MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bada9a791056f160545710e6170019870e25d2136914ff604662f046bf0e3764. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bada9a791056f160545710e6170019870e25d2136914ff604662f046bf0e3764
SHA3-384 hash: 307494863670c0b321eed70ccd1deedefcd3e7aa907fc265db9a259d81649000e8fdb2e1f1da6eab74498367b534f10c
SHA1 hash: 5f296a4199a157cd5f50ccb0d0196c36c2e08c8a
MD5 hash: 6aab2d9dbb3d3a7f1814e3d2d8e6ee79
humanhash: glucose-london-arizona-kentucky
File name:SecuriteInfo.com.Trojan.KillProc2.22760.1585.87
Download: download sample
File size:3'403'457 bytes
First seen:2025-09-25 13:19:41 UTC
Last seen:2025-09-25 14:23:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c4b8b0aba9f9c876ca624bdbda64d516 (1 x Koadic, 1 x Sality)
ssdeep 49152:3E3wYEMp0BCdy88Z/1IZHKV/ktlvnjJtEtj5DuLj3aEhJphXXXq:3fcp8CdyQqMtlvnjJtEtVuLThJO
TLSH T11CF539149B1631B1E486D3B1085EC020D87D7ECE9ABB3C50FC68EBD6119AF159AD33B6
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
80
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
random.exe
Verdict:
Malicious activity
Analysis date:
2025-09-25 13:13:59 UTC
Tags:
stealc stealer auto redline amadey vidar botnet loader unlocker-eject tool arch-exec themida auto-reg rdp gcleaner phishing autoit lumma anti-evasion rhadamanthys aurotun
Link:
https://app.any.run/tasks/dd59bda1-66cf-4673-ac25-ddbf3a90b9dd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/29016/
Detection(s):
SecuriteInfo.com.Trojan.KillProc2.22760.1585.87.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
98.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68d552911e4783989051f49c
Tags:
vmdetect stration sage remo
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Searching for synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a file
Launching a process
Launching cmd.exe command interpreter
Creating a window
Launching a service
Searching for the window
Сreating synchronization primitives
Sending a custom TCP request
Creating a process from a recently created file
DNS request
Connection attempt
Using the Windows Management Instrumentation requests
Launching the process to change the firewall settings
Launching a tool to kill processes
Forced shutdown of a system process
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
anti-vm microsoft_visual_cc overlay
Link:
https://www.filescan.io/uploads/68d5418274e5a2898992fb7d/reports/e2523762-f951-464f-843b-293eae0bc844/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/bada9a791056f160545710e6170019870e25d2136914ff604662f046bf0e3764
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-25T10:15:00Z UTC
Last seen:
2025-09-25T10:15:00Z UTC
Hits:
~10
Detections:
BSS:Trojan.Win32.Generic UDS:DangerousObject.Multi.Generic RemoteAdmin.Autoit.HTTP.ServerRequest not-a-virus:HEUR:RemoteAdmin.Win32.UltraVNC.gen
Link:
https://opentip.kaspersky.com/bada9a791056f160545710e6170019870e25d2136914ff604662f046bf0e3764/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/04a702d8-26d3-4d7c-a79e-4b334651c9ca
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/bada9a791056f160545710e6170019870e25d2136914ff604662f046bf0e3764
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/6aab2d9dbb3d3a7f1814e3d2d8e6ee79
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bada9a791056f160545710e6170019870e25d2136914ff604662f046bf0e3764/
Verdict:
Malicious
Threat:
RemoteAdmin.Win32.UltraVNC
Link:
https://tip.neiki.dev/file/bada9a791056f160545710e6170019870e25d2136914ff604662f046bf0e3764
Threat name:
Win32.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-09-25 12:47:58 UTC
AV detection:
13 of 38 (34.21%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xlnju6iqk3ywavcxcdtboaazq4hcluqtnekp6ycgmlyenpyog5sa._file
Verdict:
malicious
Label(s):
admintool_winvncserver
Create hunting rule
Similar samples:
error
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion discovery persistence privilege_escalation
Link:
https://tria.ge/reports/250925-qlpgcaywfv/
Behaviour
Views/modifies file attributes
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Checks computer location settings
Executes dropped EXE
Modifies Windows Firewall
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/002b7c83-45ef-44bd-8478-bbf9902de8d6
Unpacked files
SH256 hash:
bada9a791056f160545710e6170019870e25d2136914ff604662f046bf0e3764
MD5 hash:
6aab2d9dbb3d3a7f1814e3d2d8e6ee79
SHA1 hash:
5f296a4199a157cd5f50ccb0d0196c36c2e08c8a
Link:
https://www.unpac.me/results/f5926906-394c-4230-bd2e-397f75389541/
SH256 hash:
7eab621f89b28fb0f64c23da110da75281cccd6ee2f32d82de68284a8710aafd
MD5 hash:
72021e16410af77d75d515e6ef1e6694
SHA1 hash:
d802428a58b64e8596a3c93bc5bb575ddfa02fea
Link:
https://www.unpac.me/results/f5926906-394c-4230-bd2e-397f75389541/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bada9a791056f160545710e6170019870e25d2136914ff604662f046bf0e3764

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe bada9a791056f160545710e6170019870e25d2136914ff604662f046bf0e3764

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/29016/
  
URLhaus
https://urlhaus.abuse.ch/url/3631808/
  
Delivery method
Distributed via web download

Comments