MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d1d7e555a9c17636d3d83339cf9ad9382b1bb8aa970b5509f0855afe0475b15. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0d1d7e555a9c17636d3d83339cf9ad9382b1bb8aa970b5509f0855afe0475b15
SHA3-384 hash: 7c10d1697df45b967ee7209f36968aa684bd7f3de0bb91a53abcbdfdf7f3bc8f3890e790b0fc3c76f6af5f2c60150ec9
SHA1 hash: abe7c993bd6b1a473d79bc6c58b791209bb9d594
MD5 hash: 7e5d2de0f8c3d5171a06a44ebc72483a
humanhash: michigan-robin-emma-mars
File name:file
Download: download sample
File size:2'028'032 bytes
First seen:2025-11-29 11:47:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e008615264ef3e8efa4c24dd01b8e9ac
ssdeep 24576:VRhs2C/dADWnlOCarW8lykH5bSiCbBrLurRiZUrSgXAYu+UJSnvsJHUVprhnX5zd:XG2Kd+WK5Ak1DiZUrSgVvlH1XlLzzl
TLSH T12A9533EF31B92B39E019B5FFD548648F4ED211BB74AFF9022C44526B984E9C9CD12782
TrID 63.5% (.EXE) UPX compressed Win64 Executable (70117/5/12)
24.5% (.EXE) UPX compressed Win32 Executable (27066/9/6)
4.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.8% (.ICL) Windows Icons Library (generic) (2059/9)
1.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe fbf543 UPX


Avatar
Bitsight
url: http://178.16.55.189/files/7992210799/En6p7uo.exe
File size (compressed) :2'028'032 bytes
File size (de-compressed) :6'156'800 bytes
Format:win64/pe
Unpacked file: 5c6da77a80b2f46d0761363d1b037676a6ba794b570ec4b0cce57dd5183d3e64

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0d1d7e555a9c17636d3d83339cf9ad9382b1bb8aa970b5509f0855afe0475b15.bin.exe
Verdict:
Malicious activity
Analysis date:
2025-11-29 11:45:58 UTC
Tags:
stealer crypto-regex upx arch-doc
Link:
https://app.any.run/tasks/aa1303f9-1e33-48f4-ab50-66986521be71

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/41824/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=692add486cb1dcd577825b79
Tags:
shell small sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Connection attempt to an infection source
Query of malicious DNS domain
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug crypto fingerprint hacktool packed packed packed packed upx
Link:
https://www.filescan.io/uploads/692add45d0d5e7288b50648d/reports/9717b2f4-50cd-44ea-9767-4cdb09121a96/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/0d1d7e555a9c17636d3d83339cf9ad9382b1bb8aa970b5509f0855afe0475b15
Result
Gathering data
Verdict:
Malicious
File Type:
exe x64
Detections:
Trojan-PSW.Win64.Agent.sb Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Coins.sb HEUR:Trojan-Banker.Win32.ClipBanker.gen HEUR:Trojan.PowerShell.Generic
Link:
https://opentip.kaspersky.com/0d1d7e555a9c17636d3d83339cf9ad9382b1bb8aa970b5509f0855afe0475b15/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/af913523-4caf-4951-bc82-a47774c3d412
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0d1d7e555a9c17636d3d83339cf9ad9382b1bb8aa970b5509f0855afe0475b15
Verdict:
inconclusive
YARA:
3 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/7e5d2de0f8c3d5171a06a44ebc72483a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0d1d7e555a9c17636d3d83339cf9ad9382b1bb8aa970b5509f0855afe0475b15/
Verdict:
Malicious
Threat:
Trojan-PSW.Win32.Coins
Link:
https://tip.neiki.dev/file/0d1d7e555a9c17636d3d83339cf9ad9382b1bb8aa970b5509f0855afe0475b15
Threat name:
Win64.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-11-29 11:46:00 UTC
File Type:
PE+ (Exe)
Extracted files:
4
AV detection:
14 of 36 (38.89%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=buox4vk2tqlwg3j5qmzzz6nnsobldo4kvfylkue7bbk27ychlmkq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion discovery execution spyware stealer upx
Link:
https://tria.ge/reports/251129-nxzqcagw7h/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Browser Information Discovery
Drops file in Windows directory
Enumerates processes with tasklist
UPX packed file
Indicator Removal: File Deletion
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Unpacked files
SH256 hash:
0d1d7e555a9c17636d3d83339cf9ad9382b1bb8aa970b5509f0855afe0475b15
MD5 hash:
7e5d2de0f8c3d5171a06a44ebc72483a
SHA1 hash:
abe7c993bd6b1a473d79bc6c58b791209bb9d594
Link:
https://www.unpac.me/results/6e8984f1-1b00-4500-a3ad-f262a28052f4/
SH256 hash:
e9248cbfbcf23ca7faabd0c3eadb9119b047296784c45d47f6c6f5bc306366bb
MD5 hash:
421c26bffb7b7641160a9d1cfb8d7aec
SHA1 hash:
156ef0b55686028957f3675f3cf76ab13a6c56b9
Link:
https://www.unpac.me/results/6e8984f1-1b00-4500-a3ad-f262a28052f4/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0d1d7e555a9c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:upx_largefile
Create hunting rule
Author:k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 0d1d7e555a9c17636d3d83339cf9ad9382b1bb8aa970b5509f0855afe0475b15

(this sample)

Executable exe 5c6da77a80b2f46d0761363d1b037676a6ba794b570ec4b0cce57dd5183d3e64

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3720306/
Cape
Cape
https://www.capesandbox.com/analysis/41824/
  
Dropping
SHA256 5c6da77a80b2f46d0761363d1b037676a6ba794b570ec4b0cce57dd5183d3e64
  
Dropping
MD5 22264642d66db431c42129e10577be1d

Comments