MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d5b5d2cd80e13dbdc4c6c4c5f3809e624a0cb40e8cece90111e7931bfc08448. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 13

Intelligence 13 IOCs YARA 4 File information Comments

SHA256 hash:	8d5b5d2cd80e13dbdc4c6c4c5f3809e624a0cb40e8cece90111e7931bfc08448
SHA3-384 hash:	c89e4b21a13b70d24f84c1a0146aad60644bfc877a62eb27fcb9f733ba2da4798e9b9cfc114626420fff63489bebde3a
SHA1 hash:	f4dcecb49899e85d3f44d887d4a8b97ed9a65df7
MD5 hash:	63de6874e298e17b5ddd87351e2ad843
humanhash:	river-east-lemon-white
File name:	file
Download:	download sample
File size:	85'504 bytes
First seen:	2026-01-02 19:38:22 UTC
Last seen:	2026-01-17 01:06:36 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	3326b0ed8ca5d20f5013f8b3c04e7744 (2 x SVCStealer, 1 x XWorm)
ssdeep	1536:z148CrfdXNM840VhyGzirik7okuAhoB2y:z1zmM92yrCksB2y
TLSH	T150835901F250C035F0F700FACBB54B7A5EA9AF11536890DB57D855EAAB31AC1BA3235B
TrID	56.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 11.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 9.0% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.1% (.EXE) Win32 Executable (generic) (4504/4/1) 3.7% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	Bitsight
Tags:	b80777 dropped-by-amadey exe

Bitsight

url: http://196.251.107.23/vz.exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

ssd.exe

Verdict:

Suspicious activity

Analysis date:

2026-01-02 19:35:33 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c1da1b29-52fe-4d12-b839-1a5aad01ff33

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/46913/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69581ee2e148d42004de921b

Tags:

obfuscator autorun virus sage

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 lolbin microsoft_visual_cc packed schtasks

Link:

https://www.filescan.io/uploads/69581ee12fb7bb52ca853983/reports/0b2f5d37-887e-4304-92c3-e4d01efb7f7a/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/8d5b5d2cd80e13dbdc4c6c4c5f3809e624a0cb40e8cece90111e7931bfc08448

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-01-02T16:49:00Z UTC

Last seen:

2026-01-04T17:20:00Z UTC

Hits:

~100

Detections:

Trojan-Downloader.Win32.Bazloader.hu Trojan-Downloader.Bazloader.HTTP.C&C PDM:Trojan.Win32.Tasker.cust PDM:Trojan.Win32.Generic PDM:Exploit.Win32.Generic Trojan.Win64.Agent.sb Trojan-Banker.Win32.ClipBanker.sb Trojan.Win32.Inject.sb Trojan.Win32.Agent.sb

Link:

https://opentip.kaspersky.com/8d5b5d2cd80e13dbdc4c6c4c5f3809e624a0cb40e8cece90111e7931bfc08448/results?tab=lookup

Malware family:

APT10

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f914cacf-6922-422d-b8b5-93ac6a33732f

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/8d5b5d2cd80e13dbdc4c6c4c5f3809e624a0cb40e8cece90111e7931bfc08448

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/63de6874e298e17b5ddd87351e2ad843

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8d5b5d2cd80e13dbdc4c6c4c5f3809e624a0cb40e8cece90111e7931bfc08448/

Verdict:

Malicious

Threat:

Trojan.Win32.Inject

Link:

https://tip.neiki.dev/file/8d5b5d2cd80e13dbdc4c6c4c5f3809e624a0cb40e8cece90111e7931bfc08448

Threat name:

Win32.Trojan.ExplorerHijack

Status:

Malicious

First seen:

2026-01-02 19:39:15 UTC

File Type:

PE (Exe)

AV detection:

27 of 37 (72.97%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rvnv2lgybyj5xxcmnrgf6oaj4yskbs2a5dhm5eardz4tdp6aqrea._file

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery execution persistence

Link:

https://tria.ge/reports/260106-k8emrsyqdy/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Executes dropped EXE

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/a82fab0b-9dc9-4ff4-af38-4cac33a97c88

Unpacked files

SH256 hash:

8d5b5d2cd80e13dbdc4c6c4c5f3809e624a0cb40e8cece90111e7931bfc08448

MD5 hash:

63de6874e298e17b5ddd87351e2ad843

SHA1 hash:

f4dcecb49899e85d3f44d887d4a8b97ed9a65df7

Link:

https://www.unpac.me/results/f1ba381b-5711-42c8-9058-b40be1ea40ad/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/8d5b5d2cd80e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8d5b5d2cd80e13dbdc4c6c4c5f3809e624a0cb40e8cece90111e7931bfc08448

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 8d5b5d2cd80e13dbdc4c6c4c5f3809e624a0cb40e8cece90111e7931bfc08448

(this sample)

Dropped by

Amadey

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3749260/

Cape

https://www.capesandbox.com/analysis/46913/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample