MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b5c10f6101a90728b135abfd9879da78400b7939f0dbd2c851b30ef51c8276d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1b5c10f6101a90728b135abfd9879da78400b7939f0dbd2c851b30ef51c8276d
SHA3-384 hash: 2043cf7abb3950e73ec60a720d3be030c393c3f556573649076f91e674f3cd2b3f60d9600145e08dc392e5f50dc00601
SHA1 hash: d868df5acfb021e3ed468b1b23de88ae4724d971
MD5 hash: 372324decd80c9985e06b8a4b66bfdfa
humanhash: floor-bluebird-oklahoma-montana
File name:file
Download: download sample
File size:297'472 bytes
First seen:2026-02-24 00:33:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b31da0971f03ad8d978723cd8ca7b5a0
ssdeep 6144:r5tTACTcSFHR+2noN9jxsTXqmTKo28LX/bh+27:rnldAxsFTh+
Threatray 123 similar samples on MalwareBazaar
TLSH T165544B4A73A440F5D8A79139C9A38A46E7B2B855077193CF43A443B95F3B7D09E3E322
TrID 33.1% (.EXE) Win64 Executable (generic) (6522/11/2)
25.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.4% (.ICL) Windows Icons Library (generic) (2059/9)
10.3% (.EXE) OS/2 Executable (generic) (2029/13)
10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter Bitsight
Tags:a3dacb dropped-by-amadey exe


Avatar
Bitsight
url: http://196.251.107.130/Loader.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
157
Origin country :
US US
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/455aa22f-77db-44aa-a120-50b498310ff7/
Malware family:
amadey
Create hunting rule
ID:
1
File name:
cf67866057ad54d90e24f0c702003d8a01e7d2cc066478ec7bd0afee69bdfa51.exe
Verdict:
Malicious activity
Analysis date:
2026-02-22 11:30:18 UTC
Tags:
amadey botnet stealer auto generic stealc auto-reg auto-sch python
Link:
https://app.any.run/tasks/4e82951b-e3da-4e84-8520-0315650f6bae

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/54349/
Detection(s):
Win.Trojan.Lazy-10059292-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=699cf20c8fffa866e3b15c1f
Tags:
clipbanker autorun emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Searching for synchronization primitives
Restart of the analyzed sample
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug clipbanker exploit explorer lolbin microsoft_visual_cc schtasks unsafe
Link:
https://www.filescan.io/uploads/699cf20b10e80629d4ef41a9/reports/36b1a86f-c70e-4bb4-b4af-6ed32eef355e/overview
Verdict:
Malicious
Labled as:
Trojan.Loader.Marte.6.Generic
Link:
https://www.hybrid-analysis.com/sample/1b5c10f6101a90728b135abfd9879da78400b7939f0dbd2c851b30ef51c8276d
Result
Gathering data
Verdict:
Malicious
File Type:
exe x64
Link:
https://opentip.kaspersky.com/1b5c10f6101a90728b135abfd9879da78400b7939f0dbd2c851b30ef51c8276d/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/89e4830b-8d56-4151-91f5-240579fadd05
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1b5c10f6101a90728b135abfd9879da78400b7939f0dbd2c851b30ef51c8276d
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1b5c10f6101a90728b135abfd9879da78400b7939f0dbd2c851b30ef51c8276d/
Threat name:
Win64.Infostealer.ClipBanker
Create hunting rule
Status:
Malicious
First seen:
2026-02-22 11:30:12 UTC
File Type:
PE+ (Exe)
Extracted files:
2
AV detection:
24 of 36 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dnobb5qqdkihfcytlk75tb45u6cabn4tt4g32lefdmyo6uoie5wq._file
Verdict:
malicious
Label(s):
unc_loader_073
Create hunting rule
Similar samples:
1586e6f714547d9ec024c9aeff1df7024d37a867d543de418b0af65c530c6738
2af5b20be78d166ff38cd23466548334f767fa22a58620dd049975ac1288caf6
312ff53f4264561e0c409d76e073835d9058c824736eb8b36545703a9181a1da
3232706a6824a99e09588cbd5b4528632c0d2f8cf905e92fc1dad9d57152d390
b815b0a5c28c5d6314354bb3b0e898d80b2ee62763579d28c709c8c977b7be3d
dfa531e1ac9cb7c6ca7cd7cd052c5a33af615cc4f8b1a8cf8a0cc85a1064c3dd
error
+ 113 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
execution persistence
Link:
https://tria.ge/reports/260224-awxbyagw3h/
Behaviour
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Unpacked files
SH256 hash:
1b5c10f6101a90728b135abfd9879da78400b7939f0dbd2c851b30ef51c8276d
MD5 hash:
372324decd80c9985e06b8a4b66bfdfa
SHA1 hash:
d868df5acfb021e3ed468b1b23de88ae4724d971
Link:
https://www.unpac.me/results/9096b679-2d91-425e-99c2-7653c9a6be0b/
SH256 hash:
74aa987d1ed04fe78cdf9905c3af6181836be77a09fa790590aa8ca155c4b56b
MD5 hash:
83440ce1c930c3f74ec3b57909b5002b
SHA1 hash:
a85d8cfc0518e72f26c264698302b93599bf145c
Detections:
ReflectiveLoader
Create hunting rule
INDICATOR_SUSPICIOUS_ReflectiveLoader
Create hunting rule
Link:
https://www.unpac.me/results/9096b679-2d91-425e-99c2-7653c9a6be0b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1b5c10f6101a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_ReflectiveLoader
Create hunting rule
Author:ditekSHen
Description:Detects Reflective DLL injection artifacts
Rule name:ReflectiveLoader
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 1b5c10f6101a90728b135abfd9879da78400b7939f0dbd2c851b30ef51c8276d

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/54349/
  
URLhaus
https://urlhaus.abuse.ch/url/3767348/

Comments