MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c23f6c59660be0080ec7e6977514b041dec8a66d1e04361bd73708dd9c964189. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	c23f6c59660be0080ec7e6977514b041dec8a66d1e04361bd73708dd9c964189
SHA3-384 hash:	431254ca679c28b4a565a7fd84738d9531a9a35fcc56cec26c22b09c76d0c6ea2d3cb9f64359b06572bfb7778b1d3f75
SHA1 hash:	0243d675b4ad94dce071568a98e94b2d18688269
MD5 hash:	e25c61ae720a872701f2fc366a871394
humanhash:	fourteen-cola-vegan-winter
File name:	NEW ORDER-PDF.bat
Download:	download sample
File size:	10'311 bytes
First seen:	2025-11-14 13:54:16 UTC
Last seen:	2025-11-14 14:05:22 UTC
File type:	bat
MIME type:	text/plain
ssdeep	192:mYQkB4fiN9FiiiiiiiiiiiiiiiiiiiiiiwDiiiiiiiiiiiiiiiiiiiiiiziiiii9:ukufu9FiiiiiiiiiiiiiiiiiiiiiiwDW
TLSH	T1872265CE0A0D1C23EBB70F2953744ED04A6ED4C38B91E08D564F6B73986A3D3A19AD94
Magika	txt
Reporter	James_inthe_box
Tags:	bat exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

NEW ORDER-PDF.bat

Verdict:

No threats detected

Analysis date:

2025-11-14 13:57:01 UTC

Tags:

susp-powershell

Link:

https://app.any.run/tasks/c3c10829-c41d-4e42-bed1-0efb853c7da2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/38207/

Detection(s):

SecuriteInfo.com.Other.Malware-gen.75326237.UNOFFICIAL

SecuriteInfo.com.Generic.BatDwnld.A.EA2DC852.29863.17483.UNOFFICIAL

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6917348e434cd67b17c13f10

Tags:

obfuscate xtreme shell

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Сreating synchronization primitives

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Connection attempt to an infection source

Sending a TCP request to an infection source

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

base64 base64 batch masquerade obfuscated obfuscated opendir overlay powershell

Link:

https://www.filescan.io/uploads/6917348ec1835ca0815acb6c/reports/dc9494e8-9945-43d2-aa33-247e44ed1185/overview

Verdict:

Malicious

Labled as:

BatDwnld.A.Generic

Link:

https://www.hybrid-analysis.com/sample/c23f6c59660be0080ec7e6977514b041dec8a66d1e04361bd73708dd9c964189

Verdict:

Malicious

File Type:

text

First seen:

2025-11-14T02:46:00Z UTC

Last seen:

2025-11-16T10:53:00Z UTC

Hits:

~1000

Detections:

Trojan.BAT.Agent.sb HEUR:Trojan.BAT.Generic

Link:

https://opentip.kaspersky.com/c23f6c59660be0080ec7e6977514b041dec8a66d1e04361bd73708dd9c964189/results?tab=lookup

Score:

Verdict:

Benign

File Type:

SCRIPT

Link:

https://malprob.io/report/c23f6c59660be0080ec7e6977514b041dec8a66d1e04361bd73708dd9c964189

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c23f6c59660be0080ec7e6977514b041dec8a66d1e04361bd73708dd9c964189/

Verdict:

Malicious

Threat:

Trojan.BAT.Agent

Link:

https://tip.neiki.dev/file/c23f6c59660be0080ec7e6977514b041dec8a66d1e04361bd73708dd9c964189

Threat name:

Script-BAT.Trojan.BatDwnld

Status:

Malicious

First seen:

2025-11-14 07:01:34 UTC

File Type:

Text (Batch)

AV detection:

8 of 38 (21.05%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yi7wywlgbpqaqdwh42lxkffqihpmrjtndycdmg6xg4en3hewigeq._file

Result

Malware family:

n/a

Score:

10/10

Tags:

collection discovery execution

Link:

https://tria.ge/reports/251114-q7n3pscj8w/

Behaviour

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Browser Information Discovery

System Location Discovery: System Language Discovery

Drops file in Windows directory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Badlisted process makes network request

Command and Scripting Interpreter: PowerShell

Malware Config

Dropper Extraction:

http://ia600202.us.archive.org/3/items/msi-pro-with-b-64_20251114/MSI_PRO_with_b64.png

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c23f6c59660b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c23f6c59660be0080ec7e6977514b041dec8a66d1e04361bd73708dd9c964189

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Base64_Encoded_Powershell_Directives Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/38207/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample