MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18e9a8bfad425d3ff9c0ab3d71e6890320166127b8bdf7460a7edd30f45be0ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Fuery

Vendor detections: 11

Intelligence 11 IOCs YARA 20 File information Comments

SHA256 hash:	18e9a8bfad425d3ff9c0ab3d71e6890320166127b8bdf7460a7edd30f45be0ab
SHA3-384 hash:	17c528a825c50afbce8259d5e8ddcf99d1be682d98c7599586cbd7cc49301c566871c3cb30ca8c744aeb7f26a7000033
SHA1 hash:	045ecab4bf0b7a78ce0f445eb9f1f4e25a52a5c4
MD5 hash:	9ff305f437f337e6b56ce4269995e04c
humanhash:	johnny-potato-shade-louisiana
File name:	file
Download:	download sample
Signature	Fuery Create hunting rule
File size:	1'660'928 bytes
First seen:	2026-03-05 15:56:39 UTC
Last seen:	2026-03-06 12:33:38 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	9cbefe68f395e67356e2a5d8d1b285c0 (62 x LummaStealer, 51 x Vidar, 49 x AuroraStealer)
ssdeep	24576:TYXzsJChigMNRBCdXurmjSG4kl55aUpgRpZ+wMgee5SpeeZdY7tkHN3EAK1eQ2T1:TtCd+r3lRS7LQEtEAKF2TEGf9YK1t
TLSH	T1A6757C41FDDB24B1EA02163248B762BF2734B9090B31AFC7D9446A7ABD736E40D32759
TrID	29.5% (.EXE) Win64 Executable (generic) (6522/11/2) 22.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 20.3% (.EXE) Win32 Executable (generic) (4504/4/1) 9.1% (.EXE) OS/2 Executable (generic) (2029/13) 9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey exe fbf543 Fuery

Bitsight

url: http://130.12.180.43/files/8499672124/b1JNsvy.exe

Intelligence

File Origin

# of uploads :

# of downloads :

148

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

vidar

ID:

File name:

bc32d3a3d8d4f809464fac47cc6e6c7d47f983b55c5190c646e9c8e6beebe69f.exe

Verdict:

Malicious activity

Analysis date:

2026-03-05 03:45:09 UTC

Tags:

auto generic gcleaner loader auto-startup etherhiding inno installer stealer stealc vidar delphi anti-evasion autoit trojan susp-powershell xor-url golang

Link:

https://app.any.run/tasks/a9417dd1-509d-4f4f-a237-2a0afa07fc0a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/55722/

Detection(s):

SecuriteInfo.com.FileRepMalware.31561698.UNOFFICIAL

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69a9a7fae1f958bf6683f53b

Tags:

malware

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/18e9a8bfad425d3ff9c0ab3d71e6890320166127b8bdf7460a7edd30f45be0ab

Verdict:

Malicious

File Type:

exe x32

Detections:

Backdoor.Win32.Agima.a Trojan.Win64.Agent.sb Trojan.Win32.Agent.sb PDM:Trojan.Win32.Generic Backdoor.Win32.Agima.bl Backdoor.Agima.HTTP.C&C Backdoor.Win32.Agima.sb Backdoor.Win32.Agima.b

Link:

https://opentip.kaspersky.com/18e9a8bfad425d3ff9c0ab3d71e6890320166127b8bdf7460a7edd30f45be0ab/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/de28df88-6e32-41fb-83b2-0837a2d3b560

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/18e9a8bfad425d3ff9c0ab3d71e6890320166127b8bdf7460a7edd30f45be0ab

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/18e9a8bfad425d3ff9c0ab3d71e6890320166127b8bdf7460a7edd30f45be0ab/

Verdict:

Malicious

Threat:

Family.FUERY

Link:

https://tip.neiki.dev/file/18e9a8bfad425d3ff9c0ab3d71e6890320166127b8bdf7460a7edd30f45be0ab

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ddu2rp5nijot76oavm6xdzujamqbmyjhxc67orqkp3otb5c34cvq._file

Result

Malware family:

fuery

Score:

10/10

Tags:

family:fuery discovery persistence trojan

Link:

https://tria.ge/reports/260305-td4g3se19z/

Behaviour

System Location Discovery: System Language Discovery

Adds Run key to start application

Downloads MZ/PE file

Fuery

Fuery family

Malware Config

C2 Extraction:

http://let.mebeyourfriend.digital/
http://if.youwannabemylover.life/
http://make.mydaymakemyday.info/
http://iahfi.visbxskagt.com/
http://laf.oahgsfwklg.top/
http://smachrie1.weinerbuyout.top/
http://sackless2.backspacersasine.sbs/
http://recondole3.compositesclosetful.xyz/
http://dietaries4.permeatedicelanders.today/
http://epanadiplosis5.misdateswampanoag.cyou/
http://invoke6.escrimesesquipedal.digital/
http://bordrage7.kafkaesquebozo.info/
http://stacher8.disequilibrationaproctous.top/
http://scoliidae9.

Unpacked files

SH256 hash:

18e9a8bfad425d3ff9c0ab3d71e6890320166127b8bdf7460a7edd30f45be0ab

MD5 hash:

9ff305f437f337e6b56ce4269995e04c

SHA1 hash:

045ecab4bf0b7a78ce0f445eb9f1f4e25a52a5c4

Link:

https://www.unpac.me/results/68d91fcd-0a98-4b7a-b4ed-cb023386c3b7/

SH256 hash:

49440442bb8d826446a399ec1ea9abd46fd6872d593e5b41039af53adade857d

MD5 hash:

3263f3be6bb0f34462edbd0922f6d07d

SHA1 hash:

db3c04b0dff26b283f543f62152592867b68a7bc

Link:

https://www.unpac.me/results/68d91fcd-0a98-4b7a-b4ed-cb023386c3b7/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/18e9a8bfad425d3ff9c0ab3d71e6890320166127b8bdf7460a7edd30f45be0ab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectGoMethodSignatures Create hunting rule
Author:	Wyatt Tauber
Description:	Detects Go method signatures in unpacked Go binaries

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	Golangmalware Create hunting rule
Author:	Dhanunjaya
Description:	Malware in Golang

Rule name:	golang_binary_string Create hunting rule
Description:	Golang strings present

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	Golang_Find_CSC846 Create hunting rule
Author:	Ashar Siddiqui
Description:	Find Go Signatuers

Rule name:	Golang_Find_CSC846_Simple Create hunting rule
Author:	Ashar Siddiqui
Description:	Find Go Signatuers

Rule name:	HiveRansomware Create hunting rule
Author:	Dhanunjaya
Description:	Yara Rule To Detect Hive V4 Ransomware

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	ProgramLanguage_Golang Create hunting rule
Author:	albertzsigovits
Description:	Application written in Golang programming language

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Suspicious_Golang_Binary Create hunting rule
Author:	Tim Machac
Description:	Triage: Golang-compiled binary with suspicious OS/persistence/network strings (not family-specific)