MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 baf43d31ee9e62706ca5a894735202bbaf918729a09bcd91b5066b8e820dbc90. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 12

Intelligence 12 IOCs YARA 5 File information Comments

SHA256 hash:	baf43d31ee9e62706ca5a894735202bbaf918729a09bcd91b5066b8e820dbc90
SHA3-384 hash:	35853cce47009f6208c7aafefc3083894ae8ef93c437304826522128fecbe2d044b77df5f973791def6c930b0b50252d
SHA1 hash:	23e0ceb34a9d968465054fb7fb32e205f9ac786e
MD5 hash:	e5f76b2db75723b2803f5d4a5b5187e8
humanhash:	cardinal-july-winter-william
File name:	file
Download:	download sample
File size:	259'072 bytes
First seen:	2026-01-04 21:33:45 UTC
Last seen:	2026-01-17 01:06:42 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	0bc790d86115172fa0bd2d854a03262b
ssdeep	3072:mNOwqK4rgK11DQFhjFs5zlwuSnXrZNkxIEAL9DVdUr6RFhPp3YVKrw90C8/NHLXI:8ORK4rg+1DOpskTXlNkxM/smwn8BobE
TLSH	T1CD448D51BAA40CFDE97BC13CC9524906DB72BC5A07A1EBCF07904A925F236E49E3E711
TrID	48.7% (.EXE) Win64 Executable (generic) (10522/11/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	Bitsight
Tags:	a3dacb dropped-by-amadey exe

Bitsight

url: http://196.251.107.23/duobs.exe

Intelligence

File Origin

# of uploads :

240

# of downloads :

124

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2026-01-04 21:34:09 UTC

Tags:

auto-reg crypto-regex

Link:

https://app.any.run/tasks/6135b561-ede4-455c-99de-fade8004d741

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/47652/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=695adcd5d2357cccc3df6f43

Tags:

clipbanker ransomware injection dropper

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file

Enabling the 'hidden' option for recently created files

Sending a custom TCP request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

exploit fingerprint microsoft_visual_cc

Link:

https://www.filescan.io/uploads/695adcd4127d6a14e0cfa9c7/reports/7932bd42-40e8-462e-9290-17ea1d47e194/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/baf43d31ee9e62706ca5a894735202bbaf918729a09bcd91b5066b8e820dbc90

Verdict:

Malicious

File Type:

exe x64

First seen:

2026-01-04T19:03:00Z UTC

Last seen:

2026-01-05T12:48:00Z UTC

Hits:

~100

Detections:

HEUR:Trojan-Banker.Win32.ClipBanker.gen Trojan-Dropper.Win32.Dorifel.sbd PDM:Trojan.Win32.Generic Trojan-Banker.Win32.ClipBanker.sb Trojan.Win32.Reconyc.sb Trojan.Win32.Agent.sb

Link:

https://opentip.kaspersky.com/baf43d31ee9e62706ca5a894735202bbaf918729a09bcd91b5066b8e820dbc90/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/187fc4aa-f95f-4b48-8967-514382422f19

Score:

67%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/baf43d31ee9e62706ca5a894735202bbaf918729a09bcd91b5066b8e820dbc90

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/e5f76b2db75723b2803f5d4a5b5187e8

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/baf43d31ee9e62706ca5a894735202bbaf918729a09bcd91b5066b8e820dbc90/

Verdict:

Malicious

Threat:

Trojan-Banker.Win32.ClipBanker

Link:

https://tip.neiki.dev/file/baf43d31ee9e62706ca5a894735202bbaf918729a09bcd91b5066b8e820dbc90

Threat name:

Win64.Infostealer.ClipBanker

Status:

Malicious

First seen:

2026-01-04 21:34:14 UTC

File Type:

PE+ (Exe)

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xl2d2mpotzrha3ffvckhguqcxoxzdbzjucn43envazvy5aqnxsia._file

Result

Malware family:

n/a

Score:

7/10

Tags:

persistence

Link:

https://tria.ge/reports/260106-jd29xaev9d/

Behaviour

Adds Run key to start application

Executes dropped EXE

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/bc0f111f-d666-49d8-8593-bfdbc1d453b7

Unpacked files

SH256 hash:

baf43d31ee9e62706ca5a894735202bbaf918729a09bcd91b5066b8e820dbc90

MD5 hash:

e5f76b2db75723b2803f5d4a5b5187e8

SHA1 hash:

23e0ceb34a9d968465054fb7fb32e205f9ac786e

Link:

https://www.unpac.me/results/dc004879-5b83-4913-ad08-2cd4dbb087c5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/baf43d31ee9e62706ca5a894735202bbaf918729a09bcd91b5066b8e820dbc90

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_SUSPICIOUS_ReflectiveLoader Create hunting rule
Author:	ditekSHen
Description:	Detects Reflective DLL injection artifacts

Rule name:	ReflectiveLoader Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe baf43d31ee9e62706ca5a894735202bbaf918729a09bcd91b5066b8e820dbc90

(this sample)

Dropped by

Amadey

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3750296/

Cape

https://www.capesandbox.com/analysis/47652/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample