MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a4aeb4dd0aa51ddbf5be869e05ca9cd3670d66d3ec43889c42cf32d791f2c27. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 9

SHA256 hash: 0a4aeb4dd0aa51ddbf5be869e05ca9cd3670d66d3ec43889c42cf32d791f2c27
SHA3-384 hash: 1e91984d41ffdb5e740416e8ba9465c08e6356a189aab51efd8e77e549ffee5a043603f4d7b9431f14593f8051305064
SHA1 hash: 6b1052da2540db7ba59933bad76c6a4b7048ee77
MD5 hash: 81f085b4c164d0b6d303e0c762a9c9a1
humanhash: bacon-rugby-queen-hawaii
File name: file
File size: 11'093'504 bytes
First seen: 2026-01-20 21:40:46 UTC
Last seen: 2026-01-20 23:26:58 UTC
File type: Executable exe
MIME type: application/x-dosexec
ssdeep: 49152:zwXkp+UqhFIZGpGq9Ts8+f0zzuQnKdm87PqvYocA+SnyX5emyoBLGnEBaxdk+otV:zwXkoUqhFFzXnQo48myrx8x5OS
TLSH: T1C9B66B51F3B4C2A5C0268134A9A3A313F730B8594705A7CB5BD4AEA52FB73D06DAF316
TrID: 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      26.1% (.EXE) Win64 Executable (generic) (10522/11/4)
      12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
      5.1% (.ICL) Windows Icons Library (generic) (2059/9)
      5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
Reporter: Bitsight
Tags: dropped-by-amadey exe fbf543


Bitsight
url: http://130.12.180.43/files/7782139129/qw21IdW.exe

Intelligence

File Origin
# of uploads: 18
# of downloads: 197
Origin country: US

Vendor Threat Intelligence

No detections
Malware family: n/a
ID: 1
File name: file
Verdict: No threats detected
Analysis date: 2026-01-20 21:42:00 UTC
Tags: api-base64 wmi-base64

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 90.2%
Tags: shellcode dropper virus

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug base64 expired-cert obfuscated packed

Verdict: Malicious
File Type: exe x64
First seen: 2026-01-20T19:15:00Z UTC
Last seen: 2026-01-21T18:21:00Z UTC
Hits: ~1000
Detections: HEUR:Trojan.MSIL.Agent.gen NetTool.GitHubGetUser.HTTP.C&C NetTool.GitHubGetRepo.HTTP.C&C

Verdict: inconclusive
YARA: 6 match(es)
Tags: .Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.32 Win 64 Exe x64

Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour:
Suspicious use of AdjustPrivilegeToken
Contacts third-party web service commonly abused for C2
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerHiding__Active
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name: Glasses
Author: Seth Hardy
Description: Glasses family

Rule name: GlassesCode
Author: Seth Hardy
Description: Glasses code features

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: meth_stackstrings
Author: Willi Ballenthin

Rule name: pe_no_import_table
Description: Detect pe file that no import table

Rule name: RANSOMWARE
Author: ToroGuitar

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Executable exe 0a4aeb4dd0aa51ddbf5be869e05ca9cd3670d66d3ec43889c42cf32d791f2c27 (this sample)
Dropped by: Amadey
Delivery method: Distributed via web download
