MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6be4baff25038f2556b225aa99f0cab4638b99f87e9999ef223e11c96615542a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	6be4baff25038f2556b225aa99f0cab4638b99f87e9999ef223e11c96615542a
SHA3-384 hash:	5fe0644881ab3d0f8cc70a1147aae96174886c7f7a80d8e87c957cd05cf903e0bdb2f3dada9229439d8556aeacb0f084
SHA1 hash:	ba5ee8779201633b45ef95e8d68279e3b50ce62c
MD5 hash:	155909267e7eb23b0045346a34170a6d
humanhash:	fish-london-blue-sixteen
File name:	SecuriteInfo.com.Win64.MalwareX-gen.62364341
Download:	download sample
File size:	2'594'816 bytes
First seen:	2025-10-22 06:26:07 UTC
Last seen:	2025-10-22 07:20:45 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	744b8668340c0780ea1865df1a6c1af5
ssdeep	49152:KYLpqCHFouBSS4kP+huNn7ubhsgKWygm2nPsj:M0Fou7LPZNn7ubnegBsj
Threatray	1'205 similar samples on MalwareBazaar
TLSH	T1F3C57CC16ED74092E5BDC3B091F2504EF12EBED84E2BC66B3318D468ECA6809D756376
TrID	33.4% (.EXE) OS/2 Executable (generic) (2029/13) 33.0% (.EXE) Generic Win/DOS Executable (2002/3) 33.0% (.EXE) DOS Executable Generic (2000/1) 0.4% (.VXD) VXD Driver (29/21)
Magika	pebin
Reporter	SecuriteInfoCom
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ANcm15m.exe

Verdict:

Malicious activity

Analysis date:

2025-10-22 06:11:52 UTC

Tags:

rhadamanthys stealer anti-evasion

Link:

https://app.any.run/tasks/e7d7f8ac-3fb5-4c2b-b525-8f4227eb271d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/33700/

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68f875a83edd081eba40a0ae

Tags:

shellcode spawn

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Launching a process

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Detecting VM

Connection attempt

DNS request

Sending a UDP request

Reading critical registry keys

Searching for the window

Unauthorized injection to a system process

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

amadey anti-debug packed unsafe zero

Link:

https://www.filescan.io/uploads/68f87928c67f5a3f3d591083/reports/eb2c5989-919f-4f1f-aca6-4cb9d332ad5e/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/6be4baff25038f2556b225aa99f0cab4638b99f87e9999ef223e11c96615542a

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-10-21T05:12:00Z UTC

Last seen:

2025-10-23T23:48:00Z UTC

Hits:

~100

Detections:

VHO:Trojan-PSW.Win32.Crypt.gen Trojan.Win64.SBEscape.sb Trojan.Win64.SBEscape.bob Trojan.Win32.Inject.sb Trojan.Win32.Agent.sb Trojan.Win32.Crypt.sb

Link:

https://opentip.kaspersky.com/6be4baff25038f2556b225aa99f0cab4638b99f87e9999ef223e11c96615542a/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/d23ac3ac-b80e-4781-a1aa-9184909733fe

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/6be4baff25038f2556b225aa99f0cab4638b99f87e9999ef223e11c96615542a

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/155909267e7eb23b0045346a34170a6d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6be4baff25038f2556b225aa99f0cab4638b99f87e9999ef223e11c96615542a/

Verdict:

Malicious

Threat:

Family.RHADAMANTHYS

Link:

https://tip.neiki.dev/file/6be4baff25038f2556b225aa99f0cab4638b99f87e9999ef223e11c96615542a

Threat name:

Win64.Trojan.Amadey

Status:

Suspicious

First seen:

2025-10-21 10:07:41 UTC

File Type:

PE+ (Exe)

AV detection:

23 of 37 (62.16%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=npslv7zfaohskvvsewvjt4gkwrryxgpyp2mzt3zchyi4szqvkqva._file

Verdict:

suspicious

Label(s):

rhadamanthys

415c17f6478a1ae3396eee646a2025c9c531d25becb62dc460e2815fb5d34e07

6c0c809060dca43795f724aeae924802bc4cac170c48053a74f9c97d85460573

72acf597de6ade41537a8d9d153e89064168ed780feeffc66ecf3081922fd87d

7adcc8466d2e071c926f0fdf9b5a601de304ef017df7d5cc0a1032b85783aad5

7f2b86e0352b6ceddfdbc7d74cd277cc1b084a673a6c9e6a1a4e0e341d6f0e36

9d76c0ca960c251fa95e9414b787f440382e6154773750994408fb9b5f2557d2

ebc55cc0e1d70ff4da31e7700b5fc34d089a9ff35e2fc6bbd592f5b687559ceb

error

+ 1'195 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

n/a

Link:

https://tria.ge/reports/251022-g7h21shw4g/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtCreateUserProcessOtherParentProcess

Unpacked files

SH256 hash:

6be4baff25038f2556b225aa99f0cab4638b99f87e9999ef223e11c96615542a

MD5 hash:

155909267e7eb23b0045346a34170a6d

SHA1 hash:

ba5ee8779201633b45ef95e8d68279e3b50ce62c

Link:

https://www.unpac.me/results/f81da7f9-9604-4d48-a004-19c8ca95482e/

Malware family:

GoInjector

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6be4baff2503/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.14

Link:

https://yomi.yoroi.company/submissions/6be4baff25038f2556b225aa99f0cab4638b99f87e9999ef223e11c96615542a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	TeslaCryptPackedMalware Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 6be4baff25038f2556b225aa99f0cab4638b99f87e9999ef223e11c96615542a

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3683563/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/33700/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample