MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 595008aa4b44fba657723ed4341e2eac04de2dfe017c936d9b0c5b0ad67dc398. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 13

Intelligence 13 IOCs YARA 6 File information Comments

SHA256 hash:	595008aa4b44fba657723ed4341e2eac04de2dfe017c936d9b0c5b0ad67dc398
SHA3-384 hash:	1e5b23452ee6b7b8f5053d05c5b61d18b4000a788bec5dc68c2ed884630552af68bf7ed74d979c130f307c0f8f5d6b1d
SHA1 hash:	6ec99c6f733402a93a498b8c7a5f8fd30e3034e7
MD5 hash:	3311eaab171ab340c31c4648d2c6a1d0
humanhash:	wolfram-island-mike-early
File name:	file
Download:	download sample
File size:	540'164 bytes
First seen:	2025-09-04 11:14:35 UTC
Last seen:	2025-09-04 11:14:43 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	8b9f259ac496902883e094dacec772f9
ssdeep	12288:zri0wElNpkHW2vzVu00h6aCLw6AiH/Rmc:60lPUNXhw6AiH/8c
TLSH	T135B47C11B586D032C95715B15AB9DFB99A7DFC704FA064CB73C41FBA8E202C26B31B1A
TrID	32.2% (.EXE) Win64 Executable (generic) (10522/11/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4504/4/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey exe

Bitsight

url: http://178.16.55.189/files/1540890878/VqMidaQ.exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

595008aa4b44fba657723ed4341e2eac04de2dfe017c936d9b0c5b0ad67dc398.bin.exe

Verdict:

Malicious activity

Analysis date:

2025-09-04 10:57:28 UTC

Tags:

ims-api generic

Link:

https://app.any.run/tasks/d5dadd09-2c9f-42f4-878b-7047d4802428

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/25029/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68b97502eb163e0ec18450e8

Tags:

injection virus zusy

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Creating a process from a recently created file

Creating a process with a hidden window

DNS request

Connection attempt

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Connection attempt to an infection source

Enabling autorun by creating a file

Sending an HTTP POST request to an infection source

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-vm base64 crypto fingerprint hacktool microsoft_visual_cc overlay overlay threat

Link:

https://www.filescan.io/uploads/68b974f4564e61a821550d7c/reports/8cedfc49-c58c-46a5-910f-21eaa9de7550/overview

Verdict:

Malicious

Labled as:

Fragtor.Generic

Link:

https://www.hybrid-analysis.com/sample/595008aa4b44fba657723ed4341e2eac04de2dfe017c936d9b0c5b0ad67dc398

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-09-04T09:34:00Z UTC

Last seen:

2025-09-04T09:34:00Z UTC

Hits:

~100

Detections:

Trojan-Downloader.Win32.Agent.xydjjf Trojan-Downloader.Win32.Agent Trojan-Downloader.Agent.TCP.C&C Trojan-Downloader.Agent.HTTP.C&C Trojan-Dropper.Win32.Dapato.sfjc Trojan-Downloader.Win32.Agent.xydjiu PDM:Trojan.Win32.Generic

Link:

https://opentip.kaspersky.com/595008aa4b44fba657723ed4341e2eac04de2dfe017c936d9b0c5b0ad67dc398/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/779428d2-b15b-4148-851d-65c6f59d9328

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/595008aa4b44fba657723ed4341e2eac04de2dfe017c936d9b0c5b0ad67dc398

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/3311eaab171ab340c31c4648d2c6a1d0

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/595008aa4b44fba657723ed4341e2eac04de2dfe017c936d9b0c5b0ad67dc398/

Verdict:

Malicious

Threat:

Win32.Ransomware.Heuristic

Link:

https://tip.neiki.dev/file/595008aa4b44fba657723ed4341e2eac04de2dfe017c936d9b0c5b0ad67dc398

Threat name:

Win32.Trojan.Amadey

Status:

Malicious

First seen:

2025-09-04 10:57:29 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lfiarkslit52mv3sh3kdihrovqcn4lp6af6jg3m3brnqvvt5yoma._file

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery

Link:

https://tria.ge/reports/250904-nc4tkat1ay/

Behaviour

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Checks computer location settings

Executes dropped EXE

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/23edff9c-1e41-48be-b54a-943f2d0c9353

Unpacked files

SH256 hash:

595008aa4b44fba657723ed4341e2eac04de2dfe017c936d9b0c5b0ad67dc398

MD5 hash:

3311eaab171ab340c31c4648d2c6a1d0

SHA1 hash:

6ec99c6f733402a93a498b8c7a5f8fd30e3034e7

Link:

https://www.unpac.me/results/73d8fff2-80dc-4cb2-baed-4f7ccab38686/

SH256 hash:

26bd8ce72a5e0377a57cdce240a006c3b2a7a04bc6a250b9b609d2c9613ea45d

MD5 hash:

89a014fec8e2a43ae5a857b54dbbe712

SHA1 hash:

7e7db4345b278dbf7e079293fcdd1e9903992d6f

Link:

https://www.unpac.me/results/73d8fff2-80dc-4cb2-baed-4f7ccab38686/

SH256 hash:

c8ae1e4b0a8b4a19cbe9c6dd5c4a82a41d6fea6305c3d9bd6d6b7594249b02b7

MD5 hash:

d9209c0a2693ed0eeac95d46fe8b4e09

SHA1 hash:

61644fd46348b2a72a85aa90695fa464e5f863c1

Link:

https://www.unpac.me/results/73d8fff2-80dc-4cb2-baed-4f7ccab38686/

SH256 hash:

41981aed607fff042cd20c3414a30e997e9db510f24b2c95eae1b40c5cebbf65

MD5 hash:

6a8ccf1e33574823d4b2d622bc04a1ee

SHA1 hash:

5d1c698b94e104bd895644f27ac2ee302c4f12bc

Link:

https://www.unpac.me/results/73d8fff2-80dc-4cb2-baed-4f7ccab38686/

SH256 hash:

c7c7fd2c14a950c7f84800bb4f388b83aff46c2c46d9f9690eb48abaacadcb5d

MD5 hash:

759094ff62f21bb2b1f0cb3581204433

SHA1 hash:

5e8f127eded48aa76ff53a722d95dc628386498b

Link:

https://www.unpac.me/results/73d8fff2-80dc-4cb2-baed-4f7ccab38686/

SH256 hash:

20c498d55bda589253a5d6a21d0ed3a0eb00f5b490d132deb4234750dab92d2e

MD5 hash:

b1b90c9fec6bcb527f8212f18a3d0b93

SHA1 hash:

bdcb89519e0d630c55e6004c82e1d561e92da364

Link:

https://www.unpac.me/results/73d8fff2-80dc-4cb2-baed-4f7ccab38686/

SH256 hash:

1f615b3b50061e1946f1b88a5cac9e41119c37dc690e5e8457b180d320075210

MD5 hash:

10ca55752b07daa58c6d74565b96eb30

SHA1 hash:

ee9c2cfe1e9d285dca78c50886cfbdd9cc26b821

Link:

https://www.unpac.me/results/73d8fff2-80dc-4cb2-baed-4f7ccab38686/

SH256 hash:

613813eb542bd797199be730fba92b4dd93affa5727cba5758390995fa2ca3c0

MD5 hash:

3203d4f5baf76d6bc89989d5b29466b4

SHA1 hash:

86e4ec499d2f6da5748b13da90737082f229c3ba

Link:

https://www.unpac.me/results/73d8fff2-80dc-4cb2-baed-4f7ccab38686/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/595008aa4b44fba657723ed4341e2eac04de2dfe017c936d9b0c5b0ad67dc398

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	telegram_bot_api Create hunting rule
Author:	rectifyq
Description:	Detects file containing Telegram Bot API

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 595008aa4b44fba657723ed4341e2eac04de2dfe017c936d9b0c5b0ad67dc398

(this sample)

Dropped by

Amadey

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3617221/

URLhaus

https://urlhaus.abuse.ch/url/3617224/

Cape

https://www.capesandbox.com/analysis/25029/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample