MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dce7213526e308a4decd939c5caa83de1f67b7a9f82fd6cee0e6a8bfc008b430. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown

Vendor detections: 9



SHA256 hash: dce7213526e308a4decd939c5caa83de1f67b7a9f82fd6cee0e6a8bfc008b430
SHA3-384 hash: 4311bdb81c22acfd3cd9975aafe3c293cc57623544bffe199804d2086aca6ca1c426c8803910f221266b227fcc75b6f5
SHA1 hash: d2c5b4538308e4574e549577103db3349ad46a95
MD5 hash: 75a8de0370ec88a20494f5bad260d215
humanhash: fish-quiet-oven-high
File name: dce7213526e308a4decd939c5caa83de1f67b7a9f82fd6cee0e6a8bfc008b430.bat
File size: 6'312'693 bytes
First seen: 2025-03-06 08:46:03 UTC
Last seen: Never
File type: Batch (bat)
MIME type: text/x-msdos-batch
ssdeep: 49152:w/AUMqO7EHqWZCEHUZUqPlQJocMEZTeM/O/SO8XdpENThWAOdo3sJyeUy3nbJrRz:y
TLSH: T1F556332437EA2D550DAD893921E71A2EFB97CF660C51F0D382AE29011F4FB523877972
Magika: txt
Reporter: JAMESWT_WT
Tags: 193-34-77-163 bat WDS100T2B0A

Intelligence

File Origin
# of uploads: 1
# of downloads: 115
Origin country: IT

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: SPAM.zip
Verdict: Malicious activity
Analysis date: 2025-03-06 08:44:59 UTC
Tags: arch-exec

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 91.7%
Tags: shell spawn sage

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: obfuscated

Result
Verdict: UNKNOWN

Result
Threat name: n/a
Detection: malicious
Classification: spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Found large BAT file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Searches for specific processes (likely to inject)
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Writes to foreign memory regions
Yara detected Powershell decrypt and execute
Behaviour
Behavior Graph: [process-tree graph not reproduced in text] Behavior Graph ID: 1630803, Sample: P7x3sGrCUJ.bat, Start date: 06/03/2025, Architecture: WINDOWS, Score: 100
Threat name: Script-BAT.Trojan.Onimai
Status: Malicious
First seen: 2025-02-16 15:55:16 UTC
File Type: Text
AV detection: 8 of 24 (33.33%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: execution
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample, such as delivery method and external references.

Comments