MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a00568b5157cc8ffad2d3cab029da7e93453ed806cfbbd23738402739dba703. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8a00568b5157cc8ffad2d3cab029da7e93453ed806cfbbd23738402739dba703
SHA3-384 hash: 6f3355c54a8cb539364f7a5e3cd1a6b0552d12d0082aa3525d82619e66c3ca910cb804606080f26713afc7a7c061074a
SHA1 hash: e0c95fa71809c8e9d2aeeb3f49afd06b16d006d0
MD5 hash: cf5795934c458278611af9b94f0f7d39
humanhash: batman-aspen-mockingbird-cup
File name:cf5795934c458278611af9b94f0f7d39.exe
Download: download sample
File size:563'712 bytes
First seen:2025-05-23 15:50:43 UTC
Last seen:2025-05-26 01:42:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:UZO1j18K7gKftRzsNAfGBzg+3zBYO5gpR1KGXq4kSd0FoOT:n8K7gKfYu4zgAzSOm1Kk7d0Fo
TLSH T1FEC423AF63490120D0580BBF6961F281BCF930E31D6B6B6778BE4D4B4435B12E2EE657
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
435
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
random.exe
Verdict:
Malicious activity
Analysis date:
2025-05-22 08:13:37 UTC
Tags:
lumma stealer themida loader amadey botnet auto gcleaner arch-exec auto-sch telegram rdp evasion generic netreactor purehvnc miner
Link:
https://app.any.run/tasks/d84f31e7-94cd-4eb9-98b1-db474b8ff8e8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.3332.29232.9701.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68309ab844c3881e854c705d
Tags:
dropper virus msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
base64 net_reactor obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/68309980e336a33801dd4eb3/reports/8a1e3806-f404-4242-939c-8244bc44de4b/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/8a00568b5157cc8ffad2d3cab029da7e93453ed806cfbbd23738402739dba703
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/38211bf3-8e42-4d2c-b1fa-db38409a6905
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1698056
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses threadpools to delay analysis
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8a00568b5157cc8ffad2d3cab029da7e93453ed806cfbbd23738402739dba703
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8a00568b5157cc8ffad2d3cab029da7e93453ed806cfbbd23738402739dba703/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-05-22 09:16:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
27 of 37 (72.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=riafnc2rk7gi76ws2pflako2p2jukpwya3h3xurxhbacooo3u4bq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection discovery execution persistence spyware stealer
Link:
https://tria.ge/reports/250523-tapjrafk4w/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Accesses Microsoft Outlook profiles
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/bb3a85df-7ca6-459f-98cd-6b3342854887
Unpacked files
SH256 hash:
8a00568b5157cc8ffad2d3cab029da7e93453ed806cfbbd23738402739dba703
MD5 hash:
cf5795934c458278611af9b94f0f7d39
SHA1 hash:
e0c95fa71809c8e9d2aeeb3f49afd06b16d006d0
Link:
https://www.unpac.me/results/e82d0afe-a630-4ccc-8712-baaa955ab3da/
SH256 hash:
0a5b62475f22d34cd3bdaa527fca280044d3598dddf70e7b8815b7488ad2ec36
MD5 hash:
48b45be81a98478c7f395757d6eb5b17
SHA1 hash:
2aa0e0a52d9710aa3e0241c226bb70edd2373d83
Link:
https://www.unpac.me/results/e82d0afe-a630-4ccc-8712-baaa955ab3da/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8a00568b5157/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8a00568b5157cc8ffad2d3cab029da7e93453ed806cfbbd23738402739dba703

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 8a00568b5157cc8ffad2d3cab029da7e93453ed806cfbbd23738402739dba703

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3550905/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3550906/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments