MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 13d5448b63b123ad6f01b845b98504e1e7b0a7e575d5201c468a5590dec9c6b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Threat unknown
Vendor detections: 12
| SHA256 hash: | 13d5448b63b123ad6f01b845b98504e1e7b0a7e575d5201c468a5590dec9c6b2 |
|---|---|
| SHA3-384 hash: | 9ed324528273c19f36264dde47494dcc19770418b2b1f5cf20a4ab2dadca4a27cfe9f1d145ecb52286d28b7566c82666 |
| SHA1 hash: | ad3d348939638fefb27413df16fdf15afae87fba |
| MD5 hash: | 76dcc058d56620f5435100bcc633cfb1 |
| humanhash: | golf-florida-michigan-jig |
| File name: | OLkGMsG.exe |
| Download: | download sample |
| File size: | 5'632'512 bytes |
| First seen: | 2025-07-29 19:12:00 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 553012f7304b2ea9ba200adb4c6e7297 |
| ssdeep | 49152:HpxN/s69kWZxWBE4tdrO4A33TJgLRWo7pZvxrclpBQihl8wiYMPsW+G3rPReDdGs:XWVrPR9p63dqsDdGTulO4H7 |
| TLSH | T1B546AD15A3E500A4E43BDA38CA65C333DA707C925734C64F0A98E6492F73AA19F7F725 |
| TrID | 48.7% (.EXE) Win64 Executable (generic) (10522/11/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1) |
| Magika | pebin |
| Reporter |  abuse_ch |
| Tags: | exe |
Intelligence
File Origin
# of uploads :
1
# of downloads :
24
Origin country :
SEVendor Threat Intelligence
Malware family:
amadey
ID:
1
File name:
_03ee33e361fac2cdfb9bf45bbaa5c7872f5fcb632867ca73b12bbfa982b4df4c.exe
Verdict:
Malicious activity
Analysis date:
2025-07-29 17:27:13 UTC
Tags:
amadey botnet stealer loader rdp stealc telegram python themida websocket asyncrat auto-reg evasion rhadamanthys golang vidar lumma upx susp-powershell salatstealer arch-doc auto-sch
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Verdict:
Malicious
Score:
99.9%
Tags:
virus
Result
Verdict:
Clean
Maliciousness:
Behaviour
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
anti-vm crypto fingerprint lolbin microsoft_visual_cc obfuscated remote
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Verdict:
Unknown
Result
Threat name:
n/a
Detection:
suspicious
Classification:
troj
Score:
27 / 100
Signature
Connects to a pastebin service (likely for C&C)
Behaviour
Behavior Graph:
Score:
83%
Verdict:
Malware
File Type:
PE
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) Win 64 Exe x64
Threat name:
Win64.Trojan.Generic
Status:
Suspicious
First seen:
2025-07-29 16:51:08 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
6 of 24 (25.00%)
Threat level:
5/5
Detection(s):
Suspicious file
Result
Malware family:
n/a
Score:
6/10
Tags:
n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Looks up external IP address via web service
Verdict:
Suspicious
Tags:
IP_address_lookup_website
YARA:
n/a
Unpacked files
SH256 hash:
13d5448b63b123ad6f01b845b98504e1e7b0a7e575d5201c468a5590dec9c6b2
MD5 hash:
76dcc058d56620f5435100bcc633cfb1
SHA1 hash:
ad3d348939638fefb27413df16fdf15afae87fba
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | Check_Debugger |
|---|
| Rule name: | DebuggerCheck__API |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DebuggerCheck__MemoryWorkingSet |
|---|---|
| Author: | Fernando Mercês |
| Description: | Anti-debug process memory working set size check |
| Reference: | http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/ |
| Rule name: | DebuggerCheck__QueryInfo |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DebuggerCheck__RemoteAPI |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DebuggerHiding__Thread |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DetectEncryptedVariants |
|---|---|
| Author: | Zinyth |
| Description: | Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded |
| Rule name: | golang_bin_JCorn_CSC846 |
|---|---|
| Author: | Justin Cornwell |
| Description: | CSC-846 Golang detection ruleset |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_RawPaste_URL |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables (downlaoders) containing URLs to raw contents of a paste |
| Rule name: | Jupyter_infostealer |
|---|---|
| Author: | CD_R0M_ |
| Description: | Rule for Jupyter Infostealer/Solarmarker malware from september 2021-December 2022 |
| Rule name: | Lumma_Stealer_Detection |
|---|---|
| Author: | ashizZz |
| Description: | Detects a specific Lumma Stealer malware sample using unique strings and behaviors |
| Reference: | https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/ |
| Rule name: | NET |
|---|---|
| Author: | malware-lu |
| Rule name: | pe_detect_tls_callbacks |
|---|
| Rule name: | RIPEMD160_Constants |
|---|---|
| Author: | phoul (@phoul) |
| Description: | Look for RIPEMD-160 constants |
| Rule name: | SEH__vectored |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | SHA1_Constants |
|---|---|
| Author: | phoul (@phoul) |
| Description: | Look for SHA1 constants |
| Rule name: | Sus_CMD_Powershell_Usage |
|---|---|
| Author: | XiAnzheng |
| Description: | May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP) |
| Rule name: | ThreadControl__Context |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
exe 13d5448b63b123ad6f01b845b98504e1e7b0a7e575d5201c468a5590dec9c6b2
(this sample)
Delivery method
Distributed via web download
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (GUARD_CF) | high |
| CHECK_TRUST_INFO | Requires Elevated Execution (level:requireAdministrator) | high |
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| AUTH_API | Manipulates User Authorization | ADVAPI32.dll::RevertToSelf |
| NCRYPT_API | Uses NCrypt API | ncrypt.dll::NCryptImportKey ncrypt.dll::NCryptOpenKey |
| SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::GetTokenInformation ADVAPI32.dll::ImpersonateLoggedOnUser |
| WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessW ADVAPI32.dll::OpenProcessToken KERNEL32.dll::OpenProcess ADVAPI32.dll::OpenThreadToken KERNEL32.dll::VirtualAllocExNuma KERNEL32.dll::CloseHandle |
| WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess KERNEL32.dll::DeleteVolumeMountPointW KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetSystemInfo |
| WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleOutputCP |
| WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileMappingW KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW KERNEL32.dll::GetSystemDirectoryW KERNEL32.dll::RemoveDirectoryW |
| WIN_BASE_USER_API | Retrieves Account Information | ADVAPI32.dll::LookupPrivilegeValueW |
| WIN_BCRYPT_API | Can Encrypt Files | bcrypt.dll::BCryptCreateHash bcrypt.dll::BCryptDecrypt bcrypt.dll::BCryptDestroyHash bcrypt.dll::BCryptDestroyKey bcrypt.dll::BCryptEncrypt bcrypt.dll::BCryptExportKey |
| WIN_CRYPT_API | Uses Windows Crypt API | CRYPT32.dll::CertAddCertificateContextToStore CRYPT32.dll::CertAddCertificateLinkToStore CRYPT32.dll::CertCreateCertificateChainEngine CRYPT32.dll::CertDuplicateCertificateContext CRYPT32.dll::CertEnumCertificatesInStore CRYPT32.dll::CertFindCertificateInStore |
| WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegNotifyChangeKeyValue ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW |
| WIN_SOCK_API | Uses Network to send and receive data | WS2_32.dll::FreeAddrInfoExW WS2_32.dll::FreeAddrInfoW WS2_32.dll::GetAddrInfoExW WS2_32.dll::GetAddrInfoW WS2_32.dll::GetNameInfoW WS2_32.dll::WSAConnect |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.