MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b460d4661160b686264b7acf80c077c0d3a0d19d9ea6f1a62ae6eea87b40c7b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat: unknown


Vendor detections: 14



SHA256 hash: 4b460d4661160b686264b7acf80c077c0d3a0d19d9ea6f1a62ae6eea87b40c7b
SHA3-384 hash: 5555c14c2324fa0f6e7f7dc1cdad98574d14ca6f34ff66fcc5dd2d9b961d0e2b6ab13d6c761c2cdafd64da68b3a5248a
SHA1 hash: 3125134c050f7f646e4f682314e9c74c4ee3f732
MD5 hash: 1ef4d18de78ab1fafc37f4157c069b2c
humanhash: gee-montana-ink-aspen
File name: 1ef4d18de78ab1fafc37f4157c069b2c.exe
File size: 477'696 bytes
First seen: 2025-10-21 05:25:27 UTC
Last seen: 2025-10-21 07:24:48 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4417249db25f76aa5ea9cf43e19a38de
ssdeep: 6144:2TilB1lYQedB1lINIhom8X7jgLOp3k7CHhiH6cWrvRMEMxEyRJmNgLrP6kON:2Opg9IW8I2Hwad1Z8EBmP
TLSH: T132A47D6AE6A500F9D1B7C27CCA538D02E771784543A1ABCF03A49A762F376D44E3E712
TrID: 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
      23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      9.3% (.EXE) OS/2 Executable (generic) (2029/13)
      9.2% (.EXE) Generic Win/DOS Executable (2002/3)
      9.2% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: abuse_ch
Tags: exe
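The hashes and size above are the identity of this object; before analysing a file obtained from anywhere other than this entry, confirm it really is the same sample. The Python below is an added example, not MalwareBazaar's own code: it recomputes the four digests the entry lists, compares them case-insensitively, and uses the file size as a cheap first filter before any hashing. The expected values are copied from the table above; the placeholder bytes in the usage line are constructed and are meant to fail.

```python
"""Confirm a file on disk is the sample this entry describes.

Added example, not MalwareBazaar's own code. ENTRY holds the size and the
four digests copied from the table above; the bytes used in the usage line
are constructed and will (correctly) fail to match.
"""
import hashlib

ENTRY = {
    "size": 477696,  # 477'696 bytes in the entry
    "sha256": "4b460d4661160b686264b7acf80c077c0d3a0d19d9ea6f1a62ae6eea87b40c7b",
    "sha3_384": "5555c14c2324fa0f6e7f7dc1cdad98574d14ca6f34ff66fcc5dd2d9b961d0e2b6ab13d6c761c2cdafd64da68b3a5248a",
    "sha1": "3125134c050f7f646e4f682314e9c74c4ee3f732",
    "md5": "1ef4d18de78ab1fafc37f4157c069b2c",
}


def compute_digests(data: bytes) -> dict:
    """Size plus the digests MalwareBazaar lists, all as lowercase hex."""
    return {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def verify_sample(data: bytes, expected: dict = ENTRY) -> dict:
    """Per-field match result. Hex is compared case-insensitively so a value
    pasted in upper case from another tool still verifies."""
    got = compute_digests(data)
    result = {}
    for field, want in expected.items():
        if field == "size":
            result[field] = got["size"] == int(want)
        elif field in got:
            result[field] = got[field] == str(want).strip().lower()
    return result


def is_this_sample(data: bytes, expected: dict = ENTRY) -> bool:
    """True only when every listed field matches; the size check alone
    rejects most wrong files before any hashing is done."""
    if "size" in expected and len(data) != int(expected["size"]):
        return False
    return all(verify_sample(data, expected).values())


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    # Constructed placeholder when no path is given; it is not the sample.
    blob = open(path, "rb").read() if path else b"constructed placeholder, not the sample"
    print(verify_sample(blob), "->", is_this_sample(blob))
```

MD5 and SHA1 are kept because other feeds still key on them for lookup; SHA256 is the identifier this entry is indexed by, and a match on size plus SHA256 is sufficient for the "same object" decision.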

Intelligence


File Origin
# of uploads: 2
# of downloads: 64
Origin country: SE
Vendor Threat Intelligence
Malware family:
ID: 1
File name: 250925-dnhqcs1rx9_pw_infected.zip
Verdict: Malicious activity
Analysis date: 2025-10-20 21:17:35 UTC
Tags: arch-exec amadey auto redline stealer lumma botnet unlocker-eject tool loader socks5systemz proxybot stealc vidar gcleaner generic evasion autoit anti-evasion screenconnect rmm-tool remote rdp fuery phishing arch-doc upx rust xworm salatstealer miner ms-smartcard github winring0-sys vuln-driver

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: ransomware installer extens
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a process from a recently created file
Launching a process
Launching the default Windows debugger (dwwin.exe)
Loading a suspicious library
Using the Windows Management Instrumentation requests
DNS request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Changing a file
Running batch commands
Creating a process with a hidden window
Creating synchronization primitives
Creating a file
Creating a window
Connection attempt
Sending an HTTP GET request
Launching a file downloaded from the Internet
Unauthorized injection to a recently created process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: amadey anti-debug fingerprint lolbin microsoft_visual_cc redcap rundll32 stealer stealer unsafe
Verdict: Malicious
File Type: exe x64
First seen: 2025-10-20T11:21:00Z UTC
Last seen: 2025-10-21T11:16:00Z UTC
Hits: ~1000
Detections: VHO:Trojan-PSW.Win32.BroPass.gen VHO:Trojan-PSW.Win32.Agent.gen Trojan-Downloader.Win32.Inject.sb VHO:Trojan-PSW.Win32.Convagent.gen HEUR:Trojan-PSW.Win32.Disco.gen HEUR:Trojan-PSW.Python.Nuker.gen Trojan-Spy.Win32.Stealer.fnhi Trojan-Spy.Stealer.HTTP.C&C Trojan.Win64.Reflo.sb Trojan.Win32.Inject.sb Trojan-PSW.Win32.Stealer.sb Trojan-PSW.MSIL.Stealer.sb HEUR:Trojan-PSW.Python.Agent.gen HEUR:Trojan-PSW.Multi.Disco.gen UDS:DangerousObject.Multi.Generic Trojan-PSW.Win32.Agent.sba PDM:Trojan.Win32.Generic Trojan-PSW.Win64.Coins.bjd Trojan-PSW.Win32.Coins.sb HEUR:Trojan-PSW.Python.HashBreaker.b Trojan-PSW.Win32.Disco.sb Trojan-PSW.Win32.Greedy.sb VHO:Trojan-PSW.Win64.Coins.bjd
Result
Threat name: Chrome Injector
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates a thread in another existing process (thread injection)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected Chrome Injector
Behaviour
Behavior Graph (ID 1798858; sample IWuyUEaBUU.exe; start date 21/10/2025; architecture WINDOWS; score 100)
Contacted hosts: hellbrowellads.live, ip-api.com, icanhazip.com
Top-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 6 other signatures

IWuyUEaBUU.exe
  network: hellbrowellads.live 176.46.152.87, ports 49681, 49700, 5858 (ESTPAKEE, Iran (ISLAMIC Republic Of))
  dropped: C:\Users\user\AppData\...\screenshot[1].dll (PE32+); C:\Users\user\AppData\...\my_new_dll[1].dll (PE32+); C:\Users\user\...\chrome_inject[1].exe (PE32+); 32 other malicious files
  signatures: Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal browser information (history, passwords, etc)
  +- additional_tool.exe
  |    dropped: 107 other malicious files
  |    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
  |    +- additional_tool.exe
  +- another_tool.exe
  |    dropped: C:\Users\user\AppData\...\win32crypt.pyd (PE32+); C:\Users\user\AppData\...\unicodedata.pyd (PE32+); 103 other malicious files
  |    +- another_tool.exe
  +- extra_tool.exe
  |    dropped: C:\Users\user\AppData\...\unicodedata.pyd (PE32+); C:\Users\user\AppData\Local\...\ucrtbase.dll (PE32+); C:\Users\user\AppData\Local\...\sqlite3.dll (PE32+); 52 other malicious files
  |    +- extra_tool.exe
  |         signatures: Tries to harvest and steal browser information (history, passwords, etc)
  |         +- cmd.exe
  |              +- conhost.exe
  +- 8 other processes
       network: ip-api.com 208.95.112.1, ports 49705, 80 (TUT-ASUS, United States); icanhazip.com 104.16.184.241, ports 49703, 80 (CLOUDFLARENETUS, United States)
       dropped: \Device\ConDrv (ASCII)
       signatures: System process connects to network (likely due to code injection or exploit); Writes to foreign memory regions; Allocates memory in foreign processes; 4 other signatures
       +- msedge.exe
       |    +- WerFault.exe
       +- msedge.exe
       |    +- WerFault.exe
       +- chrome.exe
       |    +- WerFault.exe
       +- 4 other processes
            network: 127.0.0.1 (unknown)
            +- WerFault.exe
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Verdict: Malicious
Threat: VHO:Trojan-PSW.Win32.BroPass
Threat name: Win64.Trojan.Amadey
Status: Malicious
First seen: 2025-10-20 14:30:40 UTC
File Type: PE+ (Exe)
AV detection: 16 of 24 (66.67%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: discovery pyinstaller spyware stealer upx
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Browser Information Discovery
Detects Pyinstaller
UPX packed file
Checks installed software on the system
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Badlisted process makes network request
Downloads MZ/PE file
Unpacked files
SHA256 hash: 4b460d4661160b686264b7acf80c077c0d3a0d19d9ea6f1a62ae6eea87b40c7b
MD5 hash: 1ef4d18de78ab1fafc37f4157c069b2c
SHA1 hash: 3125134c050f7f646e4f682314e9c74c4ee3f732
Please note that we are no longer able to provide a coverage score for Virus Total.
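The sandbox reports above give a small indicator set, but not all of it carries the same weight. hellbrowellads.live and its address 176.46.152.87 appear only in this sample's traffic; the dropped names chrome_inject[1].exe, screenshot[1].dll and my_new_dll[1].dll and the sample's SHA256 are likewise specific. ip-api.com and icanhazip.com are public IP-lookup services that plenty of benign software also calls, so a hit on them alone is noise. The Python below is an added example, not code from this page or from any of the vendors: it grades each indicator as strong or weak, scans constructed endpoint telemetry, and escalates only hosts with at least one strong hit. The hostnames ws01..ws04, the address 203.0.113.9 and every log line are constructed for the demonstration, and treating 5858 as the server-side port of the C2 connection is an assumption drawn from the port list and the "non-standard ports" signature.

```python
"""Grade-and-hunt over constructed telemetry using this entry's indicators.

Added example; not code from MalwareBazaar or any vendor report above.
Indicators come from the sandbox reports; the telemetry lines, hostnames
(ws01..ws04) and the 203.0.113.9 address are constructed for the demo.
"""
import re
from collections import defaultdict

# Strong indicators: specific to this sample according to the reports.
STRONG = {
    "domain": {"hellbrowellads.live"},
    "ip": {"176.46.152.87"},
    "sha256": {"4b460d4661160b686264b7acf80c077c0d3a0d19d9ea6f1a62ae6eea87b40c7b"},
    "filename": {"chrome_inject[1].exe", "screenshot[1].dll", "my_new_dll[1].dll"},
}
# Weak indicators: shared with benign software (public IP-lookup services) or
# only circumstantial (the assumed C2 port seen on some other address).
WEAK_DOMAINS = {"ip-api.com", "icanhazip.com"}
C2_PORT = 5858  # assumption: server-side port taken from the sandbox port list

# Constructed telemetry, one event per line: "<ts> <host> <kind> <value>"
SAMPLE_LOG = """\
2025-10-21T05:30:01Z ws01 dns hellbrowellads.live
2025-10-21T05:30:02Z ws01 conn 176.46.152.87:5858
2025-10-21T05:30:03Z ws01 file C:\\Users\\alice\\AppData\\Local\\Temp\\chrome_inject[1].exe
2025-10-21T05:30:04Z ws01 dns ip-api.com
2025-10-21T05:31:10Z ws02 dns icanhazip.com
2025-10-21T05:31:12Z ws02 conn 203.0.113.9:5858
2025-10-21T05:32:00Z ws03 hash 4B460D4661160B686264B7ACF80C077C0D3A0D19D9EA6F1A62AE6EEA87B40C7B
2025-10-21T05:33:00Z ws04 dns update.example
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<kind>dns|conn|file|hash)\s+(?P<value>.+?)\s*$"
)


def classify(kind: str, value: str):
    """Return (strength, label) for an event that matches an indicator, else None."""
    v = value.strip().lower()
    if kind == "dns":
        if v in STRONG["domain"]:
            return ("strong", "c2-domain")
        if v in WEAK_DOMAINS:
            return ("weak", "ip-lookup-service")
    elif kind == "conn":
        ip, _, port = v.rpartition(":")
        if ip in STRONG["ip"]:
            return ("strong", "c2-ip")
        if port.isdigit() and int(port) == C2_PORT:
            return ("weak", "c2-port-only")
    elif kind == "file":
        name = re.split(r"[\\/]", v)[-1]  # basename, either separator
        if name in {f.lower() for f in STRONG["filename"]}:
            return ("strong", "dropped-file")
    elif kind == "hash":
        if v in STRONG["sha256"]:
            return ("strong", "sample-sha256")
    return None


def hunt(log_text: str) -> list:
    """Every event that matches an indicator, with its grade attached."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        graded = classify(m["kind"], m["value"])
        if graded:
            hits.append({"ts": m["ts"], "host": m["host"], "kind": m["kind"],
                         "value": m["value"], "strength": graded[0], "label": graded[1]})
    return hits


def triage(log_text: str) -> dict:
    """Hosts with at least one strong hit are escalated; weak-only hosts are
    reported separately so they are not lost, but are not escalated."""
    by_host = defaultdict(list)
    for h in hunt(log_text):
        by_host[h["host"]].append(h)
    escalate = sorted(h for h, hs in by_host.items()
                      if any(x["strength"] == "strong" for x in hs))
    weak_only = sorted(h for h in by_host if h not in escalate)
    return {"escalate": escalate, "weak_only": weak_only}


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(f"{h['host']} {h['strength']:6} {h['label']:18} {h['value']}")
    print(triage(SAMPLE_LOG))
```

Run against the constructed log, ws01 (C2 domain, C2 address and a dropped file name) and ws03 (the sample hash) are escalated; ws02, which only resolved icanhazip.com and talked to an unrelated address on port 5858, is kept in the weak-only bucket for a second look rather than raised as an incident.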

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 4b460d4661160b686264b7acf80c077c0d3a0d19d9ea6f1a62ae6eea87b40c7b (this sample)

Delivery method: Distributed via web download
