MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f499e385f4a4249fadbe00260417c51b26b4cbb32abdf933b6e772d6f22a6cbb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f499e385f4a4249fadbe00260417c51b26b4cbb32abdf933b6e772d6f22a6cbb
SHA3-384 hash: e8b3922f0bc27c412c85fb76fe006d9b97afcea389bbb8581131fd1883f40fb09f1f5109c5edef84983261e53a20684e
SHA1 hash: 8a05376bb8a28113df02cc84d8d57e4f0278551a
MD5 hash: 09b20ab098ed3a7e0a8ff215f3b99037
humanhash: timing-wisconsin-quiet-wyoming
File name:mpclient.dll
Download: download sample
File size:2'644'023 bytes
First seen:2025-11-04 15:06:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 96ea0a05de9bd8786a471a32a5c6040a (2 x XWorm, 1 x AsyncRAT)
ssdeep 24576:OmXVveqs51pom/YaekDoXDFOB09DIERoZ1W+xneNJ6clMi81s3Adc+zM8f:OmXVvE51pom/NPDozFBx+xnc+o8f
Threatray 12 similar samples on MalwareBazaar
TLSH T131C5094369DF0DA9C9D277B8A1C35336B734FD708B295E3EAA48C23119536C4AE1BB40
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10522/11/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter James_inthe_box
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://sunseekernoosa.com.au/home.php
Verdict:
Malicious activity
Analysis date:
2025-11-04 09:58:52 UTC
Tags:
webdav stealer auto generic loader auto-sch-xml arch-exec remote xworm
Link:
https://app.any.run/tasks/197ed08b-448e-46f8-a1ab-473c16c83453

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/35313/
Verdict:
Malicious
Score:
94.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=690a1752706befaf4ecba84f
Tags:
vmdetect
Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Connection attempt
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug anti-vm anti-vm evasive masquerade mingw overlay overlay packed
Link:
https://www.filescan.io/uploads/690a175b54bd57cadc985fb4/reports/d3b6a1ce-72fb-4297-aa85-2c4edad2c4f6/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/f499e385f4a4249fadbe00260417c51b26b4cbb32abdf933b6e772d6f22a6cbb
Verdict:
Malicious
File Type:
dll x64
First seen:
2025-11-04T12:14:00Z UTC
Last seen:
2025-11-04T18:55:00Z UTC
Hits:
~10
Detections:
Backdoor.MSIL.XWorm.fed Backdoor.Agent.TCP.C&C Trojan.Win64.DonutInjector.sb Trojan.Win64.Donut.sb Trojan.Win32.Shellcode.sb Backdoor.MSIL.XWorm.b Trojan.Win64.Agentb.sb PDM:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/f499e385f4a4249fadbe00260417c51b26b4cbb32abdf933b6e772d6f22a6cbb/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/8a3d6a43-3c04-4b4b-823c-190099cd0001
Score:
83%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f499e385f4a4249fadbe00260417c51b26b4cbb32abdf933b6e772d6f22a6cbb
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/09b20ab098ed3a7e0a8ff215f3b99037
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f499e385f4a4249fadbe00260417c51b26b4cbb32abdf933b6e772d6f22a6cbb/
Verdict:
Malicious
Threat:
Trojan.MSIL.XWorm
Link:
https://tip.neiki.dev/file/f499e385f4a4249fadbe00260417c51b26b4cbb32abdf933b6e772d6f22a6cbb
Threat name:
Win64.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-11-04 15:06:22 UTC
File Type:
PE+ (Dll)
AV detection:
11 of 23 (47.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6sm6hbpuuqsj7ln6aataif6fdmtljs5tfk67sm5w45znn4rkns5q._file
Verdict:
malicious
Label(s):
donutloader
Create hunting rule
xworm
Create hunting rule
Similar samples:
0cc33e0d5424574265f75f1b6dc03e8894cff26a14c555072a8d5bcbf6ed7a7a
0d14240f3f3fefdf4ea4f220c0282bbda14407b74f163a5c7fd1cfb17b5261a1
2112c64c29f78b91dc2570230fb8bdfabaae24f0271da65391a6d52a9047b877
2a3772d48ec43bf5e411894808e4cbce1955fafe6c8a26f3a03c5df96f9ca3a8
5dc1d76249b8a0af8fa96786356b7c5af4eed7a1df7e12800c11045fe47c0ff9
error
f499e385f4a4249fadbe00260417c51b26b4cbb32abdf933b6e772d6f22a6cbb
+ 2 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/251104-sjgptsct2e/
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c2fef239-7f2d-496c-a2fb-0ac9aed7f75d
Unpacked files
SH256 hash:
f499e385f4a4249fadbe00260417c51b26b4cbb32abdf933b6e772d6f22a6cbb
MD5 hash:
09b20ab098ed3a7e0a8ff215f3b99037
SHA1 hash:
8a05376bb8a28113df02cc84d8d57e4f0278551a
Link:
https://www.unpac.me/results/35eec670-4f5c-473b-9389-a3d285c3664e/
Malware family:
DonutLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f499e385f4a4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f499e385f4a4249fadbe00260417c51b26b4cbb32abdf933b6e772d6f22a6cbb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/35313/

Comments