MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a292c7db24da2bc92d342d34f4998fe79c56c8d486f6d46ed526d5a9b17a5bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 14


Intelligence 14 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5a292c7db24da2bc92d342d34f4998fe79c56c8d486f6d46ed526d5a9b17a5bc
SHA3-384 hash: 4e111c5fce1c82677dd9416c0985e15e927480ee3d2bfefee21532e5a11c5e85cce6cb396d1296ee293037321abe7b4e
SHA1 hash: bcf0978c847c7ea8b0deed5d39f37c3ab8c6795f
MD5 hash: a1f568c1961bea57ad26ef28e266e67e
humanhash: seventeen-pizza-fruit-butter
File name:a1f568c1961bea57ad26ef28e266e67e.exe
Download: download sample
File size:682'536 bytes
First seen:2025-06-16 12:19:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8035424c0cddf72a240c7dfefe26c35f (14 x LummaStealer, 2 x ResolverRAT, 2 x Vidar)
ssdeep 12288:HvKvUn0m3udgxh2pVatrM/+T4laVRuFTb8jKfIdCs6REO:HvKvU0m3udgxhoVau/O4UVRuF0mfvt
TLSH T1C3E47C29925662DAFC6A40BB4561A154B9B2B922C7382FFF4390E3331E07BD81F3D754
TrID 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
344
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
http://185.156.72.2/testmine/random.exe
Verdict:
Malicious activity
Analysis date:
2025-06-14 19:19:32 UTC
Tags:
loader amadey botnet stealer rdp remote xworm meduza purehvnc netreactor lumma telegram arch-exec auto github gcleaner crypto-regex evasion generic
Link:
https://app.any.run/tasks/9571e171-c823-4a5b-949b-4fd6a87d79a1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/9650/
Detection(s):
Win.Packed.Agen-10045323-0
Create hunting rule

Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68500c148bd5d68a12e8d585
Tags:
clipbanker injection virus crypt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
Creating a window
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
crypt fingerprint invalid-signature microsoft_visual_cc packed packed packer_detected signed
Link:
https://www.filescan.io/uploads/68500c10fd02ed5e05ad3ce5/reports/581058e6-4563-4d35-b3b6-eabb01dd821a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/5a292c7db24da2bc92d342d34f4998fe79c56c8d486f6d46ed526d5a9b17a5bc
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/3622f11e-de1b-4065-ba71-d76106630985
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1715468
Signature
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1715468 Sample: 43i1QNB6IO.exe Startdate: 16/06/2025 Architecture: WINDOWS Score: 64 16 pki-goog.l.google.com 2->16 18 c.pki.goog 2->18 20 Multi AV Scanner detection for submitted file 2->20 22 Joe Sandbox ML detected suspicious sample 2->22 7 43i1QNB6IO.exe 1 2->7         started        signatures3 process4 signatures5 24 Writes to foreign memory regions 7->24 26 Allocates memory in foreign processes 7->26 28 Injects a PE file into a foreign processes 7->28 10 MSBuild.exe 7->10         started        12 conhost.exe 7->12         started        14 MSBuild.exe 7->14         started        process6
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5a292c7db24da2bc92d342d34f4998fe79c56c8d486f6d46ed526d5a9b17a5bc
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5a292c7db24da2bc92d342d34f4998fe79c56c8d486f6d46ed526d5a9b17a5bc/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-06-14 18:13:29 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
20 of 36 (55.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=liusy7nsjwrlzewtilju6smy7z44k3enjbxw2rxnkjwvvgyxuw6a._file
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/250616-phzbpsyyav/
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Verdict:
Malicious
Tags:
Win.Packed.Agen-10045323-0
YARA:
n/a
Link:
https://app.threat.zone/submission/b5c44ceb-547f-4cb6-b570-dd59a7309c44
Unpacked files
SH256 hash:
5a292c7db24da2bc92d342d34f4998fe79c56c8d486f6d46ed526d5a9b17a5bc
MD5 hash:
a1f568c1961bea57ad26ef28e266e67e
SHA1 hash:
bcf0978c847c7ea8b0deed5d39f37c3ab8c6795f
Link:
https://www.unpac.me/results/e1b29d9d-90bd-449b-8e4c-551587c41e02/
Malware family:
Phorpiex
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5a292c7db24d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/5a292c7db24da2bc92d342d34f4998fe79c56c8d486f6d46ed526d5a9b17a5bc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/9650/

Comments