MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 326290d910bcd9cb85ca8bc172c9f8589f7659794a824d30fccd7ca2a047a39e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 19


Intelligence 19 IOCs YARA 20 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 326290d910bcd9cb85ca8bc172c9f8589f7659794a824d30fccd7ca2a047a39e
SHA3-384 hash: eabf590c39053e51957d3884268c88fb3c56dc12a6b85cc6d07708b108181457bbbc0fa7521d47c498e98c90ab0bb306
SHA1 hash: 5152280de73d109982fa461b45f25fb268c70331
MD5 hash: 4cc6daa19942b8c82305ddda8b0d76e3
humanhash: oregon-california-london-double
File name:Combo Essentials v1.2 - Coded By MR.ViPeR.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:6'174'208 bytes
First seen:2025-05-29 14:06:19 UTC
Last seen:2025-05-29 14:13:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 223f8057932cb61043b0989210626737 (6 x Amadey, 4 x SVCStealer, 4 x RedLineStealer)
ssdeep 98304:Pi2lXLLLi3f7acRfWjygg3mM8DWwsCfRIRYL5N7U+uIm/So:PVl7q3DBWyz8DWwsCJIRYLv7U+bm/S
Threatray 342 similar samples on MalwareBazaar
TLSH T1CF56E0117A6280B8D0579574854A5E6ADB71BC564F70AADF0BE0C63E3FB32E11E3E720
TrID 42.8% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
18.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
12.6% (.WLX) Total Commander Lister extension (plugin) (21500/1/6)
6.1% (.EXE) Win64 Executable (generic) (10522/11/4)
5.8% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
Magika pebin
dhash icon 4cc8e8687008280c (1 x Amadey)
Reporter aachum
Tags:Amadey b8c4ef exe


Avatar
iamaachum
Amadey Botnet: b8c4ef
Amadey C2: http://185.156.72.8/rob75u9v/index.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
441
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
ComboEssentialsv1.2-CodedByMR.ViPeR.exe
Verdict:
Malicious activity
Analysis date:
2025-05-19 17:58:36 UTC
Tags:
amadey botnet stealer loader rust netreactor rdp
Link:
https://app.any.run/tasks/16db99bd-425d-4ba5-8db8-9ead15fc25ce

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/6194/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=682b714b375681df7c1ab420
Tags:
autorun emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Creating a window
Creating a file
Searching for synchronization primitives
Creating a process with a hidden window
Searching for the window
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Launching a process
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file in the system32 directory
Enabling the 'hidden' option for recently created files
Creating a file in the Windows directory
Unauthorized injection to a recently created process
Connection attempt to an infection source
Stealing user critical data
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm base64 clipbanker fingerprint lolbin microsoft_visual_cc netsh obfuscated packed packed packer_detected redline wmic
Link:
https://www.filescan.io/uploads/683869e8171e01f95930ad46/reports/769e34f8-d6b6-456c-bc86-45e57dcc952a/overview
Verdict:
Malicious
Labled as:
Dropper.Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/326290d910bcd9cb85ca8bc172c9f8589f7659794a824d30fccd7ca2a047a39e
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cfeb9be9-9ef1-4f4d-af26-4d6bee48094e
Result
Threat name:
Amadey, MicroClip, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1701556
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates multiple autostart registry keys
Detected generic credential text file
Drops executables to the windows directory (C:\Windows) and starts them
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Potentially Suspicious Child Process Of Regsvr32
Sigma detected: Powershell launch regsvr32
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Suricata IDS alerts for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected MicroClip
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1701556 Sample: Combo Essentials v1.2 - Cod... Startdate: 29/05/2025 Architecture: WINDOWS Score: 100 160 Suricata IDS alerts for network traffic 2->160 162 Found malware configuration 2->162 164 Malicious sample detected (through community Yara rule) 2->164 166 15 other signatures 2->166 14 Combo Essentials v1.2 - Coded By MR.ViPeR.exe 6 2->14         started        18 nudwee.exe 2->18         started        20 svchost.exe 2->20         started        23 regsvr32.exe 2->23         started        process3 dnsIp4 146 C:\Users\user\AppData\Roaming\vxcvxcvcx.exe, PE32+ 14->146 dropped 148 C:\Users\user\AppData\...\fsdfsdfsdf.exe, PE32 14->148 dropped 150 C:\Users\user\AppData\...\erezrzerze.exe, PE32+ 14->150 dropped 152 2 other malicious files 14->152 dropped 212 Contains functionality to start a terminal service 14->212 25 fsdfsdfsdf.exe 2 14->25         started        28 erezrzerze.exe 88 14->28         started        32 cxwcwxs.exe 4 14->32         started        34 2 other processes 14->34 214 Multi AV Scanner detection for dropped file 18->214 154 127.0.0.1 unknown unknown 20->154 file5 signatures6 process7 dnsIp8 118 C:\Users\user\AppData\...\fsdfsdfsdf.tmp, PE32 25->118 dropped 36 fsdfsdfsdf.tmp 3 5 25->36         started        156 185.156.72.8, 49686, 49687, 49694 ITDELUXE-ASRU Russian Federation 28->156 158 62.60.226.191, 49691, 80 ASLINE-AS-APASLINELIMITEDHK Iran (ISLAMIC Republic Of) 28->158 120 C:\Users\user\AppData\Local\...\temp_630.exe, PE32+ 28->120 dropped 122 C:\Users\user\AppData\Local\...\temp_620.exe, PE32+ 28->122 dropped 124 C:\Users\user\AppData\Local\...\temp_610.exe, PE32+ 28->124 dropped 128 8 other malicious files 28->128 dropped 202 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 28->202 204 Tries to steal Crypto Currency Wallets 28->204 206 Detected generic credential text file 28->206 39 temp_620.exe 28->39         started        41 temp_607.exe 28->41         started        44 temp_610.exe 28->44         started        48 3 other processes 28->48 126 C:\Users\user\AppData\Local\...\nudwee.exe, PE32 32->126 dropped 208 Contains functionality to start a terminal service 32->208 210 Contains functionality to inject code into remote processes 32->210 46 nudwee.exe 32->46         started        file9 signatures10 process11 file12 100 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 36->100 dropped 102 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 36->102 dropped 50 fsdfsdfsdf.exe 2 36->50         started        104 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 39->104 dropped 106 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32+ 39->106 dropped 116 48 other malicious files 39->116 dropped 53 temp_620.exe 39->53         started        108 C:\Windows\sysrtlcw.exe, PE32+ 41->108 dropped 110 C:\Windows\System32\sysmanger.exe, PE32+ 41->110 dropped 112 C:\Users\user\AppData\...\sysmrdrv.exe, PE32+ 41->112 dropped 180 Creates multiple autostart registry keys 41->180 182 Creates an autostart registry key pointing to binary in C:\Windows 41->182 184 Found direct / indirect Syscall (likely to bypass EDR) 41->184 55 sysmanger.exe 41->55         started        114 C:\ProgramData\...\System_Info.txt, data 44->114 dropped 186 Tries to harvest and steal browser information (history, passwords, etc) 44->186 188 Tries to steal Crypto Currency Wallets 44->188 190 Detected generic credential text file 44->190 192 Contains functionality to start a terminal service 46->192 194 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 48->194 196 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 48->196 signatures13 process14 file15 90 C:\Users\user\AppData\...\fsdfsdfsdf.tmp, PE32 50->90 dropped 58 fsdfsdfsdf.tmp 5 50->58         started        176 Changes the view of files in windows explorer (hidden files and folders) 55->176 178 Found direct / indirect Syscall (likely to bypass EDR) 55->178 signatures16 process17 file18 130 C:\Users\...\2XamlDiagnostics_3.pfx (copy), PE32+ 58->130 dropped 132 C:\Users\user\AppData\...\is-5GT8A.tmp, PE32+ 58->132 dropped 134 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 58->134 dropped 136 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 58->136 dropped 61 regsvr32.exe 58->61         started        process19 process20 63 regsvr32.exe 61->63         started        signatures21 216 Suspicious powershell command line found 63->216 218 Injects code into the Windows Explorer (explorer.exe) 63->218 220 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 63->220 222 4 other signatures 63->222 66 explorer.exe 63->66 injected 70 powershell.exe 63->70         started        72 powershell.exe 63->72         started        process22 file23 92 C:\Users\user\AppData\Local\...\F977.tmp.exe, PE32+ 66->92 dropped 94 C:\Users\user\AppData\Local\...7D5.tmp.exe, PE32+ 66->94 dropped 96 C:\Users\user\AppData\Local\...\D301.tmp.exe, PE32+ 66->96 dropped 98 2 other malicious files 66->98 dropped 168 System process connects to network (likely due to code injection or exploit) 66->168 170 Benign windows process drops PE files 66->170 172 Drops executables to the windows directory (C:\Windows) and starts them 66->172 74 F977.tmp.exe 66->74         started        78 987B.tmp.exe 66->78         started        80 E7D5.tmp.exe 66->80         started        86 4 other processes 66->86 174 Loading BitLocker PowerShell Module 70->174 82 conhost.exe 70->82         started        84 conhost.exe 72->84         started        signatures24 process25 file26 138 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 74->138 dropped 140 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32+ 74->140 dropped 142 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 74->142 dropped 144 47 other malicious files 74->144 dropped 198 Multi AV Scanner detection for dropped file 74->198 200 Drops executables to the windows directory (C:\Windows) and starts them 78->200 88 sysmanger.exe 78->88         started        signatures27 process28
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/326290d910bcd9cb85ca8bc172c9f8589f7659794a824d30fccd7ca2a047a39e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/326290d910bcd9cb85ca8bc172c9f8589f7659794a824d30fccd7ca2a047a39e/
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/326290d910bcd9cb85ca8bc172c9f8589f7659794a824d30fccd7ca2a047a39e
Threat name:
Win64.Ransomware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2025-05-19 17:58:37 UTC
File Type:
PE+ (Exe)
Extracted files:
60
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gjrjbwiqxtm4xbokrpaxfspylcpxmwlzjkbe2mh4zv6kfichuopa._file
Verdict:
malicious
Label(s):
fantomcrypt
Create hunting rule
amadey
Create hunting rule
Similar samples:
0531385e6e2b3db7e69c70008ef57a7f584c8c96ae7cc2afb40346b908737734
Amadey
080784c30b5680a3fefbbe6ae23e2466e60904c0b3ae379643ba7b697989eff0
Amadey
2106190991efc4291f4211dd54ddb7444e7bf51503842a1380a4a1d902d888b6
Amadey
2e3a5dfa44d59681a60d78b8b08a1af3878d8e270c02d7e31a0876a85eb42a7e
Amadey
7623b74488d2413a84e80ae2c03d73c67e9b91350660bdc0c45b0d11cef57bc6
Amadey
8544c6f789db47dc9b0b9033bef41857b054069ad6e492983f0fa3d2ccfdeb9a
Amadey
c5b5c385184b5c2d7ed666beb38bb10b703097573f7a6b42b7fdef78acf99c96
Amadey
+ 332 additional samples on MalwareBazaar
Result
Malware family:
svcstealer
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:redline family:svcstealer botnet:b8c4ef botnet:ppvv discovery downloader execution infostealer persistence pyinstaller spyware stealer trojan
Link:
https://tria.ge/reports/250529-relybacp91/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Browser Information Discovery
Detects Pyinstaller
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Command and Scripting Interpreter: PowerShell
Drops file in System32 directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Amadey
Amadey family
Detects SvcStealer Payload
RedLine
RedLine payload
Redline family
SvcStealer, Diamotrix
Svcstealer family
Malware Config
C2 Extraction:
http://185.156.72.8
176.113.115.149
185.81.68.156
62.60.226.191:1912
Verdict:
Malicious
Tags:
Win.Malware.Midie-10044502-0
YARA:
n/a
Link:
https://app.threat.zone/submission/7f51f7d9-e99d-4bbe-b27f-12a6b8ea94ed
Unpacked files
SH256 hash:
326290d910bcd9cb85ca8bc172c9f8589f7659794a824d30fccd7ca2a047a39e
MD5 hash:
4cc6daa19942b8c82305ddda8b0d76e3
SHA1 hash:
5152280de73d109982fa461b45f25fb268c70331
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/e24c5ca7-32dc-4762-b1a9-fde8622d9e10/
SH256 hash:
2106190991efc4291f4211dd54ddb7444e7bf51503842a1380a4a1d902d888b6
MD5 hash:
b672fbd389b94bf5449ceafe32346037
SHA1 hash:
5380630e67ed935a0e0aca94dc88eceecd0bdc38
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/e24c5ca7-32dc-4762-b1a9-fde8622d9e10/
Parent samples :
2106190991efc4291f4211dd54ddb7444e7bf51503842a1380a4a1d902d888b6
edb41f444b0bb876741c3bcfc7d08a7481566220009a015ea5c2d53349f72d0b
cd9b74c85f02364423c5a0f06238682ba860552620d5aff0d0693237c1b02a37
3aa57cd00e4a4096942c3b108934e697d2e3a485b0204f973fca5d80ee38f449
326290d910bcd9cb85ca8bc172c9f8589f7659794a824d30fccd7ca2a047a39e
e677a9da84b5b1a612abb286c046b17dd32f1dda2892a16a82e6ef4605156a12
998af1240e8dcef09b2dbdc663cbf26e4403e73a3fe9f847b7167e332eab28e5
9c229564691ebd851120d13df429aca83c9cd6b3293f2c85751af826555d77b8
SH256 hash:
7d2c8e1b1a418d5cb0227edf0801302af1a2e8bbde1983f23b2b63f3f5f0a222
MD5 hash:
5ac225744987cca608539942658f00f8
SHA1 hash:
88e06ef7cacfeb34f4d635286a7df798f3bd2217
Link:
https://www.unpac.me/results/e24c5ca7-32dc-4762-b1a9-fde8622d9e10/
SH256 hash:
921dbd2fda49677c25ee0dbe0b5c646dd2b31d973161b148707ebf5aa78db570
MD5 hash:
3e06e418f438f814525c2bad5bb80028
SHA1 hash:
1dee58057566de624a545c2848ddd1687dbb844a
Link:
https://www.unpac.me/results/e24c5ca7-32dc-4762-b1a9-fde8622d9e10/
SH256 hash:
03fd56b3c21ca1a9d2b9e01af869301f2b7f680b5703b4b954c37e07f743adf4
MD5 hash:
62d461aa116f96c84f945cb93d6b0b7a
SHA1 hash:
fd490d7093d92748e99360e4845b283d6dec452c
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/e24c5ca7-32dc-4762-b1a9-fde8622d9e10/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/326290d910bc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/326290d910bcd9cb85ca8bc172c9f8589f7659794a824d30fccd7ca2a047a39e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DotNet_Reactor
Create hunting rule
Author:@bartblaze
Description:Identifies .NET Reactor, which offers .NET code protection such as obfuscation, encryption and so on.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:Macos_Infostealer_Wallets_8e469ea0
Create hunting rule
Author:Elastic Security
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:ProgramLanguage_Rust
Create hunting rule
Author:albertzsigovits
Description:Application written in Rust programming language
Rule name:PureCrypter
Create hunting rule
Author:@bartblaze
Description:Identifies PureCrypter, .NET loader and obfuscator.
Reference:https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Rustyloader_mem_loose
Create hunting rule
Author:James_inthe_box
Description:Corroded buerloader
Reference:https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:svc_stealer
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:SVC Stealer Payload
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 326290d910bcd9cb85ca8bc172c9f8589f7659794a824d30fccd7ca2a047a39e

(this sample)

Executable exe e30e917bed4d1e224aa3c9caa020139c8c00d21e2bfa038484f5aa02323fea2b

  
Link
https://tria.ge/250529-py47wssjs2
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/6194/
  
Dropping
SHA256 e30e917bed4d1e224aa3c9caa020139c8c00d21e2bfa038484f5aa02323fea2b
  
Dropping
MD5 561a57c0634114b1d8da137de543d622

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW

Comments