MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b59199454fb6665bfd64c5a88d13532eb56b22735b83ba262cc643dd290d5f97. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 12

Intelligence 12 IOCs YARA 15 File information Comments

SHA256 hash:	b59199454fb6665bfd64c5a88d13532eb56b22735b83ba262cc643dd290d5f97
SHA3-384 hash:	4eb84f314e2fd6af29aab33fe7815d6e0ca766bb6e30b27c9075329ab4484c8bf72830f335697cb67ec6a2ad3e100335
SHA1 hash:	6891b7010eb461489865572bc540016779bcd817
MD5 hash:	0af146fb7e7f5f6146b6b5bec4eb9a4f
humanhash:	eighteen-blossom-snake-neptune
File name:	buding.exe
Download:	download sample
File size:	4'240'938 bytes
First seen:	2025-11-16 16:26:42 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	51a854d285aa12eb82e76e6e1be01573
ssdeep	98304:oHVb+5pSNjvePmCqYRGKIPIvPn0CYijpJoG3uOi:UsOTEGKIPm0CjjkX
TLSH	T1B616338954D393BAFA7E95B584A6EC5C2709012EBA94980ECFE44D93CCFDC4D3083E65
TrID	34.7% (.EXE) UPX compressed Win32 Executable (27066/9/6) 34.1% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4) 8.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.7% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	abuse_ch
Tags:	exe UPX

UPX packed

This file is packed with UPX. We have therefore unpacked the file. Below is furhter information about the unpacked (de-compressed) file.

File size (compressed) :	4'240'938 bytes
File size (de-compressed) :	5'218'858 bytes
Format:	win32/pe
Unpacked file:	e30a9bee5ee26e31edbdd2654969551cbabd2694b8703539f768c04b53c19be0

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

buding.exe

Verdict:

Malicious activity

Analysis date:

2025-11-16 16:31:51 UTC

Tags:

upx xor-url generic ip-check icmp

Link:

https://app.any.run/tasks/7dcfa097-c782-4148-8e41-6e8ff48c6ace

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/38360/

Detection(s):

Win.Malware.Flystudio-6937682-0

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6919fb70bdb0ec3a9dc26365

Tags:

dropper extens madi smtp

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a window

Сreating synchronization primitives

Connection attempt

Sending an HTTP GET request

Creating a file

DNS request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

microsoft_visual_cc overlay overlay packed packed packed upx xor-url

Link:

https://www.filescan.io/uploads/6919fb73a130a437f88efb45/reports/1ced2dcd-fcb7-4991-afae-3e44a082327d/overview

Verdict:

Malicious

Labled as:

Babar.Generic

Link:

https://www.hybrid-analysis.com/sample/b59199454fb6665bfd64c5a88d13532eb56b22735b83ba262cc643dd290d5f97

Verdict:

Unknown

File Type:

exe x32

First seen:

2025-11-16T09:16:00Z UTC

Last seen:

2025-11-16T14:06:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/b59199454fb6665bfd64c5a88d13532eb56b22735b83ba262cc643dd290d5f97/results?tab=lookup

Gathering data

Result

Threat name:

n/a

Detection:

malicious

Classification:

n/a

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/1814918

Signature

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file has a writeable .text section

Behaviour

Behavior Graph:

Download SVG

Score:

96%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/b59199454fb6665bfd64c5a88d13532eb56b22735b83ba262cc643dd290d5f97

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/0af146fb7e7f5f6146b6b5bec4eb9a4f

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b59199454fb6665bfd64c5a88d13532eb56b22735b83ba262cc643dd290d5f97/

Threat name:

Win32.Malware.Heuristic

Status:

Malicious

First seen:

2025-11-16 16:27:12 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 38 (55.26%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wwizsrkpwztfx7leywui2e2tf22wwittlob3ujrmyzb52kinl6lq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery upx

Link:

https://tria.ge/reports/251116-tx8wxazqhr/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

System Location Discovery: System Language Discovery

UPX packed file

Loads dropped DLL

Verdict:

Malicious

Tags:

Win.Malware.Flystudio-6937682-0

YARA:

n/a

Link:

https://app.threat.zone/submission/ba8b5473-4978-4c73-b821-19bc2d6fcef9

Unpacked files

SH256 hash:

b59199454fb6665bfd64c5a88d13532eb56b22735b83ba262cc643dd290d5f97

MD5 hash:

0af146fb7e7f5f6146b6b5bec4eb9a4f

SHA1 hash:

6891b7010eb461489865572bc540016779bcd817

Link:

https://www.unpac.me/results/fddcb816-a441-4c5e-b207-d0734acaa1de/

SH256 hash:

590c9ba4cad5a401c071f89f8468c45031a637f1c137ca320d9dbe82e4beabd6

MD5 hash:

2b86ad8cd1903916ae5a3cd7ec2f1b9e

SHA1 hash:

0240b4f0795ed3bf24748954fee6751901f26f2c

Link:

https://www.unpac.me/results/fddcb816-a441-4c5e-b207-d0734acaa1de/

SH256 hash:

b1eb520ff83d6403e04fb8ddb253e76c10b800af49629d8974d44b330d377da6

MD5 hash:

f0e18dab16cc67f81ec762abb9a63585

SHA1 hash:

22f44703a214033d9f267ae4983963112cd93fad

Link:

https://www.unpac.me/results/fddcb816-a441-4c5e-b207-d0734acaa1de/

SH256 hash:

19b4d189a73b79a73c2ddd678ed5ff7357d92494cf76a21372a58e3dce075d50

MD5 hash:

e5e521468e2a9f9b314e06e29116b5a9

SHA1 hash:

4044a4efd7998e8c4245e632b18056b089f0aa53

Link:

https://www.unpac.me/results/fddcb816-a441-4c5e-b207-d0734acaa1de/

SH256 hash:

1b28d05c306b575319c6fb9b08276b2204a7b569d9e540879ce67c8d17640990

MD5 hash:

f6a2a92194fc69858ffa9aa1557454da

SHA1 hash:

47dbb9abb4d83e2d21c6107c11244f8daae0cc5d

Link:

https://www.unpac.me/results/fddcb816-a441-4c5e-b207-d0734acaa1de/

SH256 hash:

53483523c316ad8c022c2b07a5cabfff3339bc5cb5e4ac24c3260eea4f4d9731

MD5 hash:

7c1ff88991f5eafab82b1beaefc33a42

SHA1 hash:

5ea338434c4c070aaf4e4e3952b4b08b551267bc

Link:

https://www.unpac.me/results/fddcb816-a441-4c5e-b207-d0734acaa1de/

SH256 hash:

25ed7ed1a08c63f40da1d378c9922efd0db9627e2856848469961bf64a86e40d

MD5 hash:

af60aac7484ba84bfb6d5a39aea349a3

SHA1 hash:

7e4862c0735ac4f881de87317fc3e864eaa33cce

Link:

https://www.unpac.me/results/fddcb816-a441-4c5e-b207-d0734acaa1de/

SH256 hash:

d1a1c6bac6a498adccdafab9d600a372aa9d5b826a33cfa06aaa9f75357c5b23

MD5 hash:

8f385e7c8cf1f8ebdae0448473977cc7

SHA1 hash:

942bf465e29a5e5f85580eb30aa9510b92f802d7

Link:

https://www.unpac.me/results/fddcb816-a441-4c5e-b207-d0734acaa1de/

SH256 hash:

a8b14f31098a191631696db5ddc77e029b48999542e0ec15b63df02220c66d37

MD5 hash:

dba5fdbe7ec94463b3f6fdf2162c9f95

SHA1 hash:

a97137b4f2b77166b2a23da1f58e0bdb7365f4f2

Detections:

win_xiaoba_auto

Link:

https://www.unpac.me/results/fddcb816-a441-4c5e-b207-d0734acaa1de/

Parent samples :

05cc7a32e5a0023f9e1c790f97b069ccd27ada59ea8b9864f7f9069e3049663c
0def3cbaec84dc2729761b4a47590d888cf93ed2097d6dfd6dda7d3b29471ef3
0b2a852742c7d974fe16a45a7c6fb5efcf7b03f19e7029f9c43284a2ea5be84f
b59199454fb6665bfd64c5a88d13532eb56b22735b83ba262cc643dd290d5f97
e30a9bee5ee26e31edbdd2654969551cbabd2694b8703539f768c04b53c19be0

SH256 hash:

2e9769ace867c79d5fcdda0eb2660c52b5e062c69b36add42d22eb0dddc4b3ee

MD5 hash:

f9a994df4d407bc79f7c84886fe7a654

SHA1 hash:

c93e4be70794164b7b339218cc832ac94074d08e

Link:

https://www.unpac.me/results/fddcb816-a441-4c5e-b207-d0734acaa1de/

SH256 hash:

fd672602ed6371ee5ec7d4d1c0311c4326ff075316c91dd628b075b046fae682

MD5 hash:

1a4d03ebc83a1fc3150c4bc9fd597b45

SHA1 hash:

dd7b3aead6f38ebfa3a3439b39beab3de1d0513b

Link:

https://www.unpac.me/results/fddcb816-a441-4c5e-b207-d0734acaa1de/

SH256 hash:

0216a0f6d6d5360ab487e696b26a39eb81a1e2c8cd7f59c054c90ab99a858daf

MD5 hash:

d2a9c02acb735872261d2abc6aff7e45

SHA1 hash:

fce6c2cf2465856168ea55ccd806155199a6f181

Link:

https://www.unpac.me/results/fddcb816-a441-4c5e-b207-d0734acaa1de/

SH256 hash:

94b085fec6c9f80bfff6e8f64778fb305e91c88b1cceb4c80d9e617947934da7

MD5 hash:

61686c308d6c527900150705b2ced92c

SHA1 hash:

d8fb31d436e0561730468fd167d65680f7a5c5c6

Detections:

SUSP_XORed_URL_In_EXE

Link:

https://www.unpac.me/results/fddcb816-a441-4c5e-b207-d0734acaa1de/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b59199454fb6665bfd64c5a88d13532eb56b22735b83ba262cc643dd290d5f97

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ASPackv212AlexeySolodovnikov Create hunting rule
Author:	malware-lu

Rule name:	ASProtectV2XDLLAlexeySolodovnikov Create hunting rule
Author:	malware-lu

Rule name:	CMD_Ping_Localhost Create hunting rule

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_EXE_Packed_ASPack Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ASPack

Rule name:	SUSP_XORed_URL_In_EXE Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	UPX20030XMarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	UPXv20MarkusLaszloReiser Create hunting rule
Author:	malware-lu

Rule name:	upx_3 Create hunting rule
Author:	Kevin Falcoz
Description:	UPX 3.X

Rule name:	upx_largefile Create hunting rule
Author:	k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe b59199454fb6665bfd64c5a88d13532eb56b22735b83ba262cc643dd290d5f97

(this sample)

exe e30a9bee5ee26e31edbdd2654969551cbabd2694b8703539f768c04b53c19be0

URLhaus

https://urlhaus.abuse.ch/url/2301795/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/38360/

Dropping

SHA256 e30a9bee5ee26e31edbdd2654969551cbabd2694b8703539f768c04b53c19be0

Dropping

MD5 04a0287db9563a85e139d7740408ece5

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample