MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6898906ac19ea005c0a4868015e5b0039f81de9aee17e5a95e0ec91fd3012464. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6898906ac19ea005c0a4868015e5b0039f81de9aee17e5a95e0ec91fd3012464
SHA3-384 hash: 43e61fa629c6c4ca53dc6184bbea009be98f6c32504dacc3c7da5310ace38f214da67ad957b04124a4a597d8c9b9fdc0
SHA1 hash: 663ffffa9eb6eb5b5796795e7e667f60967b9745
MD5 hash: 206c6d907a2da777106866f71154c54c
humanhash: virginia-carolina-violet-berlin
File name:msPC0SC.exe
Download: download sample
File size:18'432 bytes
First seen:2025-09-17 12:53:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 384:e5pzoIDgDS4+dGc5kYfq+82lvZwC9ha8kOEU59L0M8H1Sqt86qQdVQol:eaSnVxfqS9sk59L0MUSqtRdKol
TLSH T175820906B3FD8218F1FF4B756D7A47000775FA57AA32C60E0AD9845D1A71B609EA0BB3
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
59
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
random.exe
Verdict:
Malicious activity
Analysis date:
2025-09-16 15:33:55 UTC
Tags:
lumma stealer auto redline amadey unlocker-eject tool arch-exec botnet loader evasion telegram gcleaner auto-reg themida auto-startup coinminer miner stealc vidar exfiltration ms-smartcard rdp ims-api generic
Link:
https://app.any.run/tasks/70deb728-ca12-49ac-b66e-7d5ef9e21a06

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/27923/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68caaf9c88b9544392473922
Tags:
shell micro sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Launching a service
Launching a process
Loading a system driver
Launching the process to change the firewall settings
Searching for synchronization primitives
Creating a file
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/6898906ac19ea005c0a4868015e5b0039f81de9aee17e5a95e0ec91fd3012464
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-16T13:57:00Z UTC
Last seen:
2025-09-16T13:57:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/6898906ac19ea005c0a4868015e5b0039f81de9aee17e5a95e0ec91fd3012464/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/e4b3ebf1-2688-4e3a-8eeb-3611b50f7ba6
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1779242
Signature
Adds a new user with administrator rights
Bypasses PowerShell execution policy
Contains functionality to start a terminal service
Disables Windows Defender (via service or powershell)
Enables remote desktop connection
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies the windows firewall
Modifies Windows Defender protection settings
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Self deletion via cmd or bat file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Suspicious Add User to Remote Desktop Users Group
Suricata IDS alerts for network traffic
Uses netsh to modify the Windows network and firewall settings
Uses the Telegram API (likely for C&C communication)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1779242 Sample: msPC0SC.exe Startdate: 17/09/2025 Architecture: WINDOWS Score: 100 47 api.telegram.org 2->47 49 ip-api.com 2->49 51 api.ipify.org 2->51 61 Suricata IDS alerts for network traffic 2->61 63 Multi AV Scanner detection for submitted file 2->63 65 Contains functionality to start a terminal service 2->65 69 4 other signatures 2->69 8 msPC0SC.exe 14 5 2->8         started        13 svchost.exe 1 1 2->13         started        15 rdpdr.sys 8 2->15         started        17 3 other processes 2->17 signatures3 67 Uses the Telegram API (likely for C&C communication) 47->67 process4 dnsIp5 53 ip-api.com 208.95.112.1, 49692, 80 TUT-ASUS United States 8->53 55 api.telegram.org 149.154.167.220, 443, 49693, 49696 TELEGRAMRU United Kingdom 8->55 57 api.ipify.org 172.67.74.152, 443, 49689 CLOUDFLARENETUS United States 8->57 45 C:\Users\user\AppData\...\msPC0SC.exe.log, CSV 8->45 dropped 75 Contains functionality to start a terminal service 8->75 77 Self deletion via cmd or bat file 8->77 79 Bypasses PowerShell execution policy 8->79 81 7 other signatures 8->81 19 net.exe 8->19         started        22 powershell.exe 32 8->22         started        24 powershell.exe 23 8->24         started        26 11 other processes 8->26 59 127.0.0.1 unknown unknown 13->59 file6 signatures7 process8 signatures9 71 Contains functionality to start a terminal service 19->71 28 net1.exe 19->28         started        31 conhost.exe 19->31         started        73 Loading BitLocker PowerShell Module 22->73 33 conhost.exe 22->33         started        35 conhost.exe 24->35         started        37 conhost.exe 26->37         started        39 conhost.exe 26->39         started        41 conhost.exe 26->41         started        43 13 other processes 26->43 process10 signatures11 83 Contains functionality to start a terminal service 28->83
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6898906ac19ea005c0a4868015e5b0039f81de9aee17e5a95e0ec91fd3012464
Verdict:
inconclusive
YARA:
12 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.35 Win 32 Exe x86
Link:
https://app.malva.re/file/206c6d907a2da777106866f71154c54c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6898906ac19ea005c0a4868015e5b0039f81de9aee17e5a95e0ec91fd3012464/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Suspicious
First seen:
2025-09-16 17:21:52 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
20 of 38 (52.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ncmja2wbt2qalqfeq2ablznqaopydxu25yl6lkk6b3er7uybersa._file
Result
Malware family:
n/a
Score:
  9/10
Tags:
defense_evasion discovery execution lateral_movement persistence privilege_escalation
Link:
https://tria.ge/reports/250917-p6j7paztby/
Behaviour
Delays execution with timeout.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Event Triggered Execution: Netsh Helper DLL
Permission Groups Discovery: Local Groups
Hide Artifacts: Ignore Process Interrupts
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Modifies RDP port number used by Windows
Modifies Windows Firewall
Grants admin privileges
Remote Service Session Hijacking: RDP Hijacking
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a09a6713-ed82-4dc9-b179-bd3759116259
Unpacked files
SH256 hash:
6898906ac19ea005c0a4868015e5b0039f81de9aee17e5a95e0ec91fd3012464
MD5 hash:
206c6d907a2da777106866f71154c54c
SHA1 hash:
663ffffa9eb6eb5b5796795e7e667f60967b9745
Link:
https://www.unpac.me/results/5eebdd3c-bcb4-4305-9664-e1ea7788eaaa/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6898906ac19e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6898906ac19ea005c0a4868015e5b0039f81de9aee17e5a95e0ec91fd3012464

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telegram_bot_api
Create hunting rule
Author:rectifyq
Description:Detects file containing Telegram Bot API

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 6898906ac19ea005c0a4868015e5b0039f81de9aee17e5a95e0ec91fd3012464

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3625156/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/27923/

Comments