MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4aff63535ab88f8faea09c855de14485bfab9e108bf57622223572428df92041. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Adware.Neoreklami


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4aff63535ab88f8faea09c855de14485bfab9e108bf57622223572428df92041
SHA3-384 hash: d227d559c99ecf1270dd62fa7ad716d0bbe491dde599013e6f6fd888473a1338eeb39c5c2a321dcf67d42e5b1e91833b
SHA1 hash: ca1ce1364d710423018dad89c2f7acf2b0f841a9
MD5 hash: a3e3656cb3338871cab8246632c297a4
humanhash: island-jig-pizza-delta
File name:file
Download: download sample
Signature Adware.Neoreklami
Create hunting rule
File size:7'767'087 bytes
First seen:2025-10-31 10:33:33 UTC
Last seen:2025-10-31 10:34:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3786a4cf8bfee8b4821db03449141df4 (2'102 x Adware.Neoreklami, 2 x RedLineStealer, 2 x Adware.MultiPlug)
ssdeep 196608:11ObE1i7KOOqpM4QGQeTHbk30mTghcsfjIAK1831ObHmTN8Qxl:/Obtd84QGQA7kk0gJjIAU8F8sN9D
TLSH T11276336139C5D8FEE4AA6073EF68AFD9B7E39A525C140867E764050C57B80C0C1FEA6C
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10522/11/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
Reporter Bitsight
Tags:Adware.Neoreklami dropped-by-amadey exe fbf543


Avatar
Bitsight
url: http://178.16.55.189/files/unique3/random.exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
125
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4aff63535ab88f8faea09c855de14485bfab9e108bf57622223572428df92041.bin.exe
Verdict:
Malicious activity
Analysis date:
2025-10-31 10:31:10 UTC
Tags:
auto-sch stealer neoreklami adware xor-url generic
Link:
https://app.any.run/tasks/ba8830b7-3ad8-4830-882e-deee5b1ba7ee

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/34892/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=690490ba706befaf4ecaae1f
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
DNS request
Connection attempt
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Running batch commands
Launching a process
Launching cmd.exe command interpreter
Creating a file
Enabling autorun by creating a file
Verdict:
Malicious
Labled as:
Win/grayware_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/4aff63535ab88f8faea09c855de14485bfab9e108bf57622223572428df92041
Verdict:
Adware
File Type:
exe x32
First seen:
2025-10-31T07:57:00Z UTC
Last seen:
2025-10-31T09:30:00Z UTC
Hits:
~10
Detections:
Trojan-Dropper.Win32.Agent.sb Trojan.Win32.Agent.sb HEUR:Trojan.Script.Alien.gen not-a-virus:HEUR:AdWare.Win32.Neoreklami.pef not-a-virus:AdWare.Win32.Neoreklami.sb
Link:
https://opentip.kaspersky.com/4aff63535ab88f8faea09c855de14485bfab9e108bf57622223572428df92041/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b9b828c8-4821-4409-a2f5-87b53c330e3a
Score:
85%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4aff63535ab88f8faea09c855de14485bfab9e108bf57622223572428df92041
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4aff63535ab88f8faea09c855de14485bfab9e108bf57622223572428df92041/
Verdict:
Malicious
Threat:
Win32.Malware.Heuristic
Link:
https://tip.neiki.dev/file/4aff63535ab88f8faea09c855de14485bfab9e108bf57622223572428df92041
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2025-10-31 10:31:14 UTC
File Type:
PE (Exe)
Extracted files:
34
AV detection:
14 of 23 (60.87%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jl7wgu22xchy7lvatscv3ykeqw72xhqqrp2xmircgvzefdpzebaq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion discovery execution persistence privilege_escalation spyware stealer
Link:
https://tria.ge/reports/251031-mmcbmaylaz/
Behaviour
Enumerates system info in registry
Modifies data under HKEY_USERS
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Access Token Manipulation: Create Process with Token
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Event Triggered Execution: Accessibility Features
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Checks installed software on the system
Drops Chrome extension
Drops desktop.ini file(s)
Power Settings
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Indirect Command Execution
Loads dropped DLL
Reads user/profile data of web browsers
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Unpacked files
SH256 hash:
4aff63535ab88f8faea09c855de14485bfab9e108bf57622223572428df92041
MD5 hash:
a3e3656cb3338871cab8246632c297a4
SHA1 hash:
ca1ce1364d710423018dad89c2f7acf2b0f841a9
Link:
https://www.unpac.me/results/6677f7f7-62ac-4b9e-a8fb-1acba24f7395/
SH256 hash:
f70bc993260acbbe93d974c724866b71c97535ee69c1fe9ca8726f4b06262dd4
MD5 hash:
0d401fadc148f60774d2f316bd6aba9d
SHA1 hash:
3e12ea72017d33b25aa39b13f04636d15febcc4f
Link:
https://www.unpac.me/results/6677f7f7-62ac-4b9e-a8fb-1acba24f7395/
SH256 hash:
6f6b45f5ca57798856933cdecd0e04af92288a527ba04fd3ee327460639d191d
MD5 hash:
203d2519a171a0b5a600f20cd4d0404a
SHA1 hash:
edd1b0661c354f3b5984c91fcfdcadc790aa3ddb
Link:
https://www.unpac.me/results/6677f7f7-62ac-4b9e-a8fb-1acba24f7395/
SH256 hash:
c0492742bd2b12bbbf35ba12e18986eefcdfd23b77d50f48ddc44bfd7f8a0485
MD5 hash:
9864b58c6121b19aa9056038f37fbd12
SHA1 hash:
f026778a6e35310559494a752be4253926360762
Link:
https://www.unpac.me/results/6677f7f7-62ac-4b9e-a8fb-1acba24f7395/
SH256 hash:
cfc91da0db64c69f67dd42562f1661b4821ca3d88815bfbad1736f525106cc6b
MD5 hash:
bd39098fbd186281cd3fe63110e4d126
SHA1 hash:
5ea3a0a1c5f06f4c259da93ca76a09d46a6c645e
Link:
https://www.unpac.me/results/6677f7f7-62ac-4b9e-a8fb-1acba24f7395/
SH256 hash:
198ec16e0ac645b61824b7c8f0b4d61381c727f4e5c37ef86a778c8e3834b839
MD5 hash:
0219b48d10deaced6671cb973fa17941
SHA1 hash:
e36b6312a0f51d89b14a12f7599a78ea416804c3
Link:
https://www.unpac.me/results/6677f7f7-62ac-4b9e-a8fb-1acba24f7395/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4aff63535ab88f8faea09c855de14485bfab9e108bf57622223572428df92041

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:RC6_Constants
Create hunting rule
Author:chort (@chort0)
Description:Look for RC6 magic constants in binary
Reference:https://twitter.com/mikko/status/417620511397400576

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Adware.Neoreklami

Executable exe 4aff63535ab88f8faea09c855de14485bfab9e108bf57622223572428df92041

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/34892/
  
URLhaus
https://urlhaus.abuse.ch/url/3687171/

Comments