MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e8015a84199f057940ae00f728a9a708a3a226ef0eb37e9ceb420a0fec7ba08b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e8015a84199f057940ae00f728a9a708a3a226ef0eb37e9ceb420a0fec7ba08b
SHA3-384 hash: f56eba3e27084d1e6a4c9bf703e013157aab8fa3cb04cdb6eb120caf0cc10dac186501b248b5f90ad4a27c04d249586e
SHA1 hash: dd76cb03b1422967feeca452fb9de760058e7b58
MD5 hash: 4349e3225ae2b75718768f59d8155fae
humanhash: sodium-earth-nebraska-bacon
File name:DDD.bat
Download: download sample
File size:196'975 bytes
First seen:2026-01-22 10:14:32 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 6144:oewqYsGTajbaUT1TOiBFjL+mNdtSeuZmtuExb:oewcGT2bagTXrjL3Fb
TLSH T1BC1412F133EB78DCC0A8105A977A04790E38BD53BE51ED94B4C42284998D76ECF9BC49
Magika batch
Reporter smica83
Tags:bat

Intelligence

File Origin
# of uploads :
1
# of downloads :
49
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
BatchScript
Details
Link:
https://research.acce.ciphertechsolutions.com/results/70c62ea2-3b68-4a3e-9055-4738046e752d/
Malware family:
n/a
ID:
1
File name:
DDD.bat
Verdict:
Malicious activity
Analysis date:
2026-01-22 10:16:52 UTC
Tags:
auto-reg
Link:
https://app.any.run/tasks/ae8d27d1-ce1b-4029-b4c6-6d8e52015756

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/49713/
Verdict:
Clean
Score:
82.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6971f88cbcad3327ec078baa
Tags:
n/a
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
base64 evasive obfuscated powershell
Link:
https://www.filescan.io/uploads/6971f88a55805a763fefc505/reports/dd8fbad2-0785-4f07-8e45-14ba9d9e1a77/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/e8015a84199f057940ae00f728a9a708a3a226ef0eb37e9ceb420a0fec7ba08b
Verdict:
Malicious
File Type:
unix shell
First seen:
2026-01-22T07:25:00Z UTC
Last seen:
2026-01-22T09:04:00Z UTC
Hits:
~10
Detections:
Trojan.BAT.Agent.sb HEUR:Trojan.PowerShell.Agent.gen
Link:
https://opentip.kaspersky.com/e8015a84199f057940ae00f728a9a708a3a226ef0eb37e9ceb420a0fec7ba08b/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1855619
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Powershell is started from unusual location (likely to bypass HIPS)
Reads the Security eventlog
Reads the System eventlog
Renames powershell.exe to bypass HIPS
Sigma detected: Suspicious Executable File Creation
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1855619 Sample: DDD.bat Startdate: 22/01/2026 Architecture: WINDOWS Score: 88 43 Multi AV Scanner detection for submitted file 2->43 45 Yara detected Powershell decode and execute 2->45 47 .NET source code contains potential unpacker 2->47 49 3 other signatures 2->49 8 cmd.exe 2 2->8         started        12 Filename.exe 28 2->12         started        14 Filename.exe 2->14         started        process3 file4 35 C:\Users\user\Desktop\DDD.bat.exe, PE32+ 8->35 dropped 51 Renames powershell.exe to bypass HIPS 8->51 16 DDD.bat.exe 1 18 8->16         started        20 conhost.exe 8->20         started        53 Powershell is started from unusual location (likely to bypass HIPS) 12->53 55 Reads the Security eventlog 12->55 57 Reads the System eventlog 12->57 22 conhost.exe 12->22         started        24 conhost.exe 14->24         started        signatures5 process6 file7 31 C:\Users\user\AppData\Roaming\Filename.exe, PE32+ 16->31 dropped 33 C:\Users\user\AppData\...\DDD.bat.exe.log, CSV 16->33 dropped 37 Powershell is started from unusual location (likely to bypass HIPS) 16->37 39 Reads the Security eventlog 16->39 41 Reads the System eventlog 16->41 26 Filename.exe 28 16->26         started        signatures8 process9 signatures10 59 Powershell is started from unusual location (likely to bypass HIPS) 26->59 61 Reads the Security eventlog 26->61 63 Reads the System eventlog 26->63 29 conhost.exe 26->29         started        process11
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/e8015a84199f057940ae00f728a9a708a3a226ef0eb37e9ceb420a0fec7ba08b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e8015a84199f057940ae00f728a9a708a3a226ef0eb37e9ceb420a0fec7ba08b/
Verdict:
Malicious
Threat:
Trojan.BAT.Agent
Link:
https://tip.neiki.dev/file/e8015a84199f057940ae00f728a9a708a3a226ef0eb37e9ceb420a0fec7ba08b
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5aavvbazt4cxsqfoad3srknhbcr2ejxpb2zx5hhliifa73d3ucfq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/260122-l9z6jacx8f/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e8015a84199f057940ae00f728a9a708a3a226ef0eb37e9ceb420a0fec7ba08b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:WIN_FileFix_Detection
Create hunting rule
Author:dogsafetyforeverone
Description:Detects FileFix social engineering technique that launches chained PowerShell and PHP commands from file explorer typed paths
Reference:FileFix social engineering with PowerShell and PHP commands

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/49713/

Comments