MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ffb180a561363cbac4b2e512039b58e3dcee36d7a22409cbfa315c343ed7295. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4ffb180a561363cbac4b2e512039b58e3dcee36d7a22409cbfa315c343ed7295
SHA3-384 hash: 0542509fb9e93c3f08fcad4de1bde1813c70856cac14128dc65d76e96a8e65233c116063afc5e792a346a7b043aeb07b
SHA1 hash: 57a1708e4169ba49d374485fb2a6d080941987a7
MD5 hash: 839bcd58ef0bbdccbc0e0a96eed6234e
humanhash: football-robert-wolfram-march
File name:839bcd58ef0bbdccbc0e0a96eed6234e.exe
Download: download sample
File size:9'467'408 bytes
First seen:2025-06-01 17:24:23 UTC
Last seen:2025-06-02 06:24:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a27c1b1bab0fbd6878da04b8d3715f84
ssdeep 196608:V7Bh7IdhOhAxv4rTcNhVDb7vAXzxvgOvjlt:V1h78hOhA9HVb7oD1gOLlt
TLSH T19A96F12276E2C036D8735A70D52DD2F991B9BC60DB32848BA3D47F1E3B309819639B57
TrID 39.5% (.EXE) InstallShield setup (43053/19/16)
28.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
9.6% (.EXE) Win64 Executable (generic) (10522/11/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
dhash icon 0f17734d35926133
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
378
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
random.exe
Verdict:
Malicious activity
Analysis date:
2025-05-31 18:02:21 UTC
Tags:
amadey botnet stealer loader rdp github auto-reg ultravnc rmm-tool telegram lumma arch-doc vidar stealc delphi gcleaner purecrypter netreactor redline evasion sectoprat arechclient2 rat autoit auto generic arch-exec advancedinstaller
Link:
https://app.any.run/tasks/4f4f4a6f-ac4e-47b1-be4e-152ee24595d4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/6713/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.76535269.603.25480.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
89.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=683c8e9aacf88f5815eac9da
Tags:
n/a
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-vm base64 evasive explorer fingerprint fingerprint keylogger keylogger lolbin microsoft_visual_cc msiexec overlay overlay packed packed packer_detected
Link:
https://www.filescan.io/uploads/683c8d48171e01f95932be8e/reports/0b09ba41-171b-4c32-8b2a-93fefec3e224/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/4ffb180a561363cbac4b2e512039b58e3dcee36d7a22409cbfa315c343ed7295
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/2d1d51f3-3fa4-48ac-a638-be49af4778f2
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1703447
Signature
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Contains functionality to detect sleep reduction / modifications
Drops password protected ZIP file
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Powershell drops PE file
Self deletion via cmd or bat file
Sigma detected: HackTool - Covenant PowerShell Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1703447 Sample: zLaDz1lChj.exe Startdate: 01/06/2025 Architecture: WINDOWS Score: 100 58 down.temp-xy.com 2->58 60 dkliltrf1f1vb.cloudfront.net 2->60 66 Drops password protected ZIP file 2->66 68 Joe Sandbox ML detected suspicious sample 2->68 70 Sigma detected: HackTool - Covenant PowerShell Launcher 2->70 72 3 other signatures 2->72 9 zLaDz1lChj.exe 11 2->9         started        signatures3 process4 dnsIp5 62 dkliltrf1f1vb.cloudfront.net 3.167.246.54, 443, 49693, 49696 AMAZON-02US United States 9->62 40 C:\Users\user\AppData\Local\...\tmp236.bat, ASCII 9->40 dropped 76 Self deletion via cmd or bat file 9->76 78 Bypasses PowerShell execution policy 9->78 80 Contains functionality to detect sleep reduction / modifications 9->80 14 powershell.exe 283 9->14         started        18 svpy.exe 73 9->18         started        20 cmd.exe 9->20         started        file6 signatures7 process8 file9 42 C:\Users\user\AppData\Local\...\winsound.pyd, PE32 14->42 dropped 44 C:\Users\user\AppData\...\vcruntime140.dll, PE32 14->44 dropped 46 C:\Users\user\AppData\...\unicodedata.pyd, PE32 14->46 dropped 56 95 other files (27 malicious) 14->56 dropped 82 Loading BitLocker PowerShell Module 14->82 84 Powershell drops PE file 14->84 22 conhost.exe 14->22         started        48 C:\Users\user\AppData\...\OneDrivePatcher.exe, PE32+ 18->48 dropped 50 C:\Users\user\AppData\...\msvcp140_1_app.dll, PE32+ 18->50 dropped 52 C:\...\api-ms-win-crt-process-l1-1-0.dll, PE32+ 18->52 dropped 54 C:\Users\user\...\UpdateRingSettings.dll, PE32+ 18->54 dropped 86 Suspicious powershell command line found 18->86 88 Adds a directory exclusion to Windows Defender 18->88 24 powershell.exe 18->24         started        27 powershell.exe 23 18->27         started        90 Uses ping.exe to sleep 20->90 92 Uses ping.exe to check the status of other devices and networks 20->92 29 PING.EXE 20->29         started        32 conhost.exe 20->32         started        signatures10 process11 dnsIp12 74 Loading BitLocker PowerShell Module 24->74 34 conhost.exe 24->34         started        36 WmiPrvSE.exe 24->36         started        38 conhost.exe 27->38         started        64 127.0.0.1 unknown unknown 29->64 signatures13 process14
Score:
31%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/4ffb180a561363cbac4b2e512039b58e3dcee36d7a22409cbfa315c343ed7295
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4ffb180a561363cbac4b2e512039b58e3dcee36d7a22409cbfa315c343ed7295/
Threat name:
Win32.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-05-30 18:52:58 UTC
File Type:
PE (Exe)
Extracted files:
223
AV detection:
11 of 24 (45.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j75rqcswcnr4xlclfzisaonvry645y3npirebhf7umk4gq7nokkq._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/250601-vzvbzazxft/
Behaviour
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/11fa00f1-b19e-4797-89b9-a8fca79b226c
Unpacked files
SH256 hash:
4ffb180a561363cbac4b2e512039b58e3dcee36d7a22409cbfa315c343ed7295
MD5 hash:
839bcd58ef0bbdccbc0e0a96eed6234e
SHA1 hash:
57a1708e4169ba49d374485fb2a6d080941987a7
Link:
https://www.unpac.me/results/0f8d3d91-386b-4359-a4ed-8cb4e649a10a/
SH256 hash:
64cfae7b224d31f179f01ccef6bd152f621105a581a5df8bd00aa73371b57aba
MD5 hash:
242d4e45afc3ec41f4aeb6c6dd0f0e36
SHA1 hash:
0820b8029faf4740464b16933eb9c34ab5ca42c7
Link:
https://www.unpac.me/results/0f8d3d91-386b-4359-a4ed-8cb4e649a10a/
SH256 hash:
dc3516c65036e305964105e11f6865e1d5a3b171d8d2f765fde18c8f36bf727c
MD5 hash:
317d2dfc6244a981ef100b8312f579a9
SHA1 hash:
e35dc1a7316c8bcba4cea481daf27b36ea3cc383
Link:
https://www.unpac.me/results/0f8d3d91-386b-4359-a4ed-8cb4e649a10a/
SH256 hash:
282af92d86475416194cebe4ceb1195fbf11627a55922ff4cbeed8ec08ee3cd8
MD5 hash:
e55eb9b476813090dca22e3060cf07fe
SHA1 hash:
1b2f0ba3aaee20705de1609471012bf74fa7f77e
Link:
https://www.unpac.me/results/0f8d3d91-386b-4359-a4ed-8cb4e649a10a/
SH256 hash:
c64cccff11d9228d2ea2feccf38ae23cee9fd9e4efc8761c3789007bd930739d
MD5 hash:
a53a34ea057bccecda6f9f2f72001170
SHA1 hash:
e409203478e2d9dc89c51a96b709594d5348bb7a
Link:
https://www.unpac.me/results/0f8d3d91-386b-4359-a4ed-8cb4e649a10a/
SH256 hash:
1481879949d2dd39d29c6fc7bfa29978298a537e406678493bd70a479e8128c2
MD5 hash:
e5d626d1a58b3a93f548d010b3b59a78
SHA1 hash:
b79c9f31d7c4c7cd40e7cf7bd233107bf5bcafe0
Link:
https://www.unpac.me/results/0f8d3d91-386b-4359-a4ed-8cb4e649a10a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4ffb180a561363cbac4b2e512039b58e3dcee36d7a22409cbfa315c343ed7295

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:possible_UAC0050_or_STICKYWEREWOLF_files
Create hunting rule
Author:rjones
Description:possible_UAC0050_or_STICKYWEREWOLF_files
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:win_rat_generic
Create hunting rule
Author:Reedus0
Description:Rule for detecting generic RAT malware
Rule name:yara_template
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 4ffb180a561363cbac4b2e512039b58e3dcee36d7a22409cbfa315c343ed7295

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3556142/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/6713/

Comments