MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d01af3cb30106d2003c96787fa3172d6f2f1ddf9a25376ec7a3dc48d77c1dcdb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: AdaptixC2
Vendor detections: 12


SHA256 hash: d01af3cb30106d2003c96787fa3172d6f2f1ddf9a25376ec7a3dc48d77c1dcdb
SHA3-384 hash: 6fc00ce08751d47a231dfcb5bdbb2f3543e1bbcf6ad9b48b9278acd1dcea595cc9a0cf170f2964d80388681ab13e17b2
SHA1 hash: c72f3470d90c1472614efc295107f3fe24813c4e
MD5 hash: c4d3f34d5f258eba4ce9937474d7416b
humanhash: november-finch-four-salami
File name: Formulario Revisao RH Movitel.pdf.hta
Signature: AdaptixC2
File size: 324'632 bytes
First seen: 2026-06-18 10:20:26 UTC
Last seen: Never
File type: HTML Application (hta)
MIME type: text/html
ssdeep: 6144:KlWoe6cTAHEWByBdclm2I3w+SHoBDBlmHICws/:MBaTAHE7dcMI5IhXXK
Threatray: 22 similar samples on MalwareBazaar
TLSH: T106645C76055B7DE9269C1E96F405BE190E2DA70B051A814ABFCC60FD1FF86F48E04E3A
Magika: vba
Reporter: smica83
Tags: AdaptixC2 hta

Intelligence


File Origin
# of uploads: 1
# of downloads: 77
Origin country: HU

Vendor Threat Intelligence

No detections

Verdict: Malicious
Score: 94.9%
Tags: dropper shell sage

Result
Verdict: Malicious
File Type: HTA File - Malicious
Behaviour: BlacklistAPI detected

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug base64 masquerade obfuscated packed

Verdict: Malicious
File Type: hta
First seen: 2026-06-17T11:23:00Z UTC
Last seen: 2026-06-19T21:46:00Z UTC
Hits: ~100
Detections: Backdoor.Win64.C2.jg, Backdoor.Win64.AdaptixC2.sb, PDM:Trojan.Win32.Generic, Backdoor.AdaptixC2.HTTP.C&C, Trojan.VBS.Runner.sb, Trojan.JS.SAgent.sb, HEUR:Trojan.Script.Generic

Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 84 / 100
Signature:
  Sigma detected: Legitimate Application Dropped Executable
  Sigma detected: rundll32 run dll from internet
  Sigma detected: Suspicious MSHTA Child Process
  Suricata IDS alerts for network traffic
  System process connects to network (likely due to code injection or exploit)
  Uses certutil -decode
  Yara detected malicious HTA
Behaviour
Behavior Graph ID: 1929880
Sample: Formulario Revisao RH Movit...
Start date: 18/06/2026
Architecture: WINDOWS
Score: 84

Sample-level signatures: Suricata IDS alerts for network traffic; Sigma detected: rundll32 run dll from internet; Yara detected malicious HTA; 2 other signatures.
Sample-level DNS: internal-services.analytis.co

Process tree (dropped files, signatures and network endpoints are listed under the process the graph attaches them to):
  mshta.exe
    dropped: C:\Users\user\...\winhttp_2026.dll.b64 (PEM)
    dropped: C:\Users\user\...\relatorio_2026.pdf.b64 (PEM)
    dropped: C:\ProgramData\OneDriveUpdate.bin.b64 (PEM)
    signature: Uses certutil -decode
    rundll32.exe
      rundll32.exe
        connects to: internal-services.analytis.co, 93.113.25.227:8080 (local port 49696), INTERNET-MAGNATEZA, Romania
        signature: System process connects to network (likely due to code injection or exploit)
    certutil.exe
      dropped: C:\Users\user\AppData\...\relatorio_2026.pdf (PDF)
      conhost.exe
    certutil.exe
      dropped: C:\ProgramData\OneDriveUpdate.bin (data)
      conhost.exe
    2 other processes
      dropped: C:\Users\user\AppData\...\winhttp_2026.dll (PE32+)
      Acrobat.exe
        AcroCEF.exe
          AcroCEF.exe
            connects to: 23.62.176.141:443 (local port 49694), AKAMAI-AS-AkamaiTechnologiesIncUS, United States
      conhost.exe
      conhost.exe
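The process tree above is the chain a detection engineer would want to catch at the endpoint: mshta.exe spawning certutil.exe and rundll32.exe, certutil -decode rebuilding the payloads, rundll32 loading a DLL out of a user-writable directory, and that rundll32 instance calling out to 93.113.25.227:8080. The script below is an added example, not code from MalwareBazaar or from any of the sandbox vendors, and it approximates the logic of the Sigma hits listed above rather than reproducing those rules. The process and network events it runs over are constructed in Sysmon-like shape to follow the sandbox's tree; the drop directory, the command lines and the DLL export name (`Start`) are placeholders, since the sandbox output truncates the real paths and shows no command lines.

```python
"""
Process-tree detection logic for the chain the sandbox recorded on this sample:
mshta.exe spawning certutil.exe and rundll32.exe, certutil -decode, rundll32
loading a DLL from a user-writable path, and rundll32 making an outbound
connection.  Added example, not code from MalwareBazaar or any sandbox vendor;
the events below are constructed in Sysmon-like shape, and their directories,
command lines and the DLL export name are placeholders, not the sample's own.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:            # subset of Sysmon event ID 1 (process create)
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class NetEvent:             # subset of Sysmon event ID 3 (network connect)
    pid: int
    image: str
    dst_ip: str
    dst_port: int


# Children of mshta.exe that an .hta posing as a PDF has no reason to spawn.
SCRIPT_CHILDREN = {"certutil.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe",
                   "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = re.compile(r"\\(?:users|programdata|windows\\temp)\\", re.IGNORECASE)
DLL_ARG = re.compile(r'"?([A-Za-z]:\\[^",]+\.dll)"?', re.IGNORECASE)
CERTUTIL_DECODE = re.compile(r"[-/]decode(?:hex)?\b", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(procs: List[ProcEvent], nets: List[NetEvent]) -> Dict[str, List[int]]:
    """Return {rule_name: [pids]} for every rule that fired on the event set."""
    by_pid = {p.pid: p for p in procs}
    hits: Dict[str, List[int]] = {}

    def fire(rule: str, pid: int) -> None:
        hits.setdefault(rule, []).append(pid)

    for p in procs:
        parent = by_pid.get(p.ppid)
        # Suspicious MSHTA child process: script host spawning a LOLBin.
        if parent and basename(parent.image) == "mshta.exe" and basename(p.image) in SCRIPT_CHILDREN:
            fire("mshta_suspicious_child", p.pid)
        # certutil used as a base64 decoder rather than for certificates.
        if basename(p.image) == "certutil.exe" and CERTUTIL_DECODE.search(p.cmdline):
            fire("certutil_decode", p.pid)
        # rundll32 given a DLL that lives under a user-writable directory.
        if basename(p.image) == "rundll32.exe":
            m = DLL_ARG.search(p.cmdline)
            if m and USER_WRITABLE.search(m.group(1)):
                fire("rundll32_dll_from_user_path", p.pid)
    for n in nets:
        # rundll32 itself opening a connection to a non-RFC1918 address.
        if basename(n.image) == "rundll32.exe" and not ipaddress.ip_address(n.dst_ip).is_private:
            fire("rundll32_outbound_connection", n.pid)
    return hits


# Constructed events following the sandbox's process tree; paths are placeholders.
DROP_DIR = r"C:\Users\user\AppData\Roaming\drop"          # placeholder directory
SAMPLE_PROCS = [
    ProcEvent(2, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(10, 2, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Users\user\Downloads\Formulario Revisao RH Movitel.pdf.hta"'),
    ProcEvent(16, 10, r"C:\Windows\System32\certutil.exe",
              rf"certutil -decode {DROP_DIR}\relatorio_2026.pdf.b64 {DROP_DIR}\relatorio_2026.pdf"),
    ProcEvent(19, 10, r"C:\Windows\System32\certutil.exe",
              r"certutil -decode C:\ProgramData\OneDriveUpdate.bin.b64 C:\ProgramData\OneDriveUpdate.bin"),
    ProcEvent(14, 10, r"C:\Windows\System32\rundll32.exe",
              rf'rundll32.exe "{DROP_DIR}\winhttp_2026.dll",Start'),      # export name is a placeholder
    ProcEvent(23, 14, r"C:\Windows\System32\rundll32.exe",
              rf'rundll32.exe "{DROP_DIR}\winhttp_2026.dll",Start'),
    # Decoy viewer; the sandbox shows an unnamed intermediate parent here, simplified to mshta.
    ProcEvent(31, 10, r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
              rf"Acrobat.exe {DROP_DIR}\relatorio_2026.pdf"),
]
SAMPLE_NETS = [NetEvent(23, r"C:\Windows\System32\rundll32.exe", "93.113.25.227", 8080)]

if __name__ == "__main__":
    for rule, pids in detect(SAMPLE_PROCS, SAMPLE_NETS).items():
        print(f"{rule}: pids {pids}")
```

Against the constructed events the four rules fire on the certutil and rundll32 processes only; Acrobat.exe opening the decoy PDF does not trip any of them, which is the intended separation between the decoy and the loader.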
Verdict: inconclusive
YARA: 4 match(es)
Tags: Base64 Block, Base64 Payload, Contains Base64 Block, Html
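The base64 tags here, together with the PEM-typed .b64 drops and the certutil -decode step in the behaviour graph, describe the usual certutil staging pattern: the HTA writes base64 text (optionally wrapped in PEM-style BEGIN/END lines) to disk and has certutil rebuild the DLL, the decoy PDF and a data blob from it. The following is an added triage helper, not code from MalwareBazaar or from the sample, that decodes such files the way certutil -decode consumes them and classifies the result by magic bytes. The three .b64 contents it operates on are constructed stand-ins (a fake MZ header, a fake PDF header, opaque bytes), not the real dropped files, and the HTA fragment it carves from is likewise constructed.

```python
"""
Decode PEM-armoured base64 payloads the way certutil -decode consumes them, and
classify what comes out.  Added example for this entry, not code from
MalwareBazaar or from the sample: the .b64 contents below are constructed
stand-ins (a fake MZ header, a fake PDF header, opaque bytes), not the real
dropped files, whose full paths the sandbox output truncates.
"""
import base64
import re
from typing import Dict, List, Tuple

# certutil -decode accepts bare base64 or base64 wrapped in PEM-style
# "-----BEGIN ...-----" / "-----END ...-----" armour; the armour is skipped.
PEM_ARMOUR = re.compile(r"^-----(?:BEGIN|END)[^\n]*-----[ \t]*$", re.MULTILINE)
# A run of base64 text at least 64 characters long, line breaks allowed.
B64_RUN = re.compile(r"[A-Za-z0-9+/\r\n]{64,}={0,2}")

MAGIC: List[Tuple[bytes, str]] = [
    (b"MZ", "PE executable"),
    (b"%PDF", "PDF document"),
    (b"\x7fELF", "ELF executable"),
    (b"PK\x03\x04", "ZIP container"),
]


def certutil_decode(text: str) -> bytes:
    """Strip PEM armour and whitespace, repair missing padding, base64-decode."""
    body = PEM_ARMOUR.sub("", text)
    body = re.sub(r"\s+", "", body)
    body += "=" * (-len(body) % 4)       # droppers often omit '=' padding
    return base64.b64decode(body, validate=True)


def classify(blob: bytes) -> str:
    """Label decoded bytes by leading magic; anything unrecognised is 'data'."""
    for magic, label in MAGIC:
        if blob.startswith(magic):
            return label
    return "data"


def triage_b64_files(files: Dict[str, str]) -> Dict[str, Tuple[str, int]]:
    """Map each dropped .b64 file name to (type of decoded content, size)."""
    out: Dict[str, Tuple[str, int]] = {}
    for name, text in files.items():
        try:
            blob = certutil_decode(text)
        except ValueError:               # binascii.Error is a ValueError
            out[name] = ("undecodable", 0)
            continue
        out[name] = (classify(blob), len(blob))
    return out


def carve_from_script(script: str) -> List[Tuple[str, int]]:
    """Find base64 runs embedded in HTA/script text and classify each one."""
    found: List[Tuple[str, int]] = []
    for m in B64_RUN.finditer(script):
        try:
            blob = certutil_decode(m.group(0))
        except ValueError:
            continue
        found.append((classify(blob), len(blob)))
    return found


def pem_wrap(data: bytes, label: str = "CERTIFICATE") -> str:
    """Produce the armoured form certutil -encode emits (64-character lines)."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed stand-ins for the three .b64 files the sandbox saw mshta.exe drop.
FAKE_DLL = b"MZ" + b"\x90" * 126                  # not a real PE, only the magic
FAKE_PDF = b"%PDF-1.7\n%decoy\n" + b"A" * 100     # not the real decoy document
FAKE_BIN = bytes(range(256))                      # opaque, like the .bin payload
CONSTRUCTED_DROPS = {
    "winhttp_2026.dll.b64": pem_wrap(FAKE_DLL),
    "relatorio_2026.pdf.b64": pem_wrap(FAKE_PDF),
    "OneDriveUpdate.bin.b64": pem_wrap(FAKE_BIN),
}

# Constructed HTA fragment carrying one payload inline (not the real sample).
CONSTRUCTED_HTA = (
    '<html><head><script language="VBScript">\n'
    "' constructed illustration of an inline base64 blob\n"
    'blob = "' + base64.b64encode(FAKE_DLL).decode("ascii") + '"\n'
    "</script></head></html>\n"
)

if __name__ == "__main__":
    for name, (kind, size) in triage_b64_files(CONSTRUCTED_DROPS).items():
        print(f"{name}: {kind}, {size} bytes")
    print("inline:", carve_from_script(CONSTRUCTED_HTA))
```

The padding repair and armour stripping matter in practice: certutil is tolerant of both, so a detection or decoder that insists on canonical base64 will miss exactly the files certutil happily rebuilds.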
Threat name: Script-JS.Trojan.Heuristic
Status: Malicious
First seen: 2026-06-18 10:21:25 UTC
File Type: Text (HTML)
Extracted files: 1
AV detection: 6 of 24 (25.00%)
Threat level: 2/5

Result
Malware family: n/a
Score: 8/10
Tags: defense_evasion discovery
Behaviour:
  Checks processor information in registry
  Enumerates system info in registry
  Modifies data under HKEY_USERS
  Modifies registry class
  Suspicious behavior: EnumeratesProcesses
  Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  Suspicious use of FindShellTrayWindow
  Suspicious use of WriteProcessMemory
  Browser Information Discovery
  Enumerates physical storage devices
  System Location Discovery: System Language Discovery
  System Time Discovery
  Drops file in Program Files directory
  Drops file in Windows directory
  Deobfuscate/Decode Files or Information
  Enumerates connected drives
  Checks computer location settings
  Loads dropped DLL
  Badlisted process makes network request
  Manipulates Digital Signatures

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Certutil_Decode_OR_Download
Author: Florian Roth (Nextron Systems)
Description: Certutil Decode
Reference: Internal Research

Rule name: detect_tiny_vbs
Author: daniyyell
Description: Detects tiny VBS delivery technique

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: pe_detect_tls_callbacks

Rule name: VECT_Ransomware
Author: Mustafa Bakhit
Description: Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

Rule name: Windows_Trojan_Adaptix_b2cda978
Author: Elastic Security
