MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0b00a225a122bdf4b95b7b5962233aef5db67c570f7c39626f35b6ca16170b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DattoRMM


Vendor detections: 14



SHA256 hash: c0b00a225a122bdf4b95b7b5962233aef5db67c570f7c39626f35b6ca16170b0
SHA3-384 hash: fd11c9acce475e931be9fccf571d382b71fa1594b4e537c962fe2778aea3f2528d8ce6fe6a86da25b9a7ab931632d53a
SHA1 hash: efc33b39cf027164e4e263cedb1ee8f271afe416
MD5 hash: 29315275ab0a9a394292c358c7ff552b
humanhash: two-william-hot-twelve
File name: DHL420964.exe
Signature: DattoRMM
File size: 11'055'728 bytes
First seen: 2026-01-03 08:25:14 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 187b3ae62ff818788b8c779ef7bc3d1c (56 x DattoRMM, 14 x Stealc, 1 x GCleaner)
ssdeep: 196608:4aZk+wC0rsRTjTtR43PG8PZHj2BPFOsti7A95R8jsFp29XaIT030Hy05s6r8Ar8t:SnC04RT9R4PkE7Ap84p29qIT0Z6rXr8t
TLSH: T10FB63313D57BCCF0CB234678D6E10A46BB4A058A9C5AB8D4E584633E55D34ADEF38B8C
TrID: 39.5% (.EXE) InstallShield setup (43053/19/16)
      28.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      9.6% (.EXE) Win64 Executable (generic) (10522/11/4)
      6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika: pebin
Reporter: abuse_ch
Tags: DattoRMM DHL exe signed

Code Signing Certificate

Organisation: Datto, LLC
Issuer: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm: sha256WithRSAEncryption
Valid from: 2024-05-17T00:00:00Z
Valid to: 2027-06-29T23:59:59Z
Serial number: 012a9b58571397956cdcfc20203acf49
Intelligence: 33 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 12ca78c07f0b671572de939a5c5bee7687079265babc7d2cb6aab6aa954b5a33
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


abuse_ch
Spread via Firebase -> https://invoicing-kyc.com/Invoice/instructions.php

Intelligence


File Origin
# of uploads: 1
# of downloads: 120
Origin country: CH
Vendor Threat Intelligence
Malware configuration found for: NSIS
Details
Archives: extracted contents of the ZIP archive
NSIS: extracted archive contents
Malware family: n/a
ID: 1
File name: https://track.pstmrk.it/3s/invoicing-kyc.com%2FInvoice/dzXf/T3PCAQ/AQ/2cddb915-98e8-445c-b90c-4bfdea66371f/1/mBWYd8J27c
Verdict: Malicious activity
Analysis date: 2026-01-03 00:22:14 UTC
Tags: datto rmm-tool loader arch-exec arch-doc

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 94.9%
Tags: micro remo blic
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating a file in the Program Files subdirectories
Creating a file
Creating a service
Launching a service
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Loading a suspicious library
Creating a file in the system32 subdirectories
Moving a file to the system32 subdirectory
Using the Windows Management Instrumentation requests
Moving a recently created file
Launching a process
Creating a window
DNS request
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Unauthorized injection to a recently created process
Enabling autorun with the shell\open\command registry branches
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: adaptive-context anti-debug installer installer installer-heuristic masquerade mingw nsis overlay packed signed
Verdict: Clean
File Type: PE
First seen: 2026-01-03T04:24:00Z UTC
Last seen: 2026-01-03T14:37:00Z UTC
Hits: ~10
Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 100 / 100
Signature
Bypasses PowerShell execution policy
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an undocumented autostart registry key
Creates files in the system32 config directory
Enables network access during safeboot for specific services
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive printer information (via WMI, Win32_Printer, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Unusual module load detection (module proxying)
Uses netsh to modify the Windows network and firewall settings
Behaviour
Behavior Graph (text recovered from the graph rendering; Graph ID: 1843992, Sample: DHL420964.exe, Startdate: 03/01/2026, Architecture: WINDOWS, Score: 100)

Contacted domains and IPs:
  zinfandel-agent.centrastage.net
  zinfandel-agent-notifications.centrastage.net (52.223.44.223, port 443, AMAZONEXPANSIONGB, United States)
  agent-gateway.zinfandel.rmm.datto.com (52.223.63.230, port 443, AMAZONEXPANSIONGB, United States)
  03ws.centrastage.net (3.33.246.235, port 443, AMAZONEXPANSIONGB, United States)
  15.197.238.235, port 443 (TANDEMUS, United States)
  6 other IPs or domains at the top node, 5 others from CagService.exe, 2 others from AEMAgent.exe

Process tree (started processes):
  DHL420964.exe -> Gui.exe
  CagService.exe -> AEMAgent.exe (x2), powershell.exe, 11 other processes (including regsvr32.exe and 8 further processes)
  svchost.exe -> MpCmdRun.exe -> conhost.exe
  AEMAgent.exe -> RMM.WebRemote.exe, netsh.exe (x2, each -> conhost.exe), 9 other processes (including conhost.exe x2 and 7 further processes)
  RMM.WebRemote.exe -> netsh.exe (x3, each -> conhost.exe)
  powershell.exe -> csc.exe (-> cvtres.exe), 2 other processes
  5 other top-level processes

Dropped files:
  CagService.exe: microsoft.manageme...ative.unmanaged.dll (PE32+), microsoft.manageme...tructure.native.dll (PE32+), microsoft.management.infrastructure.dll (PE32), 301 other malicious files
  DHL420964.exe: C:\Users\user\AppData\Local\...\nsisXML.dll (PE32), C:\Users\user\AppData\Local\...\nsSCM.dll (PE32), C:\Users\user\AppData\Local\...\nsProcess.dll (PE32), 44 other files (6 malicious)
  AEMAgent.exe: C:\ProgramData\...\websocket-sharp.dll (PE32), microsoft.manageme...ative.unmanaged.dll (PE32+), microsoft.manageme...tructure.native.dll (PE32+), 63 other malicious files
  RMM.WebRemote.exe: C:\ProgramData\...\RMM.RTC.Proxy.exe (PE32+)
  csc.exe: C:\Windows\Temp\tzm1bsge\tzm1bsge.dll (PE32)

Signatures by process:
  top node: Malicious sample detected (through community Yara rule); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive printer information (via WMI, Win32_Printer, often done to detect virtual machines); 8 other signatures
  CagService.exe: Creates files in the system32 config directory; Reads the Security eventlog; Reads the System eventlog
  DHL420964.exe: Enables network access during safeboot for specific services
  svchost.exe: Changes security center settings (notifications, updates, antivirus, firewall)
  AEMAgent.exe: Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall; Unusual module load detection (module proxying)
  powershell.exe: Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines); Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes); Queries memory information (via WMI often done to detect virtual machines); Loading BitLocker PowerShell Module
  RMM.WebRemote.exe: Creates an undocumented autostart registry key; Unusual module load detection (module proxying)
  netsh.exe (started by AEMAgent.exe): Creates files in the system32 config directory
Verdict: inconclusive
YARA: 5 match(es)
Tags: Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86
Result
Malware family: n/a
Score: 8/10
Tags: defense_evasion discovery execution installer persistence privilege_escalation spyware trojan
Behaviour
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System policy modification
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Checks installed software on the system
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Adds Run key to start application
Boot or Logon Autostart Execution: Active Setup
Modifies Windows Firewall
Manipulates Digital Signatures
Unpacked files
SHA256 hash | MD5 hash | SHA1 hash
c0b00a225a122bdf4b95b7b5962233aef5db67c570f7c39626f35b6ca16170b0 | 29315275ab0a9a394292c358c7ff552b | efc33b39cf027164e4e263cedb1ee8f271afe416
ea9c13c4192587e36858d7b2ade40208c2b186ce6358be298eb54e6df3fa2ef6 | 52b075e8a8effdd2e09914b14e2bafd6 | 6a83f9d2aa54ff4c68ec8d7e465e998712f8786c
97c25a7a0532e474e87e9c63280055f252a229c17f9f5455a7545ee1a162afe4 | a89951cc9e1498c405a7ebf9ec68c92e | b2555fb42f139305c4c2a931f1e2df690c91549c
3b15c6e4ca42036d7424f93ea0806a2d35220d65faaf2bd2479a54258f631b55 | 428c3a07fba184367a5085e46e4a790b | f2de6cd4ec99ab784d18914a21de9d919a450089
bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1 | 56a321bd011112ec5d8a32b2f6fd3231 | df20e3a35a1636de64df5290ae5e4e7572447f78
0df23b577e3cb2cf8b1fc356eb3a70faeb89e3974871855e2c2ff33953053371 | 234829a34a9d264dacd52c5b0cbdb95a | 95dc9fcaa40e01afaa084555b328fb3e0623af89
0e92d3683673d7899d33c71d2b5e022d83198aab9413dcafc43f6ce597cdf252 | fcbce484db6b9051b50381be4c70d4ad | f752be7a7a0d9e7986855db6806b01c70350c058
18b34feb4cc8529be7433eb179391ebdbd047fe5d8a83f9b6d80843c7bddfaa5 | 38fb4d949cc3014095bff7655b778977 | 95a41ad05448ad37365f7e9bfdcb3a2419f812d9
24bd076d31dc9d363eb2adb8b27a7d45d9f975aeec565132d27901537e31f239 | d552de7d39179b914db7cc2dbdd005c2 | 044329c6c335224ba05a4e398a5fcb204f13ac36
40b3d590f95191f3e33e5d00e534fa40f823d9b1bb2a9afe05f139c4e0a3af8d | c8164876b6f66616d68387443621510c | 7a9df9c25d49690b6a3c451607d311a866b131f4
5413095e2e536356a2f8facfcf0818f711bc512aad8a0034f646cbd4e9f979df | 9bd9998fada60eb7e157148a5d681633 | 0715f534b854ac2e3660dd073610e2c6426ef274
5a7ca101fd8efe0006f2f69d786989adc968d82cea35d83e976fb12d9baace32 | e42998e3bb92e6696a82ef796efac507 | 8202e573a8abedaaa138b3cef6135ce09c0e87e6
5f29e16edff5379e93d5be9bee4cddf98132b84326027688511ac0f3157aaf94 | d01819bfe03222dfa9e35a36555b6b6c | 25f8069590b14724f28e6a04b8a42e4ef4a8562d
662f70439057ffeb64e86ab141d9d2352150b471f9d6c5934480b1514ed8219b | 8599919c89b3036965406402c4e0eb59 | c7ac8ed03dd709de70b12b91eaae483455f24731
74c94094f7fe86c9969093456c4c167f129f9e1943c29c669b8e57cce3b3b07d | 05bc5532d193dd7d8c9809eefe5f6717 | 1fcee2c1c9ecf87cc62fc927db77b49b56eb289d
87af304c8fb7c84b15f160331e1a4c803eeb6f4632499875a7d8f438353dcc63 | b0f179e4047b97f8de9744743e878486 | e63dd8ad4591cce60b9bd44b3a6451ec567f2b62
8b0f62bb2f3af65e458ca56535a580c31fc9ce555ec8dae825031c843b440f1e | 93847672e8ab6a31d56a93b28daa130c | 3654b18fa3b2cbb90bf65ffd78b4449c04e7fd69
8e0c73e94cdd28b0373bb6e1fbebe29f258f8fbf0d4771ac9dd08dbcda3ef6d9 | ae2f45308384f5f2aaec76f079dca1af | 30e20b3f79f9164644b7ba2bc171cd60bcfb0690
9292eb06bf4cd100c94abd2949a96351a0f3710008674993c7491da578e1ede1 | 99a817a04b25690b98edf3370ed2eb83 | 1a878f0e4fb4f7ea1d75674eb724fc6feaccdff0
92f1d0d6ccfb0d030789f3c5c636fcdd08f6d0541a5a54f185e8ecd85592e3f9 | 6aa2393ff1fde1a61d0cf51730428f74 | 3c847a95a6547aa49919789d7a0cb6ed76122849
9d6f57b2cda902df276730d76c481d4537402643d1aed03dab81a5d17286c913 | ad23b4cdfda55b7abe505087b246b1a3 | 442fb06d6c8173429f8f4133478086ccaf4dc271
a3591b9aafe80ed526ee2ab0e27ea84ddb41781be425f89ce9a13fdcc60626d3 | 25770e0d1027f328aa172c9f8c43395a | a0ca64fc8c267d1192bb808f797ecc0227d659a5
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294 | 83cd62eab980e3d64c131799608c8371 | 5b57a6842a154997e31fab573c5754b358f5dd1c
ab94b6aace3b74ed0fa4a70a199606e1bf8c312b81d1c075f1b3a40e47922cba | 997dc0eb0f031a6b5b0f5bbcfa45a056 | 47f9d69749316cdfb9c746390acf3219dd75229c
b400644c9d4762d6d9649b8005338b2bef76b4f8704cff794b859c46ec1ee924 | 5293cccc52665f2ce1a8bdb13374854f | fc5dc77a74728f9a9c8a931508d102ad92bfe3a7
b46f763461aea32fcea7ad964533a0706e6ea377c211f8dbd1841241a4edc7e3 | c9217b4fc057c99ef0b1c603de094a30 | 8b6326767783e351c6bed00ea2aa46ce441048c0
b635ba89e9cc8455f252b7e24e5d2838f50aaf75121ca7d070bb7d6cf41a6235 | 06b971620bda7960f7d8e43ce69e3bbe | 08e1f37cd9c1d320fac3a32105f16abbbb73092c
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9 | a5f8399a743ab7f9c88c645c35b1ebb5 | 168f3c158913b0367bf79fa413357fbe97018191
dc6cf05cde0f011869a289faa32a791994e200a3fbaff3e30678d67672ed3543 | 980a9457e4dd84b0e002523cb5ca728e | f725746ee48bb640778dcf241c8fb7805a07172e
dfa9351dcbbbde572684f569b900ade24380fc0ad63d592c4100d754b2bfdf7e | e28c8111ea4cab3890fb559e977f5847 | cc19e6ceee81d2dcea7358cd0d9c53f442088dad
dfeab83e6a9555a6c18070c611d868e117fa2fef6f815da26e622feb2e610254 | 8e4e0ea396b5452bed54e6888cb07ca1 | 1a7afcdd7f118b3ef8f1d9761fa71faeee16fd2c
e333548749078be5b6207453755e40220361ace77bae0b81b60e2666b5fa8986 | aa78ec5b23873e94e11f619b7566cc95 | 3e4b0d084212dc096ae1b2b4194a11c4e9fa255c
e9932fb947df5125648828248f51beb1f0b213b41f0a15bf77d56bc4b9217375 | 9defb2682db3afbc640ac3fdf4045154 | 3996fe866d6bd39878ea6b498e439589020c1ed8
ea7fd75e2bb069699d4da09f3601d70ca8e401f58949178cdbf2c5928720daa1 | 8f6875148b45c300b95514cb40703c2e | 0015b8e21d84e0f6f174cf71b63651bad94582df
efef690d875957f60dda6804a1adc538c598901b61bd3da2deba010e3a78fc6b | 2a56ded81943787d054f5dc55acc5849 | db43d79f10c7007d79859474215516300016a119
f041747b5b6b20b6620ca13a7b276c9e9070e54cda8c29f6add54cba9a42a2f5 | 0f581e56ed5ba500ce5d98d105b04a37 | b6e2cade601bc6fd15e7f07ed41a4dfa4ee0a589
f43ec0e1544baf147e28a7135f3e9cda40cf2657f31fa8c6acb2501fd95b4e3e | a5a4cd5e052208055b3154e9afe2f463 | 3be61fcc6003faab2f96577dc721618489dc367c
f71621c47c610e0886846cf53d955fd0e7448951f99ecc22facd47493ef97a87 | e548a93d16964e52868c47cef1c98f2e | 4b96b0aa48f6ac050a764c7d65f4129a9bb8cf21
7274fe736fe36cdc8343b04fea6ff598ce384ead99ea94e4b47d4d329037331d | 941a7b4dc105c3487d2b2961dc6ccb01 | ac71c5b759cabd78213748329909eaee60810d12
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through base63 encoded powershell script.
Rule name: PE_Digital_Certificate
Author: albertzsigovits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DattoRMM

Executable exe c0b00a225a122bdf4b95b7b5962233aef5db67c570f7c39626f35b6ca16170b0

(this sample)

Delivery method: Distributed via web download

Comments