MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 924c0c5ec0abae51e9a3d42dfaed4ad6aab0bfaee85563bb5144c3bdc4ae1c6c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 13

Intelligence 13 IOCs YARA 27 File information Comments

SHA256 hash:	924c0c5ec0abae51e9a3d42dfaed4ad6aab0bfaee85563bb5144c3bdc4ae1c6c
SHA3-384 hash:	54411eda3784f4127016742df7b903d260dca4ad7afa3174f81090f4a17749781fc28f87815c92083966962bf7d55777
SHA1 hash:	6338aaa133a97bed77b35b98973e318e0f68b349
MD5 hash:	91fc722b2802baa21de11ca6060077f9
humanhash:	blue-east-jupiter-kilo
File name:	file
Download:	download sample
Signature	Vidar Create hunting rule
File size:	4'139'136 bytes
First seen:	2025-10-21 04:02:53 UTC
Last seen:	2025-10-24 07:20:53 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	d42595b695fc008ef2c56aabd8efd68e (92 x Rhadamanthys, 69 x Vidar, 41 x LummaStealer)
ssdeep	49152:0Jdmi/Gdt0efuCsOXdFpjqI6rWLLP1pzRdHnPypZPYFhYV/SmUgmG8wQEFGJm+V:0NwePahYF7mAF4V
TLSH	T15B167C136C904A9CC4BEE27BA4A3918277BE7D904B3336D32B40B27D2E776C425B5749
TrID	44.4% (.EXE) Win64 Executable (generic) (10522/11/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey exe vidar

Bitsight

url: http://178.16.55.189/files/6231240258/XnMxR27.exe

Intelligence

File Origin

# of uploads :

# of downloads :

195

Origin country :

Vendor Threat Intelligence

Malware family:

amadey

ID:

File name:

250925-dnhqcs1rx9_pw_infected.zip

Verdict:

Malicious activity

Analysis date:

2025-10-20 21:17:35 UTC

Tags:

arch-exec amadey auto redline stealer lumma botnet unlocker-eject tool loader socks5systemz proxybot stealc vidar gcleaner generic evasion autoit anti-evasion screenconnect rmm-tool remote rdp fuery phishing arch-doc upx rust xworm salatstealer miner ms-smartcard github winring0-sys vuln-driver

Link:

https://app.any.run/tasks/e74cd72d-39c0-4a65-a9ab-67fb2fdf7060

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/33549/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68f705f83edd081eba403e06

Tags:

emotet cobalt

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Behavior that indicates a threat

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

golang invalid-signature obfuscated signed threat

Link:

https://www.filescan.io/uploads/68f7061d3a79800405ed79a4/reports/29ffc0df-c8a6-4bcb-bec5-89ba561631f7/overview

Verdict:

Malicious

Labled as:

WinGo/Kryptik_AGeneric.H trojan

Link:

https://www.hybrid-analysis.com/sample/924c0c5ec0abae51e9a3d42dfaed4ad6aab0bfaee85563bb5144c3bdc4ae1c6c

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-10-20T17:31:00Z UTC

Last seen:

2025-10-22T15:13:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan.Win64.Generic

Link:

https://opentip.kaspersky.com/924c0c5ec0abae51e9a3d42dfaed4ad6aab0bfaee85563bb5144c3bdc4ae1c6c/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/ce3c3615-719c-4737-8ecd-d9a4432f355e

Score:

31%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/924c0c5ec0abae51e9a3d42dfaed4ad6aab0bfaee85563bb5144c3bdc4ae1c6c

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/91fc722b2802baa21de11ca6060077f9

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/924c0c5ec0abae51e9a3d42dfaed4ad6aab0bfaee85563bb5144c3bdc4ae1c6c/

Verdict:

Susipicious

Link:

https://tip.neiki.dev/file/924c0c5ec0abae51e9a3d42dfaed4ad6aab0bfaee85563bb5144c3bdc4ae1c6c

Threat name:

Win64.Trojan.Amadey

Status:

Malicious

First seen:

2025-10-21 00:05:10 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

19 of 38 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=sjgayxwavoxfd2nd2qw7v3kk22vlbp5o5bkwho2ritb33rfodrwa._file

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/251021-empyqa1mhm/

Unpacked files

SH256 hash:

924c0c5ec0abae51e9a3d42dfaed4ad6aab0bfaee85563bb5144c3bdc4ae1c6c

MD5 hash:

91fc722b2802baa21de11ca6060077f9

SHA1 hash:

6338aaa133a97bed77b35b98973e318e0f68b349

Link:

https://www.unpac.me/results/80eda18a-59e7-4c98-94d3-cb69b23fe7ee/

Malware family:

Vidar

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/924c0c5ec0ab/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/924c0c5ec0abae51e9a3d42dfaed4ad6aab0bfaee85563bb5144c3bdc4ae1c6c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_Debugger Create hunting rule

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__RemoteAPI Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectGoMethodSignatures Create hunting rule
Author:	Wyatt Tauber
Description:	Detects Go method signatures in unpacked Go binaries

Rule name:	Detect_Go_GOMAXPROCS Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	Golangmalware Create hunting rule
Author:	Dhanunjaya
Description:	Malware in Golang

Rule name:	golang_binary_string Create hunting rule
Description:	Golang strings present

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	golang_duffcopy_amd64 Create hunting rule

Rule name:	HiveRansomware Create hunting rule
Author:	Dhanunjaya
Description:	Yara Rule To Detect Hive V4 Ransomware

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	ProgramLanguage_Golang Create hunting rule
Author:	albertzsigovits
Description:	Application written in Golang programming language

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SUSP_XORed_URL_In_EXE Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834