MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b815b0a5c28c5d6314354bb3b0e898d80b2ee62763579d28c709c8c977b7be3d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 15


Intelligence 15 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b815b0a5c28c5d6314354bb3b0e898d80b2ee62763579d28c709c8c977b7be3d
SHA3-384 hash: cf10eaffb144fb791a36f67780a73cec6f61538931530629a47fd1adec29b3a27581bd5e259efe9be46b462897e0154d
SHA1 hash: 2ca171feb420939d90480a3ad313ec6bb5910d32
MD5 hash: 57cd907803c29d8d02e69b6f89dc669a
humanhash: six-september-ink-mirror
File name:file
Download: download sample
File size:296'448 bytes
First seen:2025-12-31 17:26:51 UTC
Last seen:2026-01-12 11:14:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b31da0971f03ad8d978723cd8ca7b5a0
ssdeep 6144:pRpTgCXrYSpHJ+4htNtbhFF1eTTi42xaLplTiM+jwJO:pjXFN9hFApcM+6
Threatray 122 similar samples on MalwareBazaar
TLSH T153544B4977A440F4D8A79139CDA39A46E7B2B859077193CF03A443B95F2B7D09E3E322
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter Bitsight
Tags:000000000000 dropped-by-smokeloader exe


Avatar
Bitsight
url: http://62.60.226.159/

Intelligence

File Origin
# of uploads :
3
# of downloads :
91
Origin country :
US US
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/13640705-24b0-47ef-ab02-cc336ea33291/
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2025-12-31 17:28:14 UTC
Tags:
auto-sch auto-reg
Link:
https://app.any.run/tasks/c035b366-b7ac-4d4e-97ed-2f281693ed67

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/46699/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69555cf5d2357cccc3de3ef5
Tags:
clipbanker autorun emotet
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug clipbanker exploit explorer fingerprint lolbin microsoft_visual_cc schtasks
Link:
https://www.filescan.io/uploads/69555cf4127d6a14e0ca7ea4/reports/e683b615-5d73-4ae0-8c57-772040ae96f2/overview
Verdict:
Malicious
Labled as:
Trojan.Loader.Marte.6.Generic
Link:
https://www.hybrid-analysis.com/sample/b815b0a5c28c5d6314354bb3b0e898d80b2ee62763579d28c709c8c977b7be3d
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-12-25T18:27:00Z UTC
Last seen:
2026-01-01T07:39:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan-Banker.Win32.ClipBanker.gen HEUR:HackTool.Win32.Inject.heur Trojan-Banker.Win32.ClipBanker.agpp Trojan.Win32.Agent.sb Trojan-Banker.Win32.ClipBanker.sb PDM:Trojan.Win32.Generic MEM:Trojan.Win32.Cometer.gen Backdoor.Win32.Androm Trojan-Dropper.Win32.Injector.sb
Link:
https://opentip.kaspersky.com/b815b0a5c28c5d6314354bb3b0e898d80b2ee62763579d28c709c8c977b7be3d/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7d3fa98d-d3be-4d10-843e-2db261545be2
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b815b0a5c28c5d6314354bb3b0e898d80b2ee62763579d28c709c8c977b7be3d
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/57cd907803c29d8d02e69b6f89dc669a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b815b0a5c28c5d6314354bb3b0e898d80b2ee62763579d28c709c8c977b7be3d/
Verdict:
Malicious
Threat:
Trojan-Banker.Win32.ClipBanker
Link:
https://tip.neiki.dev/file/b815b0a5c28c5d6314354bb3b0e898d80b2ee62763579d28c709c8c977b7be3d
Threat name:
Win64.Infostealer.ClipBanker
Create hunting rule
Status:
Malicious
First seen:
2025-12-25 23:13:16 UTC
File Type:
PE+ (Exe)
Extracted files:
2
AV detection:
24 of 36 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xak3bjocrrowgfbvjoz3b2ey3afs5zrhmnlz2kghbhems55xxy6q._file
Verdict:
malicious
Label(s):
unc_loader_073
Create hunting rule
Similar samples:
1586e6f714547d9ec024c9aeff1df7024d37a867d543de418b0af65c530c6738
2af5b20be78d166ff38cd23466548334f767fa22a58620dd049975ac1288caf6
312ff53f4264561e0c409d76e073835d9058c824736eb8b36545703a9181a1da
3232706a6824a99e09588cbd5b4528632c0d2f8cf905e92fc1dad9d57152d390
b815b0a5c28c5d6314354bb3b0e898d80b2ee62763579d28c709c8c977b7be3d
dfa531e1ac9cb7c6ca7cd7cd052c5a33af615cc4f8b1a8cf8a0cc85a1064c3dd
error
+ 112 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
execution persistence
Link:
https://tria.ge/reports/260106-n42taag17c/
Behaviour
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5081c534-8745-4a95-aa50-aca8636d5e0d
Unpacked files
SH256 hash:
b815b0a5c28c5d6314354bb3b0e898d80b2ee62763579d28c709c8c977b7be3d
MD5 hash:
57cd907803c29d8d02e69b6f89dc669a
SHA1 hash:
2ca171feb420939d90480a3ad313ec6bb5910d32
Detections:
win_sdbbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/dc4ec53f-451d-4700-888b-7ca6c330bf65/
SH256 hash:
0006aeb5a1bdc6b1a7476d21c75cb8194b36c1bfebccb08a0817e97e1a195a15
MD5 hash:
d53b924b6a51b059684e35c950bd65d6
SHA1 hash:
fe5e5503ca1cbeb9afab0c885c71c9852d93534e
Detections:
ReflectiveLoader
Create hunting rule
INDICATOR_SUSPICIOUS_ReflectiveLoader
Create hunting rule
Link:
https://www.unpac.me/results/dc4ec53f-451d-4700-888b-7ca6c330bf65/
Parent samples :
2af5b20be78d166ff38cd23466548334f767fa22a58620dd049975ac1288caf6
b815b0a5c28c5d6314354bb3b0e898d80b2ee62763579d28c709c8c977b7be3d
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b815b0a5c28c5d6314354bb3b0e898d80b2ee62763579d28c709c8c977b7be3d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_ReflectiveLoader
Create hunting rule
Author:ditekSHen
Description:Detects Reflective DLL injection artifacts
Rule name:ReflectiveLoader
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:Internal Research
Rule name:win_sdbbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.sdbbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe b815b0a5c28c5d6314354bb3b0e898d80b2ee62763579d28c709c8c977b7be3d

(this sample)

  
Dropped by
Smokeloader
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/46699/

Comments