MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bdb465b61d15e6596cfabcc1dc5eca4a988b832adefa5fccb275464ff2ef2a44. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 22 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bdb465b61d15e6596cfabcc1dc5eca4a988b832adefa5fccb275464ff2ef2a44
SHA3-384 hash: 2141c666864b77d14d0f4309c698d0cf145c23c55d57687309ee073f00dda38d494c25eef004da75ed565e5b0edf5114
SHA1 hash: 4a27f7cc20f358febfc1288b20886b998c632626
MD5 hash: bc1795ac55eee5f68ae989f4264bcd2a
humanhash: july-utah-august-rugby
File name:file
Download: download sample
File size:3'856'968 bytes
First seen:2026-02-10 10:43:35 UTC
Last seen:2026-02-10 15:02:33 UTC
File type: zip
MIME type:application/zip
ssdeep 98304:CsIwqJJE5JgriIYCL0cG7ZItuZwha/93ghsLONPVxLeW:Cs4Ju5Jgrz1IPatuUi9Q1zLeW
TLSH T141063305E9C3E015FB6F42B62DC5E917CE2CF58A329897FD1C1E895C46EBC60DB1A680
Magika zip
Reporter Bitsight
Tags:d429b4 dropped-by-amadey zip


Avatar
Bitsight
url: https://papeoficial.com.br/wp-content/uploads/ugui.zip

Intelligence

File Origin
# of uploads :
3
# of downloads :
181
Origin country :
US US
File Archive Information

This file archive contains 4 file(s), sorted by their relevance:

File name:MSVCP140.dll
File size:58'483'712 bytes
SHA256 hash: 2be837eb6570063bfe902f56aad6e045d62592a641ccdf98ac9f82fa6ce130c0
MD5 hash: b4b36ab9122bbd11d9f38e5883f8b928
MIME type:application/x-dosexec
File name:VCRUNTIME140.dll
File size:124'544 bytes
SHA256 hash: d5e4d9a3e835fa679450145d6a7d94e36573a509317111904d9b3712c30d9066
MD5 hash: 6ca4edb2b52ec46c7fca3fd372ca6c00
MIME type:application/x-dosexec
File name:ugui.exe
File size:188'936 bytes
SHA256 hash: 5376b0fea8d666fdcc1f330bd6f34aa5623dcbcad4b0ffed53087456ee849214
MD5 hash: 8d8309a795cb4b5c7e66bf202d111037
MIME type:application/x-dosexec
File name:VCRUNTIME140_1.dll
File size:49'792 bytes
SHA256 hash: 1f2d41c4aa5db0bc33ebf7b66d72943a817d7ce6cbe880502a9403823633093f
MD5 hash: cd1b08f4930b276ad78853580b76b5c6
MIME type:application/x-dosexec
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/676c2877-bde2-4eec-99ad-ab1f6121be15/
Detection(s):
SecuriteInfo.com.W64.Aotera.BU.tr.9623.32352.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=698b0c0142fd65534cce3b75
Tags:
n/a
Result
Verdict:
Unknown
File Type:
PE File
Link:
https://app.docguard.net/bdb465b61d15e6596cfabcc1dc5eca4a988b832adefa5fccb275464ff2ef2a44/results/dashboard
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
anti-vm microsoft_visual_cc signed
Link:
https://www.filescan.io/uploads/698b0c00981ff1d38a4fb738/reports/43fb862f-6d0c-4783-9149-35972d8fb089/overview
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/bdb465b61d15e6596cfabcc1dc5eca4a988b832adefa5fccb275464ff2ef2a44
Result
Verdict:
UNKNOWN
Link:
https://labs.inquest.net/dfi/sha256/bdb465b61d15e6596cfabcc1dc5eca4a988b832adefa5fccb275464ff2ef2a44
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
File Type:
zip
Detections:
HEUR:Trojan.Win64.Generic HEUR:Trojan.Win32.Heavy.gen
Link:
https://opentip.kaspersky.com/bdb465b61d15e6596cfabcc1dc5eca4a988b832adefa5fccb275464ff2ef2a44/results?tab=lookup
Score:
99%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/bdb465b61d15e6596cfabcc1dc5eca4a988b832adefa5fccb275464ff2ef2a44
Verdict:
inconclusive
YARA:
3 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Zip Archive
Link:
https://app.malva.re/file/bc1795ac55eee5f68ae989f4264bcd2a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bdb465b61d15e6596cfabcc1dc5eca4a988b832adefa5fccb275464ff2ef2a44/
Verdict:
Malicious
Threat:
Trojan.Win32.Heavy
Link:
https://tip.neiki.dev/file/bdb465b61d15e6596cfabcc1dc5eca4a988b832adefa5fccb275464ff2ef2a44
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xw2glnq5cxtfs3h2xta5yxwkjkmixazk335f7tfsovde74xpfjca._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/260210-nqp8bsbx2f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.15
Link:
https://yomi.yoroi.company/submissions/bdb465b61d15e6596cfabcc1dc5eca4a988b832adefa5fccb275464ff2ef2a44

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

zip bdb465b61d15e6596cfabcc1dc5eca4a988b832adefa5fccb275464ff2ef2a44

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3775420/

Comments