MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d95e636a7e133f2d04f8cdcc0e7e46628a3172f6f5e8e3f2ceea014c911fd4c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Fuery


Vendor detections: 21


Intelligence 21 IOCs 1 YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0d95e636a7e133f2d04f8cdcc0e7e46628a3172f6f5e8e3f2ceea014c911fd4c
SHA3-384 hash: d11c864d6d2ff065aaa05eb6365d88a4fd7a3402b92eddf2e5153b95161bed290c22358c578331902ebdc0ca49f04f9b
SHA1 hash: 3d72afe6e410c1380315dc5da1fb6e3ef4b7a18c
MD5 hash: 043eab0dd94c303a7776c4c0ea39d97c
humanhash: south-jig-diet-carbon
File name:0d95e636a7e133f2d04f8cdcc0e7e46628a3172f6f5e8.exe
Download: download sample
Signature Fuery
Create hunting rule
File size:2'625'024 bytes
First seen:2025-09-17 09:25:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'647 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 49152:X/L8qKcmyGRGcPzYUHXv2U7lkHoT2PUiLD7a+QGdQG/x:X/vmr8PU3v2UxcNLP3QGT
Threatray 25 similar samples on MalwareBazaar
TLSH T1AFC5336D63EE70A8E0EF577D7EB1C80602B33212B666D52427D0D04EC8A763B94D7768
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:exe Fuery


Avatar
abuse_ch
Fuery C2:
107.189.23.136:7720

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
107.189.23.136:7720 https://threatfox.abuse.ch/ioc/1593283/

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
0d95e636a7e133f2d04f8cdcc0e7e46628a3172f6f5e8e3f2ceea014c911fd4c.exe
Verdict:
Malicious activity
Analysis date:
2025-09-17 05:57:47 UTC
Tags:
auto redline stealer amadey unlocker-eject tool arch-exec botnet rdp
Link:
https://app.any.run/tasks/6a3ea601-47bb-42ec-9af7-285883a66a1c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Amadey
Create hunting rule
Link:
https://www.capesandbox.com/analysis/27889/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68ca4ddad49ea3f1e4b6c1c8
Tags:
dropper emotet trojan sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the Windows directory
Enabling the 'hidden' option for recently created files
Launching a process
Creating a process with a hidden window
Creating a service
Launching a service
Restart of the analyzed sample
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Running batch commands
Creating a process from a recently created file
Creating a window
Searching for the window
Creating a file
Launching the default Windows debugger (dwwin.exe)
Enabling autorun for a service
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
lolbin obfuscated obfuscated packed packed packer_detected schtasks
Link:
https://www.filescan.io/uploads/68ca7eb2dbc6f5a29c496fb8/reports/67b9037c-d5b4-466e-a6fa-746c6afb6045/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/0d95e636a7e133f2d04f8cdcc0e7e46628a3172f6f5e8e3f2ceea014c911fd4c
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-17T03:04:00Z UTC
Last seen:
2025-09-17T03:04:00Z UTC
Hits:
~10
Detections:
BSS:Trojan.Win32.Generic BSS:Exploit.Win32.Generic VHO:Trojan-PSW.Win32.Lumma.gen Trojan-PSW.Lumma.HTTP.Download Trojan.Nymaim.HTTP.ServerRequest Trojan.BAT.Agent.cot VHO:Trojan-Downloader.Win32.Convagent.gen Trojan.Agentb.TCP.C&C PDM:Trojan.Win32.Generic Trojan-Downloader.Win32.Deyma.sb HEUR:Trojan-Downloader.Win32.Deyma.gen HEUR:Trojan-Downloader.MSIL.Deyma.gen
Link:
https://opentip.kaspersky.com/0d95e636a7e133f2d04f8cdcc0e7e46628a3172f6f5e8e3f2ceea014c911fd4c/results?tab=lookup
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/527b6123-d2bb-41ab-9899-7d1a9f27aa1b
Result
Threat name:
Amadey, Kamasers Bot, LummaC Stealer, Vi
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1779114
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Drops executables to the windows directory (C:\Windows) and starts them
Drops password protected ZIP file
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: PUA - NSudo Execution
Sigma detected: Suspicious New Service Creation
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the nircmd tool (NirSoft)
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected Kamasers Bot
Yara detected LummaC Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1779114 Sample: 0d95e636a7e133f2d04f8cdcc0e... Startdate: 17/09/2025 Architecture: WINDOWS Score: 100 89 rhusdniw.shop 2->89 91 www.google.com 2->91 93 4 other IPs or domains 2->93 103 Suricata IDS alerts for network traffic 2->103 105 Found malware configuration 2->105 107 Antivirus detection for URL or domain 2->107 109 19 other signatures 2->109 10 0d95e636a7e133f2d04f8cdcc0e7e46628a3172f6f5e8.exe 7 2->10         started        14 0d95e636a7e133f2d04f8cdcc0e7e46628a3172f6f5e8.exe 2->14         started        16 svchost.exe 51 116 2->16         started        18 8 other processes 2->18 signatures3 process4 dnsIp5 81 C:\Windows\systemhelper.exe, PE32 10->81 dropped 83 C:\Windows\svchosthelper.exe, PE32 10->83 dropped 85 C:\Users\user\...\WindowsLogsHelper.xml, XML 10->85 dropped 87 0d95e636a7e133f2d0...a3172f6f5e8.exe.log, ASCII 10->87 dropped 127 Drops executables to the windows directory (C:\Windows) and starts them 10->127 21 svchosthelper.exe 1 49 10->21         started        26 systemhelper.exe 15 10->26         started        28 cmd.exe 1 10->28         started        36 2 other processes 10->36 129 Uses cmd line tools excessively to alter registry or file data 14->129 30 svchosthelper.exe 14->30         started        32 Conhost.exe 14->32         started        34 WerFault.exe 2 16->34         started        95 127.0.0.1 unknown unknown 18->95 131 Contains functionality to start a terminal service 18->131 133 Changes security center settings (notifications, updates, antivirus, firewall) 18->133 file6 signatures7 process8 dnsIp9 97 94.154.35.25, 49716, 49722, 49734 SELECTELRU Ukraine 21->97 99 178.16.54.200, 49726, 49735, 49746 DUSNET-ASDE Germany 21->99 101 178.16.55.70 DUSNET-ASDE Germany 21->101 65 C:\Users\user\AppData\Local\...\fCUE4cF.exe, PE32 21->65 dropped 67 C:\Users\user\AppData\Local\...67jtIeMV.exe, PE32+ 21->67 dropped 69 C:\Users\user\AppData\Local\...\ojjvpn1.exe, PE32 21->69 dropped 77 21 other malicious files 21->77 dropped 115 Contains functionality to start a terminal service 21->115 71 C:\Users\user\AppData\Local\...\nircmd.exe, PE32+ 26->71 dropped 73 C:\Users\user\AppData\Local\...\cecho.exe, PE32 26->73 dropped 75 C:\Users\user\AppData\Local\...75SudoLG.exe, PE32+ 26->75 dropped 79 2 other malicious files 26->79 dropped 117 Multi AV Scanner detection for dropped file 26->117 38 cmd.exe 26->38         started        119 Uses cmd line tools excessively to alter registry or file data 28->119 121 Uses schtasks.exe or at.exe to add and modify task schedules 28->121 123 Uses the nircmd tool (NirSoft) 28->123 41 conhost.exe 28->41         started        43 schtasks.exe 1 28->43         started        125 Contains functionality to inject code into remote processes 30->125 45 WerFault.exe 30->45         started        47 conhost.exe 36->47         started        49 conhost.exe 36->49         started        file10 signatures11 process12 signatures13 111 Uses cmd line tools excessively to alter registry or file data 38->111 113 Drops executables to the windows directory (C:\Windows) and starts them 38->113 51 cmd.exe 38->51         started        53 reg.exe 38->53         started        55 conhost.exe 38->55         started        59 20 other processes 38->59 57 Conhost.exe 47->57         started        process14 process15 61 tasklist.exe 51->61         started        63 Conhost.exe 53->63         started       
Score:
92%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0d95e636a7e133f2d04f8cdcc0e7e46628a3172f6f5e8e3f2ceea014c911fd4c
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.35 Win 32 Exe x86
Link:
https://app.malva.re/file/043eab0dd94c303a7776c4c0ea39d97c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0d95e636a7e133f2d04f8cdcc0e7e46628a3172f6f5e8e3f2ceea014c911fd4c/
Verdict:
Malicious
Threat:
Family.REDLINE
Link:
https://tip.neiki.dev/file/0d95e636a7e133f2d04f8cdcc0e7e46628a3172f6f5e8e3f2ceea014c911fd4c
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2025-09-17 05:57:48 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bwk6mnvh4ez7fucprtombz7emyukgfzpn5pi4pzm52qbjsir7vga._file
Verdict:
malicious
Label(s):
amadey
Create hunting rule
admintool_nsudo
Create hunting rule
unc_loader_051
Create hunting rule
admintool_nircmd
Create hunting rule
lummastealer
Create hunting rule
Similar samples:
0046ac156acfd377676b3b6a529e8dd7426d058f20a8ff445d47134b02e5c8c3
Fuery
2f994afc548d528e56a029cf4481d56a3459d438b46ec38403a977bc7d70dced
Fuery
3425243ae4b06fc1d2e6cc87f54e828f98a0409c30aecd628911d098e3d05903
Fuery
af15f7f5cd412700480ef871ce62286816fa9dd198573e13a766630b69eceba1
Fuery
bdb5e8fcf29470ec8dd9acf8774f0f44b3a36875864d5626d26735734a758466
Fuery
ca9930f9537efeb6b704634f528df22dd857a71fcc060308d73ee2ed1a5d8d3a
Fuery
e31c1d66840b1989f65e4b0810394c1d899606dcff927cf591c3847ec37a83f6
Fuery
error
Fuery
+ 15 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:lumma botnet:fbf543 collection credential_access defense_evasion discovery execution persistence spyware stealer trojan
Link:
https://tria.ge/reports/250917-ld769sbl4v/
Behaviour
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry key
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Launches sc.exe
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks installed software on the system
Command and Scripting Interpreter: PowerShell
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Creates new service(s)
Downloads MZ/PE file
Sets service image path in registry
Stops running service(s)
Uses browser remote debugging
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
Disables service(s)
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
http://94.154.35.25
https://t.me/romalabs4
https://consnbx.su/sawo
https://lexenorf.org/zdhs
https://sirhirssg.su/xzde
https://prebwle.su/xazd
https://rhussois.su/tatr
https://newflux75.xyz/xkzp
https://acrislegt.su/tazd
https://averiryvx.su/zadr
https://cerasatvf.su/qtpd
https://yunded.com/uwuz
https://todoexy.su/xqts
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ce8a0511-f72a-4a52-a94c-1e8c5ea9415a
Unpacked files
SH256 hash:
0d95e636a7e133f2d04f8cdcc0e7e46628a3172f6f5e8e3f2ceea014c911fd4c
MD5 hash:
043eab0dd94c303a7776c4c0ea39d97c
SHA1 hash:
3d72afe6e410c1380315dc5da1fb6e3ef4b7a18c
Link:
https://www.unpac.me/results/5a7c0853-8f62-41eb-aba8-c1ecbfe31504/
SH256 hash:
adcfa6262a7ad6df342855c89221fa7a0846de4695614dfad41d0186ef80317b
MD5 hash:
b5097cbce2789f5c98ff542e8fccc9e8
SHA1 hash:
5318445b3aa3bbba88ddb6a8a7e8f625be0d9767
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/5a7c0853-8f62-41eb-aba8-c1ecbfe31504/
SH256 hash:
c33c7b0ac5e590babbf3dbe73e79bc2282736da4cb98c845443ef4705f41df06
MD5 hash:
3e4bd688d760888386a1c2321aa1d24f
SHA1 hash:
0d62f0e37a52284bb4c1f2a38dd43a3b4fd0801c
Link:
https://www.unpac.me/results/5a7c0853-8f62-41eb-aba8-c1ecbfe31504/
SH256 hash:
9e31453494c7db453d8f770dcc40c4777c03ca9ada0b3cb57f371393423ad62f
MD5 hash:
29fefbddf4bfa8e9b609651f7dedb761
SHA1 hash:
ea9b87c32c33d3a5d9cd0329b42cb523cf26b2c8
Link:
https://www.unpac.me/results/5a7c0853-8f62-41eb-aba8-c1ecbfe31504/
SH256 hash:
c39c4466f622b7320076076ea3eb13fa0f784b9b097dff46d802f905fc39d851
MD5 hash:
a7993e5a520b17fec65435fb4838a08f
SHA1 hash:
18fe6286473a03735e7b701d4bfaf61ad35da7ad
Link:
https://www.unpac.me/results/5a7c0853-8f62-41eb-aba8-c1ecbfe31504/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0d95e636a7e1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0d95e636a7e133f2d04f8cdcc0e7e46628a3172f6f5e8e3f2ceea014c911fd4c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:Indicator_MiniDumpWriteDump
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:TH_Generic_MassHunt_Win_Malware_2025_CYFARE
Create hunting rule
Author:CYFARE
Description:Generic Windows malware mass-hunt rule - 2025
Reference:https://cyfare.net/
Rule name:with_urls
Create hunting rule
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the presence of an or several urls
Reference:http://laboratorio.blogs.hispasec.com/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/27889/

Comments