MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e30a9bee5ee26e31edbdd2654969551cbabd2694b8703539f768c04b53c19be0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown
Vendor detections: 14

SHA256 hash: e30a9bee5ee26e31edbdd2654969551cbabd2694b8703539f768c04b53c19be0
SHA3-384 hash: fab2f6b17cc6e27b1fe7555e0e581fb4ce0b7fda1b98d32fa1866035f28cdd853c94bd230b53278103b413a0af122fb6
SHA1 hash: 116a9b2d2b5f55c3fa8c672ae6fb4576d4f93bd9
MD5 hash: 04a0287db9563a85e139d7740408ece5
humanhash: magazine-missouri-kilo-yellow
File name: buding.exe
File size: 5'218'858 bytes
First seen: 2025-11-16 16:27:37 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9165ea3e914e03bda3346f13edbd6ccd (3 x ValleyRAT, 2 x QuasarRAT, 1 x Redosdru)
ssdeep: 98304:VGM0dhpYiqTVpNjvePmCqYRGKIPIvPn0CYijpJoG3uOi:M7dhpYHTVzTEGKIPm0CjjkX
TLSH: T17336D063A51188D4E02809F291B30BD42A786EA2D878655FFAC4FCBD3CB75318EB55DC
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
Reporter: abuse_ch
Tags: exe upx-dec


abuse_ch
UPX decompressed file, sourced from SHA256 b59199454fb6665bfd64c5a88d13532eb56b22735b83ba262cc643dd290d5f97
File size (compressed): 4'240'938 bytes
File size (de-compressed): 5'218'858 bytes
Format: win32/pe
Packed file: b59199454fb6665bfd64c5a88d13532eb56b22735b83ba262cc643dd290d5f97

Intelligence


File Origin
# of uploads: 1
# of downloads: 88
Origin country: NL

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: buding.exe
Verdict: Malicious activity
Analysis date: 2025-11-16 16:40:52 UTC
Tags: xor-url generic ip-check icmp loader upx aspack

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: shellcode extens madi sage

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating synchronization primitives
Connection attempt
Sending an HTTP GET request
Creating a file
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for the window
Launching a process
Modifying an executable file
Restart of the analyzed sample
Launching a tool to kill processes
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: babar flystudio microsoft_visual_cc overlay

Verdict: Malicious
File Type: exe x32
First seen: 2025-11-16T14:04:00Z UTC
Last seen: 2025-11-16T19:49:00Z UTC
Hits: ~100

Result
Threat name: n/a
Detection: malicious
Classification: troj.evad.rans
Score: 88 / 100
Signature
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Contains functionality to change the wallpaper
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph: [interactive graph not recoverable; Behavior Graph ID 1814913, Sample buding.exe, Startdate 16/11/2025, Architecture WINDOWS, Score 88. The graph shows buding.exe spawning cmd.exe, which in turn starts ping.exe, taskkill.exe, conhost.exe and a fresh copy of buding.exe, with this cmd.exe/buding.exe cycle repeating several times. Dropped files include C:\Users\user\Desktop\1.exe, xplib.fne and spec.fne plus 17 other files (10 malicious). Network contact to xui.ptlogin2.qq.com, ui.ptlogin2.qq.com, localhost.ptlogin2.qq.com (127.0.0.1), 47.98.224.91 (Alibaba, China) and 13 other IPs or domains.]
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Threat name: Win32.Trojan.Kepavll
Status: Malicious
First seen: 2025-11-16 16:28:22 UTC
File Type: PE (Exe)
Extracted files: 3
AV detection: 24 of 38 (63.16%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: discovery
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
System Location Discovery: System Language Discovery
Loads dropped DLL

Verdict: Malicious
Tags: Win.Malware.Flystudio-6937682-0
YARA: n/a
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: ASPackv212AlexeySolodovnikov
Author: malware-lu
Rule name: ASProtectV2XDLLAlexeySolodovnikov
Author: malware-lu
Rule name: CMD_Ping_Localhost
Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack
Rule name: SUSP_XORed_URL_In_EXE
Author: Florian Roth (Nextron Systems)
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834
Rule name: SUSP_XORed_URL_in_EXE_RID2E46
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834
Rule name: UPX20030XMarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu
Rule name: UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu
Rule name: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu
Rule name: UPXv20MarkusLaszloReiser
Author: malware-lu
Rule name: upx_3
Author: Kevin Falcoz
Description: UPX 3.X
Rule name: upx_largefile
Author: k3nr9

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe e30a9bee5ee26e31edbdd2654969551cbabd2694b8703539f768c04b53c19be0 (this sample)

Comments