MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ceaa99440a1294e1a574941c6f1b01db99ad6d85d314264156989e893a64cd6e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Koadic


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ceaa99440a1294e1a574941c6f1b01db99ad6d85d314264156989e893a64cd6e
SHA3-384 hash: 640e48642ce3f33c74761be42fb25625ca593c79aebd6c2ceaf41defecbe287f099bc20692cf04f27828b3a54d9c373f
SHA1 hash: 70cbd1cb34fde535a52914529272d0481ee6f426
MD5 hash: f66c0c185742a12f8772390531984916
humanhash: steak-winter-london-ceiling
File name:Intesa Sanpaolo_Pagamento fatture.pdf.bat
Download: download sample
Signature Koadic
Create hunting rule
File size:2'050'847 bytes
First seen:2025-04-17 06:40:13 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 24576:zETBL59nRrEIKbuDBqI3QPUSm4WSblRAgF/AZS7jSNHMM68bA4E6BC:mULCMdxRSBMMDo6U
Threatray 877 similar samples on MalwareBazaar
TLSH T16F95493C71E217A5F4A2852473F3EB3CCAFD6D08C04D19BF513EB9542A9EAB85983446
Magika txt
Reporter lowmal3
Tags:bat Koadic

Intelligence

File Origin
# of uploads :
1
# of downloads :
73
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Intesa Sanpaolo_Pagamento fatture.pdf.bat
Verdict:
Malicious activity
Analysis date:
2025-04-17 09:03:08 UTC
Tags:
autoit evasion snake keylogger stealer ims-api generic
Link:
https://app.any.run/tasks/af8db152-931a-4ae5-90a2-dbd870c5c236

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/2663/
Detection(s):
SecuriteInfo.com.Other.Malware-gen.1004.14983.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6800a690280f5f89a0d03872
Tags:
obfuscated xtreme shell
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade obfuscated powershell
Link:
https://www.filescan.io/uploads/6800a25790767142c3d88b84/reports/829cf82c-2402-438f-a81f-80aa1513679d/overview
Verdict:
Malicious
Labled as:
BZC.MNT.Boxter.836
Link:
https://www.hybrid-analysis.com/sample/ceaa99440a1294e1a574941c6f1b01db99ad6d85d314264156989e893a64cd6e
Result
Verdict:
MALICIOUS
Result
Threat name:
Koadic, MSIL Logger, MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1667207
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Creates a thread in another existing process (thread injection)
Found large BAT file
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Suspicious command line found
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected Koadic BAT payload
Yara detected MassLogger RAT
Yara detected MSIL Logger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1667207 Sample: Intesa Sanpaolo_Pagamento f... Startdate: 17/04/2025 Architecture: WINDOWS Score: 100 40 reallyfreegeoip.org 2->40 42 checkip.dyndns.org 2->42 44 checkip.dyndns.com 2->44 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 Multi AV Scanner detection for submitted file 2->60 64 12 other signatures 2->64 10 cmd.exe 1 2->10         started        13 svchost.exe 1 1 2->13         started        signatures3 62 Tries to detect the country of the analysis system (by using the IP) 40->62 process4 dnsIp5 74 Suspicious powershell command line found 10->74 76 Suspicious command line found 10->76 78 PowerShell case anomaly found 10->78 16 cmd.exe 1 10->16         started        19 conhost.exe 10->19         started        50 127.0.0.1 unknown unknown 13->50 signatures6 process7 signatures8 52 Suspicious powershell command line found 16->52 54 PowerShell case anomaly found 16->54 21 powershell.exe 24 16->21         started        25 MpCmdRun.exe 1 16->25         started        process9 file10 38 C:\Users\user\AppData\Local\KhgsxCifXT.exe, PE32+ 21->38 dropped 70 Found suspicious powershell code related to unpacking or dynamic code loading 21->70 72 Powershell drops PE file 21->72 27 KhgsxCifXT.exe 21->27         started        30 conhost.exe 21->30         started        32 conhost.exe 25->32         started        signatures11 process12 signatures13 80 Writes to foreign memory regions 27->80 82 Allocates memory in foreign processes 27->82 84 Creates a thread in another existing process (thread injection) 27->84 34 iexpress.exe 15 2 27->34         started        process14 dnsIp15 46 checkip.dyndns.com 193.122.130.0, 49687, 80 ORACLE-BMC-31898US United States 34->46 48 reallyfreegeoip.org 104.21.32.1, 443, 49688 CLOUDFLARENETUS United States 34->48 66 Tries to steal Mail credentials (via file / registry access) 34->66 68 Tries to harvest and steal browser information (history, passwords, etc) 34->68 signatures16
Score:
96%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/ceaa99440a1294e1a574941c6f1b01db99ad6d85d314264156989e893a64cd6e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ceaa99440a1294e1a574941c6f1b01db99ad6d85d314264156989e893a64cd6e/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2025-04-15 22:12:27 UTC
AV detection:
10 of 24 (41.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z2vjsrakckkodjlusqog6gyb3om223mf2mkcmqkwtcpisotezvxa._file
Verdict:
malicious
Label(s):
donut_injector
Create hunting rule
novastealer
Create hunting rule
Similar samples:
13468d59ce57b2c059aa39c0ae0a1753c93ce9cae130a23d0ea306f3aaf1773c
Koadic
14f6cc465c16b2b06dca025ac97d6824d0793554b1599b68e401379b4f2cb12a
Koadic
6357866d9a4110843c44f4a4986d50a0af5380f4e185373d062f123d73fe63d9
Koadic
ced40caee716f956a4db4d96f10daa8b80f6c30371f2490129b6cf212dcfd223
Koadic
dfd642ed5f14bce81563b3921c242393a9ac2a1865a8344af8b29b9faaa16a7f
Koadic
error
Koadic
+ 867 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection discovery execution
Link:
https://tria.ge/reports/250417-hfdhwsy1ht/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
System Location Discovery: System Language Discovery
Accesses Microsoft Outlook profiles
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ceaa99440a1294e1a574941c6f1b01db99ad6d85d314264156989e893a64cd6e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Base64_Encoded_Powershell_Directives
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Koadic

Batch (bat) bat ceaa99440a1294e1a574941c6f1b01db99ad6d85d314264156989e893a64cd6e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/2663/

Comments