ce212cd
MD5 hash:
1f6765eaa07a6276f77dcab1b20f4f1a
SHA1 hash:
3224387a003896a7dac654a5ff7d5473f4266a84
Link:
https://www.unpac.me/results/fce69d87-15b3-4240-84a6-09a947708b22/
SH256 hash:
4ee35fd7d90697718aaef292a415559b376a6d4ee23106588179916f5e59d560
MD5 hash:
6954c02d7bf3dda2fd715fbd21dc02e0
SHA1 hash:
01126c1c8743fa337b85f82b2c459f262e25d924
Detections:
Gen_Base64_EXE
Create hunting rule
Link:
https://www.unpac.me/results/fce69d87-15b3-4240-84a6-09a947708b22/
SH256 hash:
e25cca1cf31f55f86c5c2997f99f2b7722693c1820c609a6614f8d8d1c2e0a38
MD5 hash:
48d3abc9f1d81b12b3c2cb4aadf1d07d
SHA1 hash:
ee765bf431e3d1a4a73041d48f7f7a1cd690bf97
Link:
https://www.unpac.me/results/fce69d87-15b3-4240-84a6-09a947708b22/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b2f6f559bb6c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b2f6f559bb6c077f7a3dbe2fb5e3bbe6aa060391265fe8f719f45e9f2ce212cd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:SEH__vba
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe b2f6f559bb6c077f7a3dbe2fb5e3bbe6aa060391265fe8f719f45e9f2ce212cd

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3703719/
Cape
Cape
https://www.capesandbox.com/analysis/37736/

Comments