MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb5d6c1ca0aa6232a2d55e14b20ac4a9945a0bd063c57d60a5ed3ae94160e3e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 12

Intelligence 12 IOCs YARA 7 File information Comments

SHA256 hash:	cb5d6c1ca0aa6232a2d55e14b20ac4a9945a0bd063c57d60a5ed3ae94160e3e8
SHA3-384 hash:	557da90cf83793e7857785bffa508eea0630b89ec16b3e704f59268a7d48380c9e24aa53780e910d466f400af8cd8a38
SHA1 hash:	3db5a97d9b0f2545e7ba97026af6c28512200441
MD5 hash:	f227cdfd423b3cc03bb69c49babf4da3
humanhash:	romeo-uranus-pennsylvania-pluto
File name:	SecuriteInfo.com.Win64.MalwareX-gen.8683.29053
Download:	download sample
File size:	3'004'928 bytes
First seen:	2025-04-20 13:31:50 UTC
Last seen:	2025-08-03 17:13:20 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	49152:xlcyXfHnaBTof9ePCjkIAm1skqXfd+/9A9ByClY1v/a/ehH7pNLLn2:DZXfHaFoCIvqkqXf0FglY1XOe97vLn
TLSH	T1F0D5225BF36FCE16E40A253C1945D33259227C369DE6F30F308CBEE5C97A6691AC0A85
TrID	56.5% (.EXE) Win64 Executable (generic) (10522/11/4) 11.0% (.ICL) Windows Icons Library (generic) (2059/9) 10.9% (.EXE) OS/2 Executable (generic) (2029/13) 10.7% (.EXE) Generic Win/DOS Executable (2002/3) 10.7% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
File icon (PE):
dhash icon	cc8e333333338ecc (6 x SalatStealer, 3 x DCRat, 3 x SheetRAT)
Reporter	SecuriteInfoCom
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

361

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

BootstrapperNewV2.exe

Verdict:

Malicious activity

Analysis date:

2025-03-17 16:10:19 UTC

Tags:

stealer

Link:

https://app.any.run/tasks/d9e8ae9e-0b10-4339-8bdc-dba3ae533ba0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/3120/

Detection(s):

SecuriteInfo.com.Win64.MalwareX-gen.5591.11267.UNOFFICIAL

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6804f76d280f5f89a0d26317

Tags:

packed virus core

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

entropy obfuscated packed packed packer_detected reconnaissance redcap zero

Link:

https://www.filescan.io/uploads/6804f760931404048d809619/reports/8e82438e-3916-409d-92c7-3cd79d59926c/overview

Verdict:

Malicious

Labled as:

IL:Trojan.MSILZilla

Link:

https://www.hybrid-analysis.com/sample/cb5d6c1ca0aa6232a2d55e14b20ac4a9945a0bd063c57d60a5ed3ae94160e3e8

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/20b6631c-64d7-46b4-b45b-a6ae2697a5ad

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/1669782

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Costura Assembly Loader

Behaviour

Behavior Graph:

Download SVG

Score:

70%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/cb5d6c1ca0aa6232a2d55e14b20ac4a9945a0bd063c57d60a5ed3ae94160e3e8

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cb5d6c1ca0aa6232a2d55e14b20ac4a9945a0bd063c57d60a5ed3ae94160e3e8/

Threat name:

ByteCode-MSIL.Trojan.Malgent

Status:

Malicious

First seen:

2025-02-13 00:42:50 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

21 of 36 (58.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=znowyhfavjrdfiwvlyklecwevgkfuc6qmpcx2yff5u5osqla4pua._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/250420-qs5f5szl18/

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/874391db-fb8e-4fde-8736-cc2d46870d31

Unpacked files

SH256 hash:

cb5d6c1ca0aa6232a2d55e14b20ac4a9945a0bd063c57d60a5ed3ae94160e3e8

MD5 hash:

f227cdfd423b3cc03bb69c49babf4da3

SHA1 hash:

3db5a97d9b0f2545e7ba97026af6c28512200441

Detections:

INDICATOR_EXE_Packed_Fody

INDICATOR_SUSPICIOUS_EXE_RawPaste_URL

Link:

https://www.unpac.me/results/9f293109-977f-41e3-bf16-b71ddbe52812/

Parent samples :

1ca4a73b1076d2c6c0b97b3544919281b091e260f4970f62ae7f1cbcb9cc5e74
494c215c4485565fbb9701f0b2dd709bd5be57d3463a827f7276f74fa6ef4b34
6c7fd8731d8b9cbb61ade117afbaa8e622437aae4b859dd50036cfbe857f0be5
f57a8361f3da23bb65b2498f4204cb6e22a129909bca742d8c2bb898590731b1
cb5d6c1ca0aa6232a2d55e14b20ac4a9945a0bd063c57d60a5ed3ae94160e3e8

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cb5d6c1ca0aa6232a2d55e14b20ac4a9945a0bd063c57d60a5ed3ae94160e3e8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_EXE_Packed_Fody Create hunting rule
Author:	ditekSHen
Description:	Detects executables manipulated with Fody

Rule name:	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL Create hunting rule
Author:	ditekSHen
Description:	Detects executables (downlaoders) containing URLs to raw contents of a paste

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe cb5d6c1ca0aa6232a2d55e14b20ac4a9945a0bd063c57d60a5ed3ae94160e3e8

(this sample)

Cape

https://www.capesandbox.com/analysis/3120/

URLhaus

https://urlhaus.abuse.ch/url/3519469/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high
CHECK_TRUST_INFO	Requires Elevated Execution (level:requireAdministrator)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample