MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ab8b8ee8208745265bf714279396944efe031eb8ce646339112bf46a8da7486. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5ab8b8ee8208745265bf714279396944efe031eb8ce646339112bf46a8da7486
SHA3-384 hash: c1e25e789c4e4a077133c8718eb77c5489f2c5d8325f24ec6ed18fd306bbc1c9cb226b703f7864a38e083a5d5caf0ef6
SHA1 hash: 027da6f99d69f3c37feec2a9dc266d7908406393
MD5 hash: 7e104aa64d042fe09c080fe583d4a44e
humanhash: blue-mars-skylark-wyoming
File name:file
Download: download sample
File size:7'742'320 bytes
First seen:2026-02-05 12:59:33 UTC
Last seen:2026-02-05 13:31:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 40ab50289f7ef5fae60801f88d4541fc (59 x ValleyRAT, 49 x Gh0stRAT, 41 x OffLoader)
ssdeep 196608:B+euj7ILxyqlXdUalxGr82Q8E807sge6gdebVbtzJL/RqTh:BijKyqJZd8E8xoggbLRRqTh
TLSH T131762313B2CBE03EF55A0B3B05B2A16894FBB6616823BD56D6F4849CCF290501E3E757
TrID 49.8% (.EXE) Inno Setup installer (107240/4/30)
20.0% (.EXE) InstallShield setup (43053/19/16)
19.3% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.8% (.EXE) Win64 Executable (generic) (10522/11/4)
2.0% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe fbf543


Avatar
Bitsight
url: http://130.12.180.43/files/7103746036/o9hkwIZ.exe

Intelligence

File Origin
# of uploads :
11
# of downloads :
135
Origin country :
US US
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/c74a2450-0dad-49b0-8910-c8ce5506ad37/
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Suspicious activity
Analysis date:
2026-02-05 13:00:47 UTC
Tags:
stealer upx
Link:
https://app.any.run/tasks/91758f2f-0f74-443e-9234-7f60b12a746a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/51807/
Gathering data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug embarcadero_delphi fingerprint inno installer installer installer-heuristic packed soft-404
Link:
https://www.filescan.io/uploads/69849469930564ff3c8cca77/reports/c896c5af-c628-4a19-8f98-adf36f52ac11/overview
Verdict:
Malicious
Labled as:
Trojan.DOMG
Link:
https://www.hybrid-analysis.com/sample/5ab8b8ee8208745265bf714279396944efe031eb8ce646339112bf46a8da7486
Verdict:
Malicious
File Type:
exe x32
Detections:
Trojan.Win32.Gatak.sb Trojan.Win32.AntiAV.sb Trojan.Win32.DLLhijack.sb Trojan.Win32.DLLhijack.aedh Trojan-Spy.Win32.SpyEyes Trojan-PSW.Win32.Lumma.sb Trojan-PSW.Win32.Lumma.aawq Trojan.Win64.Reflo.sb Trojan.Win32.Mansabo.sb Trojan.Agent.UDP.ServerRequest
Link:
https://opentip.kaspersky.com/5ab8b8ee8208745265bf714279396944efe031eb8ce646339112bf46a8da7486/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/b3d904ad-9011-4f8b-8e68-87c0dac8c845
Score:
21%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/5ab8b8ee8208745265bf714279396944efe031eb8ce646339112bf46a8da7486
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/7e104aa64d042fe09c080fe583d4a44e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5ab8b8ee8208745265bf714279396944efe031eb8ce646339112bf46a8da7486/
Verdict:
Susipicious
Link:
https://tip.neiki.dev/file/5ab8b8ee8208745265bf714279396944efe031eb8ce646339112bf46a8da7486
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lk4lr3ucbb2fezn7ofbhsoljitx6amplrttemm4rck7unkg2osda._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
defense_evasion discovery installer privilege_escalation upx
Link:
https://tria.ge/reports/260205-p8ttxabs8a/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Inno Setup is an open-source installation builder for Windows applications.
Access Token Manipulation: Create Process with Token
Enumerates physical storage devices
System Location Discovery: System Language Discovery
UPX packed file
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
5ab8b8ee8208745265bf714279396944efe031eb8ce646339112bf46a8da7486
MD5 hash:
7e104aa64d042fe09c080fe583d4a44e
SHA1 hash:
027da6f99d69f3c37feec2a9dc266d7908406393
Link:
https://www.unpac.me/results/f87ef6c7-d602-49be-bf32-0a2ffb1afd8d/
SH256 hash:
fbbe6c5046227219613e7d5722b5ca637dfd2244855a4bb9566f6dfd883b5c30
MD5 hash:
f1f6a99d2e78e2fbffc328ea42903756
SHA1 hash:
864165de93d298f99a0ed7190fb2b72c411c737b
Link:
https://www.unpac.me/results/f87ef6c7-d602-49be-bf32-0a2ffb1afd8d/
SH256 hash:
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95
MD5 hash:
e4211d6d009757c078a9fac7ff4f03d4
SHA1 hash:
019cd56ba687d39d12d4b13991c9a42ea6ba03da
Link:
https://www.unpac.me/results/f87ef6c7-d602-49be-bf32-0a2ffb1afd8d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5ab8b8ee8208745265bf714279396944efe031eb8ce646339112bf46a8da7486

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:dgaagas
Create hunting rule
Author:Harshit
Description:Uses certutil.exe to download a file named test.txt
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:Heuristics_ChromeABE
Create hunting rule
Author:Still
Description:attempts to match instructions related to Chrome App-bound Encryption elevation service; possibly spotted amongst infostealers
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:ProgramLanguage_Rust
Create hunting rule
Author:albertzsigovits
Description:Application written in Rust programming language
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:ReflectiveLoader
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:Internal Research
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 5ab8b8ee8208745265bf714279396944efe031eb8ce646339112bf46a8da7486

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3772472/
Cape
Cape
https://www.capesandbox.com/analysis/51807/

Comments