MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b7a06418283b4a20bff8e901050629e2b07dea54d4c8efec113a781fbe9e8ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GoProxy


Vendor detections: 12


Intelligence 12 IOCs YARA 24 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2b7a06418283b4a20bff8e901050629e2b07dea54d4c8efec113a781fbe9e8ea
SHA3-384 hash: c0067ead82702fdd3a1beac43a91a0aa66771fd0704ff17f763eaeb90889dcd92f5e5ee12b81752af19705ad4e3e729c
SHA1 hash: e21211f9bf3532c10f326737e9f407d148153e4d
MD5 hash: f2b46eb3abe81bd5edc4ef8b5f39eeed
humanhash: alabama-green-chicken-two
File name:SecuriteInfo.com.W32.PossibleThreat.31171.25754
Download: download sample
Signature GoProxy
Create hunting rule
File size:6'517'248 bytes
First seen:2025-06-09 14:24:02 UTC
Last seen:2025-06-09 15:33:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d42595b695fc008ef2c56aabd8efd68e (92 x Rhadamanthys, 60 x Vidar, 41 x LummaStealer)
ssdeep 49152:24/BQ4wP7WiuyHs4eBBIzCE81WoHPVubUSObOSftoPuNUjHoWi7wKeK9KtA5JlH1:28kS9Kz+1HtuiieP6MJ/EI
TLSH T1D7665B03EC9565E9C1EEE2308A629162BA717C485B3123D73F50F7382F76BD06AB9714
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter SecuriteInfoCom
Tags:exe GoProxy

Intelligence

File Origin
# of uploads :
2
# of downloads :
430
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
9bd46b1371d0897f7b8f5afe6360eabd.exe
Verdict:
Malicious activity
Analysis date:
2025-06-09 11:13:05 UTC
Tags:
lumma stealer themida loader amadey botnet auto-reg rdp ip-check golang nodejs gcleaner winring0x64-sys vuln-driver arch-exec xmrig auto coinminer miner
Link:
https://app.any.run/tasks/387122c4-afc1-4ac2-a488-ca5a70decba4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/8105/
Detection(s):
SecuriteInfo.com.W32.PossibleThreat.31171.25754.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6846efa38bd5d68a12e714f5
Tags:
spam lien
Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Launching a process
Connection attempt
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Restart of the analyzed sample
Searching for synchronization primitives
Sending a custom TCP request
DNS request
Enabling autorun by creating a file
Verdict:
Suspicious
Link:
https://www.hybrid-analysis.com/sample/2b7a06418283b4a20bff8e901050629e2b07dea54d4c8efec113a781fbe9e8ea
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/03dcbd57-5cbe-47e5-b55e-96a62cbdcaef
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.evad.troj
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1709753
Signature
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Send many emails (e-Mail Spam)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1709753 Sample: SecuriteInfo.com.W32.Possib... Startdate: 09/06/2025 Architecture: WINDOWS Score: 72 58 there58.xyz 2->58 60 mail.n5tmail.xyz 2->60 62 1008 other IPs or domains 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 Send many emails (e-Mail Spam) 2->66 68 Joe Sandbox ML detected suspicious sample 2->68 8 SecuriteInfo.com.W32.PossibleThreat.31171.25754.exe 3 2->8         started        11 rlkservice.exe 1 2->11         started        signatures3 70 Performs DNS queries to domains with low reputation 60->70 process4 file5 50 C:\Users\user\AppData\...\rlkservice.exe, PE32+ 8->50 dropped 14 cmd.exe 1 8->14         started        16 SecuriteInfo.com.W32.PossibleThreat.31171.25754.exe 8->16         started        19 cmd.exe 1 8->19         started        21 cmd.exe 1 8->21         started        72 Multi AV Scanner detection for dropped file 11->72 23 cmd.exe 1 11->23         started        25 cmd.exe 11->25         started        27 cmd.exe 11->27         started        29 rlkservice.exe 11->29         started        signatures6 process7 dnsIp8 31 WMIC.exe 1 14->31         started        34 conhost.exe 14->34         started        52 mx.zoho.com 204.141.43.44 ZOHO-ASUS United States 16->52 54 smtp.5jkl.dk 185.21.40.99 ZITCOMDK Denmark 16->54 56 320 other IPs or domains 16->56 44 2 other processes 19->44 46 2 other processes 21->46 36 WMIC.exe 1 23->36         started        38 conhost.exe 23->38         started        40 WMIC.exe 1 25->40         started        42 conhost.exe 25->42         started        48 2 other processes 27->48 process9 signatures10 74 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 31->74
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2b7a06418283b4a20bff8e901050629e2b07dea54d4c8efec113a781fbe9e8ea
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2b7a06418283b4a20bff8e901050629e2b07dea54d4c8efec113a781fbe9e8ea/
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/2b7a06418283b4a20bff8e901050629e2b07dea54d4c8efec113a781fbe9e8ea
Threat name:
Win64.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-06-09 12:58:33 UTC
File Type:
PE+ (Exe)
AV detection:
19 of 38 (50.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fn5amqmcqo2kec77r2ibaudctyvqpxvfjvgi57wbcotyd67j5dva._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/250609-rq6rvsztcw/
Behaviour
GoLang User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Checks computer location settings
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/78f9f554-5afb-4984-a4da-7ef157577545
Unpacked files
SH256 hash:
2b7a06418283b4a20bff8e901050629e2b07dea54d4c8efec113a781fbe9e8ea
MD5 hash:
f2b46eb3abe81bd5edc4ef8b5f39eeed
SHA1 hash:
e21211f9bf3532c10f326737e9f407d148153e4d
Link:
https://www.unpac.me/results/fbee8ff4-0d8b-48ad-8641-42b63173ae01/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2b7a06418283b4a20bff8e901050629e2b07dea54d4c8efec113a781fbe9e8ea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:Detect_Go_GOMAXPROCS
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:golang_duffcopy_amd64
Create hunting rule
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GoProxy

Executable exe 2b7a06418283b4a20bff8e901050629e2b07dea54d4c8efec113a781fbe9e8ea

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/8105/
  
URLhaus
https://urlhaus.abuse.ch/url/3559800/
  
Delivery method
Distributed via web download

Comments