MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f7433ed3022e4e54d0e81e352c18a2f96e3722dddcec3f1971a3f443ca6befd0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f7433ed3022e4e54d0e81e352c18a2f96e3722dddcec3f1971a3f443ca6befd0
SHA3-384 hash: f84271585cd4bc48121f957fe729ca64feecbb5257f8296f1c3c3734bff4f96a4566e47276bb2de0f6e27826d94a2a93
SHA1 hash: a50acb34a9ee758de5dfccaa097f3b8a5af7e5ba
MD5 hash: e71198c9d343ad99fce38b58056f3d67
humanhash: kansas-london-pizza-xray
File name:upx.bat
Download: download sample
File size:7'040'575 bytes
First seen:2025-11-09 03:50:58 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 49152:+gf49T8MCkXd8OVRSZS0Mo5YVLHb/B3dHybHeOKX6xSnpTlur8ciNO3IOUw+YCUK:A
Threatray 1'567 similar samples on MalwareBazaar
TLSH T15E663303DFA91DAC4658172CB0BBDF1A2D740F90D44CB2DA16E860C9669A7C25D7FE2C
TrID 50.0% (.BIB/BIBTEX/TXT) BibTeX references (5500/1/2)
50.0% (.MSS) Scribe Markup (5500/1/2)
Magika batch
Reporter skocherhan
Tags:bat


Avatar
skocherhan
https://file.garden/ZyDs6MgY4ErpKIQ9/upx.bat

Intelligence

File Origin
# of uploads :
1
# of downloads :
50
Origin country :
GB GB
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
_f7433ed3022e4e54d0e81e352c18a2f96e3722dddcec3f1971a3f443ca6befd0.txt
Verdict:
No threats detected
Analysis date:
2025-11-09 03:51:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/03209d1c-da07-40cf-88bb-47a6ee0a7a6d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/36596/
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69100fb43afb53888cc9f756
Tags:
obfuscate shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Running batch commands
Sending a custom TCP request
Creating a file
Delayed writing of the file
Using the Windows Management Instrumentation requests
Creating a process with a hidden window
Searching for synchronization primitives
Creating a file in the Windows subdirectories
Launching cmd.exe command interpreter
Launching the default Windows debugger (dwwin.exe)
Setting browser functions hooks
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
cmd lolbin obfuscated wmic
Link:
https://www.filescan.io/uploads/69100fae8938e2fe2217ecde/reports/6dcbc584-fce2-420c-866b-a0f76607e807/overview
Verdict:
Suspicious
Labled as:
Trojan/BAT.Runner
Link:
https://www.hybrid-analysis.com/sample/f7433ed3022e4e54d0e81e352c18a2f96e3722dddcec3f1971a3f443ca6befd0
Verdict:
Malicious
File Type:
unix shell
First seen:
2024-10-29T14:35:00Z UTC
Last seen:
2025-11-09T13:57:00Z UTC
Hits:
~10
Detections:
PDM:Trojan.Win32.Generic PDM:Exploit.Win32.Generic HEUR:Trojan-Dropper.BAT.Onimai.gen
Link:
https://opentip.kaspersky.com/f7433ed3022e4e54d0e81e352c18a2f96e3722dddcec3f1971a3f443ca6befd0/results?tab=lookup
Score:
94%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/f7433ed3022e4e54d0e81e352c18a2f96e3722dddcec3f1971a3f443ca6befd0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f7433ed3022e4e54d0e81e352c18a2f96e3722dddcec3f1971a3f443ca6befd0/
Verdict:
Malicious
Threat:
Trojan-Dropper.BAT.Onimai
Link:
https://tip.neiki.dev/file/f7433ed3022e4e54d0e81e352c18a2f96e3722dddcec3f1971a3f443ca6befd0
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-11-09 03:51:16 UTC
File Type:
Text (PowerShell)
AV detection:
5 of 24 (20.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=65bt5uycfzhfjuhidy2sygfc7fxdoiw53twd6glrup2ehstl57ia._file
Verdict:
malicious
Label(s):
r77rootkit
Create hunting rule
Similar samples:
16ac635a5a5e0188a2139e4712b397f7bb6e0c0771df937b566a01bcd64fa41c
2f0ff1a3573cb45775b709b1e8df418ff7adcc5b678a52a768d02933b6174ca6
7cf4e952263f348a6cf37fc84468613af0311e6eb87ea7494e07204f149bbf0c
88db7224a27c32a9c8e5b12e7be3204d483d2e1dcdd7038ca2d9e553de4a397b
984dbd06c3a8ece43142e45d61b2aa3dfae7be270edc66153dc8d521f481d1ef
bde92e1dce25cae77e42162c51f9b176586675bf4f0df5fd077bfe675d4259f7
e5ccb90afcfbb5bfea4485765374e8f30b2987459f7f506c879582bca6dcbc16
error
f8626f86d774c3d65f29ae1c31c77eae9101ebc135446989307754498fb15bfa
+ 1'557 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/251109-eelakabl8w/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:Warp
Create hunting rule
Author:Seth Hardy
Description:Warp
Rule name:WarpStrings
Create hunting rule
Author:Seth Hardy
Description:Warp Identifying Strings

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/36596/

Comments