MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5adec34dbd4c68769ffa5abdb7c0424b5cdf56a4f925e8b87c53cf4a5294afe6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 16



SHA256 hash: 5adec34dbd4c68769ffa5abdb7c0424b5cdf56a4f925e8b87c53cf4a5294afe6
SHA3-384 hash: c2fcb4ef3522046ff55567d3f6a7fc127ba61e9443d72c08ea2e9c98f108a8b3562f846f6e3221c119b14e8aefe072f8
SHA1 hash: 67020f2f8e494bb2a56807e4a3354120b4077b8a
MD5 hash: f52f583c314702bbfe3b7d804469351c
humanhash: uncle-yankee-yellow-charlie
File name: file
File size: 2'955'948 bytes
First seen: 2025-11-12 17:27:44 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f6baa5eaa8231d4fe8e922a2e6d240ea (61 x CoinMiner, 22 x DCRat, 15 x LummaStealer)
ssdeep 49152:IgwRV8UhSoTsnfN9kA0K6zocCchjZcKCKPcYfhVT9Zns80Yoh7M17+PmOv4O3nu4:IgwRV8U6ffr6cCjdCwcyVbnxXoh7OSmw
Threatray 14 similar samples on MalwareBazaar
TLSH T195D5335377A900F4D6F316B0206653AA5D7F9FE12B2606D712883B0B5EF18C7923739A
TrID 38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
24.6% (.EXE) Win64 Executable (generic) (10522/11/4)
11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.7% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter Bitsight
Tags: dropped-by-amadey exe fbf543


Bitsight
url: http://178.16.54.200/files/8079848160/65DNQEL.exe

Intelligence


File Origin
# of uploads :
1
# of downloads :
119
Origin country :
US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5adec34dbd4c68769ffa5abdb7c0424b5cdf56a4f925e8b87c53cf4a5294afe6.bin.exe
Verdict:
Malicious activity
Analysis date:
2025-11-12 17:28:08 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
92.5%
Tags:
shell spawn sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a custom TCP request
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
Creating a file in the Program Files subdirectories
Launching cmd.exe command interpreter
Creating a service
Launching a service
Creating synchronization primitives
Creating a file
Moving a recently created file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Enabling autorun for a service
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
adaptive-context fingerprint installer installer keylogger microsoft_visual_cc overlay overlay ransomware
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-12T14:33:00Z UTC
Last seen:
2025-11-14T00:52:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan-Ransom.Win32.Generic HEUR:Trojan.PowerShell.Generic HEUR:HackTool.Win64.NoDefender.a HEUR:HackTool.PowerShell.InvokeObfuscation.gen Trojan.PowerShell.Kriptik.sba BSS:HackTool.Win32.Yzon.a Trojan.PowerShell.Cobalt.sb
Verdict:
Malware
YARA:
5 match(es)
Tags:
DeObfuscated Executable PE (Portable Executable) PE File Layout PowerShell SFX 7z Win 32 Exe x86
Threat name:
Win32.Ransomware.Pay2Key
Status:
Suspicious
First seen:
2025-11-12 17:28:09 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
12 of 23 (52.17%)
Threat level:
5/5
Unpacked files
SHA256 hash:
5adec34dbd4c68769ffa5abdb7c0424b5cdf56a4f925e8b87c53cf4a5294afe6
MD5 hash:
f52f583c314702bbfe3b7d804469351c
SHA1 hash:
67020f2f8e494bb2a56807e4a3354120b4077b8a
SHA256 hash:
317f8866f1b5b832a70881662fe82ab2213e7f807f3ebad4f8f9f0092a2db1e1
MD5 hash:
3a7b536656264d2c98ea8fe1f232136e
SHA1 hash:
a4b6829550f91d88dcd13de393ab0e3530ed7639
SHA256 hash:
b6301160d2cceb9df1bb2d0548d65c31ecc38b694fa5efe67899935f19870fce
MD5 hash:
46857dedd8ea45006ec3ebff24739f8b
SHA1 hash:
47bd7d9f2eb13d178327769b964043887258390e
SHA256 hash:
f457b1cb1b146ab07117e34dc50881ef787946a0311467d82469fdaa3e54884c
MD5 hash:
52b7073101ce2f83c85ed698f1ee0445
SHA1 hash:
cd2f016c79de7d4bf20d1366cc9483b610b4ffc2
Please note that we are no longer able to provide a coverage score for Virus Total.
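The digests listed above (for the dropped sample and the three other unpacked files) and the delivery URL from the reporter's comment can be turned directly into a local IOC check. The Python below is an added example; it is not part of the MalwareBazaar entry nor any vendor's tooling. The hash values and the URL are copied from this page; the file bytes, the proxy log lines and their column layout are constructed for the demonstration, and the "dropped sample" / "unpacked file" labels are ours.

```python
import hashlib
from urllib.parse import urlsplit

# Digests copied from this entry: the dropped sample and the three other unpacked files.
# The labels are ours; the entry lists only the hash values.
KNOWN_SHA256 = {
    "5adec34dbd4c68769ffa5abdb7c0424b5cdf56a4f925e8b87c53cf4a5294afe6": "dropped sample",
    "317f8866f1b5b832a70881662fe82ab2213e7f807f3ebad4f8f9f0092a2db1e1": "unpacked file",
    "b6301160d2cceb9df1bb2d0548d65c31ecc38b694fa5efe67899935f19870fce": "unpacked file",
    "f457b1cb1b146ab07117e34dc50881ef787946a0311467d82469fdaa3e54884c": "unpacked file",
}
KNOWN_SHA3_384 = {
    "c2fcb4ef3522046ff55567d3f6a7fc127ba61e9443d72c08ea2e9c98f108a8b3562f846f6e3221c119b14e8aefe072f8": "dropped sample",
}
KNOWN_SHA1 = {
    "67020f2f8e494bb2a56807e4a3354120b4077b8a": "dropped sample",
    "a4b6829550f91d88dcd13de393ab0e3530ed7639": "unpacked file",
    "47bd7d9f2eb13d178327769b964043887258390e": "unpacked file",
    "cd2f016c79de7d4bf20d1366cc9483b610b4ffc2": "unpacked file",
}
KNOWN_MD5 = {
    "f52f583c314702bbfe3b7d804469351c": "dropped sample",
    "3a7b536656264d2c98ea8fe1f232136e": "unpacked file",
    "46857dedd8ea45006ec3ebff24739f8b": "unpacked file",
    "52b7073101ce2f83c85ed698f1ee0445": "unpacked file",
}
TABLES = (("sha256", KNOWN_SHA256), ("sha3_384", KNOWN_SHA3_384),
          ("sha1", KNOWN_SHA1), ("md5", KNOWN_MD5))

# Delivery URL from the reporter's comment on this entry.
DOWNLOAD_URL = "http://178.16.54.200/files/8079848160/65DNQEL.exe"
DOWNLOAD_HOST = urlsplit(DOWNLOAD_URL).hostname


def _new_hashers():
    return {"sha256": hashlib.sha256(), "sha3_384": hashlib.sha3_384(),
            "sha1": hashlib.sha1(), "md5": hashlib.md5()}


def digest_bytes(data: bytes) -> dict:
    """All four digests of an in-memory blob, lowercase hex, keyed by algorithm name."""
    hashers = _new_hashers()
    for h in hashers.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_file(path, chunk_size=1 << 20) -> dict:
    """Same digests as digest_bytes, streamed so a multi-MB dropper is not read whole."""
    hashers = _new_hashers()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_hashes(digests: dict) -> list:
    """Return (algorithm, digest, label) for every IOC table the digests hit.
    Hash IOCs are exact: one changed byte breaks the match, so a miss is not a clean
    bill of health. A hit on md5 or sha1 without the matching sha256 deserves a second
    look, since those algorithms are collision-prone."""
    hits = []
    for algo, table in TABLES:
        value = digests.get(algo, "").lower()
        label = table.get(value)
        if label is not None:
            hits.append((algo, value, label))
    return hits


def match_url_log(lines) -> list:
    """Return (line_number, url) for log lines whose last column is the delivery URL
    or any URL on the same host. The log layout (URL in the last whitespace-separated
    column) is an assumption made for this example."""
    hits = []
    for number, line in enumerate(lines, 1):
        parts = line.split()
        if not parts:
            continue
        url = parts[-1]
        if url == DOWNLOAD_URL or urlsplit(url).hostname == DOWNLOAD_HOST:
            hits.append((number, url))
    return hits


# Constructed proxy log lines for a stand-alone run; not data from the entry.
SAMPLE_LOG = [
    "2025-11-12T17:30:01Z 10.0.0.5 GET http://178.16.54.200/files/8079848160/65DNQEL.exe",
    "2025-11-12T17:30:02Z 10.0.0.6 GET https://example.com/index.html",
    "2025-11-12T17:30:03Z 10.0.0.7 GET http://178.16.54.200/other.bin",
]

if __name__ == "__main__":
    # Constructed bytes stand in for a quarantined file; use digest_file(path) on a real one.
    print("hash hits:", match_hashes(digest_bytes(b"MZ constructed benign bytes")))
    print("url hits:", match_url_log(SAMPLE_LOG))
```

To check a quarantined file, call match_hashes(digest_file(path)); the host match in match_url_log is deliberately broader than the exact URL, because the entry's imphash and ssdeep neighbours suggest the same infrastructure may serve other payloads, and any fetch from that host is worth triaging.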

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Sample: Executable exe 5adec34dbd4c68769ffa5abdb7c0424b5cdf56a4f925e8b87c53cf4a5294afe6 (this sample)
Dropped by: Amadey
Delivery method: Distributed via web download

Comments