MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e685c5e8ec5ce983408f278a33b236cb355fc0f4cbca9361c920d28ee12de25d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BlackShades


Vendor detections: 17


Intelligence 17 IOCs YARA 19 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e685c5e8ec5ce983408f278a33b236cb355fc0f4cbca9361c920d28ee12de25d
SHA3-384 hash: 8858aabf8d344b927fb9b9913916af52194d707dcac55c811d224d15f08eb5a92730b1fb5dd1bacead2105146dd3fcca
SHA1 hash: e8f6a9a812b4dbe20933cc06e3c66797a92c9848
MD5 hash: 266053c06940992ccc5ae706fa85ad63
humanhash: mountain-california-pasta-single
File name:saiec.exe
Download: download sample
Signature BlackShades
Create hunting rule
File size:364'544 bytes
First seen:2026-05-24 10:14:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 18aee7cc80e48017bb06b13550617d1d (5 x BlackShades, 1 x BabylonRAT)
ssdeep 6144:iL1ncfWwN0oc35jeRh8Xqfy/Ka1OHAH0tMrKCTEABG+Z9d3cQTUoKVY4qf87iJw8:iLdcfxaeM6fy/KaVUtgKkTZ73coU5C/f
Threatray 55 similar samples on MalwareBazaar
TLSH T1E074232248DA171BC8AB96F844047ACCCC6B095F01CD9794DB917AFB704FEF295A49EC
TrID 63.4% (.EXE) UPX compressed Win32 Executable (27066/9/6)
11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.7% (.EXE) OS/2 Executable (generic) (2029/13)
4.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter Anonymous
Tags:auto-reg babylon BlackShades exe RAT UPX
File size (compressed) :364'544 bytes
File size (de-compressed) :750'592 bytes
Format:win32/pe
Unpacked file: 3626cfa5ffb16dc6aa208f33e238575fe4d5ad6649b59ba0b3611524a699020a

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
BE BE
Vendor Threat Intelligence
Malware configuration found for:
BabylonRAT PEPacker
Details
BabylonRAT
c2 socket addresses, a mutex, an interval, network encryption keys, and, if configured, installation parameters
PEPacker
a UPX version number and an unpacked binary
Link:
https://research.acce.ciphertechsolutions.com/results/01ccf237-aa5c-4d59-9e7a-d04a4705a77d/
Malware family:
babylon
Create hunting rule
ID:
1
File name:
saiec.exe
Verdict:
Malicious activity
Analysis date:
2026-05-24 10:03:46 UTC
Tags:
auto-reg upx babylon rat
Link:
https://app.any.run/tasks/c74f9427-1cd5-4200-a045-5608c2ca1711

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/67754/
Detection(s):
Win.Malware.Generic-10015566-0
Create hunting rule

YARA.MALPEDIA_Win_Babylon_Rat_Auto.UNOFFICIAL
Create hunting rule

YARA.SEKOIA_Rat_Win_Babylon.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.WebPick.9018.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a12cd0198070a72bb9d7e6f
Tags:
downloader dropper remo
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Сreating synchronization primitives
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Setting a single autorun event
Setting a global event handler for the keyboard
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug crypto fingerprint keylogger microsoft_visual_cc overlay packed packed reconnaissance upx
Link:
https://www.filescan.io/uploads/6a12cf89efbd399b39ca2b34/reports/36474e55-4423-4f42-9a05-115f53863988/overview
Verdict:
Malicious
Labled as:
Mint.Zard.Generic
Link:
https://www.hybrid-analysis.com/sample/e685c5e8ec5ce983408f278a33b236cb355fc0f4cbca9361c920d28ee12de25d
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-05-24T07:08:00Z UTC
Last seen:
2026-05-24T07:10:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.Win32.Generic HEUR:Trojan-Spy.Win32.Larby.gen Trojan.Win32.Foxhiex.sb Trojan.Win32.Agent.sb Trojan-Spy.Win32.Xegumumune.sbc Trojan-Spy.Win32.Stealer.sb Trojan-Spy.Win32.Larby.sb Trojan-Spy.Win32.KeyLogger.sb Trojan-Dropper.Win32.Dapato.sb Trojan.Win32.Zonidel.sb
Link:
https://opentip.kaspersky.com/e685c5e8ec5ce983408f278a33b236cb355fc0f4cbca9361c920d28ee12de25d/results?tab=lookup
Malware family:
Dodiw
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c34cc934-d0f2-47e4-99b2-ebd95cb5d622
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e685c5e8ec5ce983408f278a33b236cb355fc0f4cbca9361c920d28ee12de25d
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/266053c06940992ccc5ae706fa85ad63
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e685c5e8ec5ce983408f278a33b236cb355fc0f4cbca9361c920d28ee12de25d/
Verdict:
Malicious
Threat:
Family.BABYLONRAT
Link:
https://tip.neiki.dev/file/e685c5e8ec5ce983408f278a33b236cb355fc0f4cbca9361c920d28ee12de25d
Threat name:
Win32.Trojan.MintZard
Create hunting rule
Status:
Malicious
First seen:
2026-05-24 10:03:52 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
34 of 36 (94.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=42c4l2hmltuygqepe6fdhmrwzm2v7qhuzpfjgyojedji5yjn4joq._file
Verdict:
malicious
Label(s):
babylonrat
Create hunting rule
Similar samples:
328b883ad4efd1b6a78cfbc173a65fee48dea20469be7cd817ab089758faea0b
BlackShades
60afdd784796754f4c91bdd26b72157cc62692fa7134bc91bee694fbb2b0e057
BlackShades
a17e2f106640e3451af6faab503fbbc88b7aecb4ac091fc8cb1266dea7f1cdb3
BlackShades
afb047616bd38a5e465bfeaff788843797806e4e9e72150906cac2004de7c9b7
BlackShades
e9a8601a49cc030d4fedc70be3e7f3aeb47af4660ccba49eb3f8510e5eac4507
BlackShades
error
BlackShades
+ 45 additional samples on MalwareBazaar
Result
Malware family:
babylonrat
Create hunting rule
Score:
  10/10
Tags:
family:babylonrat discovery persistence trojan upx
Link:
https://tria.ge/reports/260524-l9ybyaaw3p/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
UPX packed file
Adds Run key to start application
Executes dropped EXE
Babylon RAT payload
Family: Babylon RAT
Unpacked files
SH256 hash:
e685c5e8ec5ce983408f278a33b236cb355fc0f4cbca9361c920d28ee12de25d
MD5 hash:
266053c06940992ccc5ae706fa85ad63
SHA1 hash:
e8f6a9a812b4dbe20933cc06e3c66797a92c9848
Link:
https://www.unpac.me/results/1729bca3-2608-493b-8f0c-1d3d0db2a67d/
SH256 hash:
641518539a1318ca172d7727b3a084507dd2400d56d197555879408e6a51a567
MD5 hash:
cdc1829d8994bcb98bd4d76ec7b23440
SHA1 hash:
13eac15b1bc1832b03b1cf5f8b5061e071692ea0
Link:
https://www.unpac.me/results/1729bca3-2608-493b-8f0c-1d3d0db2a67d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e685c5e8ec5c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e685c5e8ec5ce983408f278a33b236cb355fc0f4cbca9361c920d28ee12de25d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BlackShades_4
Create hunting rule
Author:Jean-Philippe Teissier / @Jipe_
Description:BlackShades
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_BabylonRAT
Create hunting rule
Author:ditekSHen
Description:Detects BabylonRAT / CollectorStealer / ParadoxRAT
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:upx_largefile
Create hunting rule
Author:k3nr9
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
Rule name:Windows_Trojan_Babylonrat_0f66e73b
Create hunting rule
Author:Elastic Security
Rule name:win_babylon_rat_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.babylon_rat.
Rule name:win_blackshades_w0
Create hunting rule
Author:Jean-Philippe Teissier / @Jipe_

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BlackShades

Executable exe e685c5e8ec5ce983408f278a33b236cb355fc0f4cbca9361c920d28ee12de25d

(this sample)

BlackShades

Executable exe 3626cfa5ffb16dc6aa208f33e238575fe4d5ad6649b59ba0b3611524a699020a

anyrun
any.run
https://any.run/report/e685c5e8ec5ce983408f278a33b236cb355fc0f4cbca9361c920d28ee12de25d/c74f9427-1cd5-4200-a045-5608c2ca1711
  
Delivery method
Multiple
Cape
Cape
https://www.capesandbox.com/analysis/67754/
  
Dropping
SHA256 3626cfa5ffb16dc6aa208f33e238575fe4d5ad6649b59ba0b3611524a699020a
  
Dropping
MD5 a6043f689cc9a9c3ea194c8fb33ed557

Comments