MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c118ef6e1e04222117a3e514392088117467f873f0805ed0a721a090c5beea5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 19

SHA256 hash: 4c118ef6e1e04222117a3e514392088117467f873f0805ed0a721a090c5beea5
SHA3-384 hash: cbdda9427e3490397dc76edcacbbdfe8836b236cb0ba2fa3e7816751309f5093e6febd54e7225f60e261bbbb44d29f04
SHA1 hash: ec7bc1304fa7914485f206353271b4a7d16101d2
MD5 hash: 8c36ccf9fa5b4ef1fcd223a36f9f082c
humanhash: fillet-helium-lamp-lemon
File name: 8C36CCF9FA5B4EF1FCD223A36F9F082C.exe
Signature: Mirai
File size: 4'963'840 bytes
First seen: 2025-07-26 18:30:22 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep: 98304:RtpeRG4qv2sW7WJlstwkuWE9rJgsR626rC5NmiCRjMKNVNZ04cB:RtpKG4qODWJlsTuWE9+8MC56PVNZhcB
TLSH: T12936330BA38C0228F49456746A7303C31B7A7A91F7F1955711BB7A4F1DF25B4A230BEA
TrID: 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      12.7% (.EXE) Win64 Executable (generic) (10522/11/4)
      7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika: pebin
dhash icon: f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter: abuse_ch
Tags: exe mirai XenoRAT


abuse_ch
XenoRAT C2:
185.100.157.116:7930

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                     ThreatFox Reference
185.100.157.116:7930    https://threatfox.abuse.ch/ioc/1560932/

Intelligence

File Origin
# of uploads: 1
# of downloads: 36
Origin country: NL

Vendor Threat Intelligence
Malware family:
ID: 1
File name: _4c118ef6e1e04222117a3e514392088117467f873f0805ed0a721a090c5beea5.exe
Verdict: Malicious activity
Analysis date: 2025-07-26 18:32:08 UTC
Tags: lumma stealer amadey botnet rdp arch-exec

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Verdict: Malicious
Score: 97.4%
Tags: autorun emotet autoit mint

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating synchronization primitives
Searching for analyzing tools
DNS request
Behavior that indicates a threat
Connection attempt
Sending a custom TCP request
Creating a window
Searching for the window
Searching for synchronization primitives
Creating a file
Running batch commands
Launching a process
Sending an HTTP POST request
Launching a service
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: adaptive-context anti-vm CAB explorer fingerprint installer lolbin microsoft_visual_cc overlay packed rundll32 runonce sfx
Result
Threat name: Amadey, LummaC Stealer, Xmrig
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to start a terminal service
Detected unpacking (changes PE section rights)
Drops password protected ZIP file
Found API chain indicative of sandbox detection
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign process
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation STDIN+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: PUA - NSudo Execution
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the nircmd tool (NirSoft)
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected LummaC Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID 1744754; sample G8BSY4If0F.exe; start date 26/07/2025; architecture WINDOWS; score 100): rendered in the original as a process, dropped-file and network graph; not reproduced here.
Verdict: inconclusive
YARA: 5 match(es)
Tags: CAB:COMPRESSION:LZX Executable PDB Path PE (Portable Executable) Win 32 Exe x86

Threat name: Win32.Spyware.Lummastealer
Status: Malicious
First seen: 2025-07-25 05:28:00 UTC
File Type: PE (Exe)
Extracted files: 147
AV detection: 27 of 35 (77.14%)

Threat level: 2/5
Verdict: malicious
Label(s): unc_loader_051 admintool_nircmd amadey lummastealer admintool_nsudo
Similar samples:
Result
Malware family:
Score: 10/10
Tags: family:amadey family:lumma family:salatstealer family:xenorat family:xmrig botnet:fbf543 defense_evasion discovery execution miner persistence rat spyware stealer trojan upx
Behaviour
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry key
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Embeds OpenSSL
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Launches sc.exe
AutoIT Executable
Drops file in System32 directory
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Power Settings
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Downloads MZ/PE file
Sets service image path in registry
Stops running service(s)
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner payload
Amadey
Amadey family
Detect SalatStealer payload
Detect XenoRat Payload
Disables service(s)
Lumma Stealer, LummaC
Lumma family
Salatstealer family
XenorRat
Xenorat family
Xmrig family
salatstealer
xmrig
Malware Config
C2 Extraction: 19 C2 URLs and IP addresses extracted from the configuration (list omitted)
Verdict: Malicious
Tags: stealer redline Win.Packed.Nanocore-9942160-0
YARA: win_redline_wextract_hunting_oct_2023
Unpacked files: 9 unpacked files (SHA256/MD5/SHA1 hash list omitted); detections reported on unpacked files: AutoIT_Compiled, Amadey
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: detect_Redline_Stealer
Author: Varp0s
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
Rule name: win_redline_wextract_hunting_oct_2023
Author: Matthew @ Embee_Research
Description: Detects wextract archives related to redline/amadey

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                          Title                                                    Severity
CHECK_AUTHENTICODE          Missing Authenticode                                     high
CHECK_DLL_CHARACTERISTICS   Missing dll Security Characteristics (HIGH_ENTROPY_VA)   high

Reviews
ID                  Capabilities                      Evidence
AUTH_API            Manipulates User Authorization    ADVAPI32.dll::AllocateAndInitializeSid
                                                      ADVAPI32.dll::EqualSid
                                                      ADVAPI32.dll::FreeSid
SECURITY_BASE_API   Uses Security Base API            ADVAPI32.dll::AdjustTokenPrivileges
                                                      ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_API   Can Create Process and Threads    KERNEL32.dll::CreateProcessA
                                                      ADVAPI32.dll::OpenProcessToken
                                                      KERNEL32.dll::CloseHandle
                                                      KERNEL32.dll::CreateThread
WIN_BASE_API        Uses Win Base API                 KERNEL32.dll::TerminateProcess
                                                      KERNEL32.dll::LoadLibraryA
                                                      KERNEL32.dll::LoadLibraryExA
                                                      KERNEL32.dll::GetDriveTypeA
                                                      KERNEL32.dll::GetVolumeInformationA
                                                      KERNEL32.dll::GetSystemInfo
WIN_BASE_IO_API     Can Create Files                  KERNEL32.dll::CreateDirectoryA
                                                      KERNEL32.dll::CreateFileA
                                                      KERNEL32.dll::DeleteFileA
                                                      KERNEL32.dll::GetWindowsDirectoryA
                                                      KERNEL32.dll::GetSystemDirectoryA
                                                      KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_API   Retrieves Account Information     ADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_API         Can Manipulate Windows Registry   ADVAPI32.dll::RegCreateKeyExA
                                                      ADVAPI32.dll::RegOpenKeyExA
                                                      ADVAPI32.dll::RegQueryInfoKeyA
                                                      ADVAPI32.dll::RegQueryValueExA
                                                      ADVAPI32.dll::RegSetValueExA
WIN_USER_API        Performs GUI Actions              USER32.dll::PeekMessageA

Comments