MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1005065810ae3c06e48ea42e790775bd003451a8aea76a25331cbe9a55f701f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 12

Intelligence 12 IOCs YARA 19 File information Comments

SHA256 hash:	1005065810ae3c06e48ea42e790775bd003451a8aea76a25331cbe9a55f701f2
SHA3-384 hash:	5ff86eb7789e144fa0a7e353065f5ff04ca46c35ebe3b6451feb5c78fcbd637f396a2ebfe72bc3df440559aa91a0fc31
SHA1 hash:	5772e7f7b90f2b0c44914d6ba328f161b0a8384b
MD5 hash:	e2cf10569c7078d5702c2492427dc4d4
humanhash:	south-green-minnesota-harry
File name:	5zV0Qk1.exe
Download:	download sample
File size:	2'193'240 bytes
First seen:	2025-09-16 13:30:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9cbefe68f395e67356e2a5d8d1b285c0 (58 x LummaStealer, 49 x AuroraStealer, 35 x Vidar)
ssdeep	24576:kLv5uAwZuVdzGfHr1auuxcq/GHoDs9a7Z18WTHIFXKoE8g9Awv4cBMmz7p:Gv5uA4UiBuw9a7Ze7Dg9A0NMmz
Threatray	11 similar samples on MalwareBazaar
TLSH	T1BBA57B47B8E08069E4E693304AB59191E635BC572B3363DF6B00B1BEEE372D45EB9350
gimphash	05e73dcc44c84e5d5a4a784d2908908e3f3874e3bea355ca54284452088ae6ea
TrID	37.3% (.EXE) Win64 Executable (generic) (10522/11/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 15.9% (.EXE) Win32 Executable (generic) (4504/4/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

5zV0Qk1.exe

Verdict:

Malicious activity

Analysis date:

2025-09-16 13:32:57 UTC

Tags:

golang

Link:

https://app.any.run/tasks/1856c2b0-a40c-4db5-9d8a-b151488893d1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/27729/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68c966bdd49ea3f1e4b66b0b

Tags:

injection emotet obfusc virus

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

explorer golang lolbin mingw obfuscated remote threat

Link:

https://www.filescan.io/uploads/68c966be0d1238ff0aacf6dc/reports/e6dddc52-7242-410c-bb28-7070bf17e369/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/1005065810ae3c06e48ea42e790775bd003451a8aea76a25331cbe9a55f701f2

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-09-16T08:47:00Z UTC

Last seen:

2025-09-16T08:47:00Z UTC

Hits:

~100

Link:

https://opentip.kaspersky.com/1005065810ae3c06e48ea42e790775bd003451a8aea76a25331cbe9a55f701f2/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/fef4be4f-427e-4211-8d15-046da12a68ff

Result

Threat name:

n/a

Detection:

malicious

Classification:

spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1778527

Signature

Antivirus detection for URL or domain

Creates a thread in another existing process (thread injection)

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Potentially malicious time measurement code found

Switches to a custom stack to bypass stack traces

System process connects to network (likely due to code injection or exploit)

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/1005065810ae3c06e48ea42e790775bd003451a8aea76a25331cbe9a55f701f2

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/e2cf10569c7078d5702c2492427dc4d4

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1005065810ae3c06e48ea42e790775bd003451a8aea76a25331cbe9a55f701f2/

Threat name:

Win64.Trojan.Amadey

Status:

Malicious

First seen:

2025-09-16 11:38:44 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cacqmwaqvy6anzeouqxhsb3vxuadiuniv2twujjtds7juvpxahza._file

Verdict:

malicious

Label(s):

aurastealer

5634306e445a5a62c5cb81dba6663a5c1d7eb8e562b8c1430dfa6c8242e75f5d

6444a99e021b7e3296e824a673bac7057ca9e1197ea7187532b52f548d88f6dc

7a96989dad3e9c90ef7dd009289c8f5f1ba830e42e24f75e6f0c4ea8f813894d

error

+ 1 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

discovery

Link:

https://tria.ge/reports/250916-qsln2adj3x/

Behaviour

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/2ff0d4db-3c29-4819-9a27-d70c9c80daea

Unpacked files

SH256 hash:

cb34fa2b31e9b03464a75edf9b0b4cf93aea851fa74c6f02b084149c528866be

MD5 hash:

98ce6c53c01d25e9abfeff03e2bc24fe

SHA1 hash:

92a61e15c98b7a53af6af958aefb5902de989353

Link:

https://www.unpac.me/results/c54d3960-3861-49a8-9e3c-dda296a5e07b/

SH256 hash:

1005065810ae3c06e48ea42e790775bd003451a8aea76a25331cbe9a55f701f2

MD5 hash:

e2cf10569c7078d5702c2492427dc4d4

SHA1 hash:

5772e7f7b90f2b0c44914d6ba328f161b0a8384b

Link:

https://www.unpac.me/results/c54d3960-3861-49a8-9e3c-dda296a5e07b/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1005065810ae/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/1005065810ae3c06e48ea42e790775bd003451a8aea76a25331cbe9a55f701f2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectGoMethodSignatures Create hunting rule
Author:	Wyatt Tauber
Description:	Detects Go method signatures in unpacked Go binaries

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	Golangmalware Create hunting rule
Author:	Dhanunjaya
Description:	Malware in Golang

Rule name:	golang_binary_string Create hunting rule
Description:	Golang strings present

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	golang_duffcopy_amd64 Create hunting rule

Rule name:	HiveRansomware Create hunting rule
Author:	Dhanunjaya
Description:	Yara Rule To Detect Hive V4 Ransomware

Rule name:	identity_golang Create hunting rule
Author:	Eric Yocam
Description:	find Golang malware

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	ProgramLanguage_Golang Create hunting rule
Author:	albertzsigovits
Description:	Application written in Golang programming language

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 1005065810ae3c06e48ea42e790775bd003451a8aea76a25331cbe9a55f701f2

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3625089/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/27729/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample