MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d42ed4e43a06d1f97b4396deb53585739d8bc3ae2079fcea757cc2e3a357d599. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d42ed4e43a06d1f97b4396deb53585739d8bc3ae2079fcea757cc2e3a357d599
SHA3-384 hash: 83cf8ab4b0e74f6dcc8b3caaad466a2f03bd0a1334ed02b4129dd8f56ddd1f0f494887ec8260d1154637f2bc6ba033ec
SHA1 hash: 6f2c57a9965e6ee64cb2ddfebd258c0d890673d8
MD5 hash: 304e8c2fc98d4d63e37ea730ff1d10db
humanhash: thirteen-apart-don-mockingbird
File name:d42ed4e43a06d1f97b4396deb53585739d8bc3ae2079fcea757cc2e3a357d599
Download: download sample
File size:1'533'440 bytes
First seen:2025-04-08 08:26:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:SqNArx/MvKxIcFwil++V4iXGk8z5WU7WQU9Pvk6t9W2mZW8k9k5Leln0Di7VatCI:SqNclx9TD44Gb5WUKjE6t9mfAcU25
TLSH T18265225C47EC7A36DBFD02BDD0B6450DBA71E4A6B222F3C6188D74A0305E750A5932EE
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter adrian__luca
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
303
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d42ed4e43a06d1f97b4396deb53585739d8bc3ae2079fcea757cc2e3a357d599
Verdict:
Malicious activity
Analysis date:
2025-04-08 12:44:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d935faf1-a712-4744-bad3-db659475ef50

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67f4dfb2a695a0cd1facae7e
Tags:
autorun virus micro msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %AppData% directory
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
explorer lolbin obfuscated obfuscated packed packed packer_detected zusy
Link:
https://www.filescan.io/uploads/67f4dded2d430c849e0c7c06/reports/430a55b5-1a9e-474f-9145-f4dddf174774/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/d42ed4e43a06d1f97b4396deb53585739d8bc3ae2079fcea757cc2e3a357d599
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/eaffe01e-e00e-4497-aa6e-ad9cc8e8f3a8
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1659719
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d42ed4e43a06d1f97b4396deb53585739d8bc3ae2079fcea757cc2e3a357d599
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d42ed4e43a06d1f97b4396deb53585739d8bc3ae2079fcea757cc2e3a357d599/
Threat name:
ByteCode-MSIL.Infostealer.Tinba
Create hunting rule
Status:
Malicious
First seen:
2025-03-25 12:59:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2qxnjzb2a3i7s62ds3plknmfoooyxq5oeb47z2tvptbohi2x2wmq._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery
Link:
https://tria.ge/reports/250408-kcn7bs11ax/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Drops startup file
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/bf5171ca-2001-4d20-affe-bbfa9f0310c7
Unpacked files
SH256 hash:
d42ed4e43a06d1f97b4396deb53585739d8bc3ae2079fcea757cc2e3a357d599
MD5 hash:
304e8c2fc98d4d63e37ea730ff1d10db
SHA1 hash:
6f2c57a9965e6ee64cb2ddfebd258c0d890673d8
Link:
https://www.unpac.me/results/36548ed5-adb6-475a-bb39-71bed4405244/
SH256 hash:
071a5bbd55ae8c39c7b6af215cd1c82146996e536eb6736f108880bfa5d45ee2
MD5 hash:
584a27cda3a858fb1d909e9f04dbedfc
SHA1 hash:
b274b6df2584ad1b7cf884f3921057eeb8d41be4
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/36548ed5-adb6-475a-bb39-71bed4405244/
SH256 hash:
78f73e1734daa918b253517c75971fbb8df773a3d77d02a752e9a0ad1711a677
MD5 hash:
f9d2985aa1c41cca281321fffb5ed424
SHA1 hash:
3a7a58d2dcae2762882357ae34d372744b1dbb9d
Link:
https://www.unpac.me/results/36548ed5-adb6-475a-bb39-71bed4405244/
SH256 hash:
19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash:
4e29f75c0c51b9dec76955f0382d9541
SHA1 hash:
4899aa8e3f57339cbaec8faab777897a76fe1c3a
Link:
https://www.unpac.me/results/36548ed5-adb6-475a-bb39-71bed4405244/
SH256 hash:
386b0eb94e75301b9aa6226c6a722074aebb50e7864b09dcde0930decdfc5b6c
MD5 hash:
e5898a950919bdced60bf137a0221ed6
SHA1 hash:
74e302d9b87a257dab4e9cfef699e96ca35d955a
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/36548ed5-adb6-475a-bb39-71bed4405244/
SH256 hash:
ce27d520a65d80a6708ae9280aeb720b83b3ab8ab22f7419e14a917b14c90ba0
MD5 hash:
de56b46501f88843c2ffcfa5ed85eb63
SHA1 hash:
d7d67e652abf4b8dce29b4c2a6df68fb640b2b0b
Link:
https://www.unpac.me/results/36548ed5-adb6-475a-bb39-71bed4405244/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d42ed4e43a06/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d42ed4e43a06d1f97b4396deb53585739d8bc3ae2079fcea757cc2e3a357d599

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments