MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04c6ab57035d2f19ba8a00dfec1836e88d03bf8bf153819d751260e13fa269f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 04c6ab57035d2f19ba8a00dfec1836e88d03bf8bf153819d751260e13fa269f3
SHA3-384 hash: a7aa0f738d7ae77e403ec465ad512157a1f4ae0b7f47d51fa5510f7143183970c1fef15e1b34672b7aba4940d77ca46d
SHA1 hash: 43794a8ee7348ca5088292c8d1c0199cb044f891
MD5 hash: 97558949f8311c80823bca9f802be6e0
humanhash: green-sierra-alpha-triple
File name:file
Download: download sample
File size:90'429'440 bytes
First seen:2026-02-15 08:51:05 UTC
Last seen:2026-02-15 16:54:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9bf3f5698d1c8e5d8bbe8d194ac5d544
ssdeep 786432:fAZqtFi3zQzwBs6vNtcZY5Dfw3pgPVlcmXW8:fAZui3zQz2jOZKft
TLSH T17E187D03B3A705D5E8F7DA3196E65223A932BC066F3085DF324C17262F73AE05A76B51
TrID 51.9% (.EXE) Win64 Executable (generic) (6522/11/2)
16.1% (.EXE) OS/2 Executable (generic) (2029/13)
15.9% (.EXE) Generic Win/DOS Executable (2002/3)
15.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe fbf543


Avatar
Bitsight
url: https://www.directfiles.link/U6730J7SU/cherry387.exe

Intelligence

File Origin
# of uploads :
26
# of downloads :
2'109
Origin country :
US US
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/d0844f73-f3a3-4f86-80c3-47c60f4d5bac/
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Suspicious activity
Analysis date:
2026-02-15 08:53:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/22f0f95e-7a14-40ec-bd11-baa0f6a884ce

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=699189272715406c6479bcbc
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Restart of the analyzed sample
Creating a process with a hidden window
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Connection attempt to an infection source
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Moving a recently created file
Searching for analyzing tools
Searching for the window
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Creating a window
Running batch commands
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug crypto fingerprint microsoft_visual_cc
Link:
https://www.filescan.io/uploads/69918911981ff1d38a566460/reports/411054e8-e1fc-4e1b-8dc5-faddc6553d74/overview
Verdict:
Malicious
Labled as:
W64/Loader.M.gen
Link:
https://www.hybrid-analysis.com/sample/04c6ab57035d2f19ba8a00dfec1836e88d03bf8bf153819d751260e13fa269f3
Verdict:
Malicious
File Type:
exe x64
Detections:
HEUR:Trojan-Downloader.Script.Agent.gen
Link:
https://opentip.kaspersky.com/04c6ab57035d2f19ba8a00dfec1836e88d03bf8bf153819d751260e13fa269f3/results?tab=lookup
Score:
0%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/04c6ab57035d2f19ba8a00dfec1836e88d03bf8bf153819d751260e13fa269f3
Gathering data
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/04c6ab57035d2f19ba8a00dfec1836e88d03bf8bf153819d751260e13fa269f3
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=atdkwvydluxrtoukadp6ygbw5cgqhp4l6fjydhlvcjqocp5cnhzq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution
Link:
https://tria.ge/reports/260215-ksemtsgy3f/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates processes with tasklist
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 04c6ab57035d2f19ba8a00dfec1836e88d03bf8bf153819d751260e13fa269f3

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3778243/
  
URLhaus
https://urlhaus.abuse.ch/url/3778364/

Comments