MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 933a5d0fe7955664379d95f22b5e32353f7bbce311879b4a138b951ad5fbc9c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 15

Intelligence 15 IOCs YARA 1 File information Comments

SHA256 hash:	933a5d0fe7955664379d95f22b5e32353f7bbce311879b4a138b951ad5fbc9c1
SHA3-384 hash:	3cf61c4050dd31a5dcde08303d9cd14a03ec0f08cf9305c3c1793a0b7352575c72a53eb517e28dea62b9e6d15632889d
SHA1 hash:	217ed0d146809ebd181b396f805239775395f9e5
MD5 hash:	963d9bf94d8495bd2b4b5816d763031f
humanhash:	robin-salami-helium-delaware
File name:	file
Download:	download sample
File size:	6'939'136 bytes
First seen:	2026-01-08 17:19:16 UTC
Last seen:	2026-01-08 17:20:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep	98304:k73Ey73Ln+pRJcJRLfxa7iR3OF5UP5iKptf2d990c9l++K15ksIlmZzI0Nx7NPLf:k73l/+M7a4elKX2d/N++K15ksIkjV
TLSH	T1706633A396EC5035E5F5B7B099F64B132A393C4105454EFB0958B857AC33C12FB23BA9
TrID	37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 12.7% (.EXE) Win64 Executable (generic) (10522/11/4) 7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey exe fbf543

Bitsight

url: https://delibindas.top/TheoreticalBoolean.exe

Intelligence

File Origin

# of uploads :

# of downloads :

129

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

Archives AutoIt

Details

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Launching a process

Creating a process with a hidden window

Running batch commands

Launching cmd.exe command interpreter

Creating a process from a recently created file

Creating a window

DNS request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

adaptive-context autoit CAB expand explorer installer installer installer-heuristic lolbin microsoft_visual_cc packed rundll32 runonce sc sfx

Link:

https://www.filescan.io/uploads/695fe72107ef5fa68e8188d9/reports/25cc2d96-6fc0-4a15-b35f-b51436cb2624/overview

Verdict:

Suspicious

Labled as:

Malware_

Link:

https://www.hybrid-analysis.com/sample/933a5d0fe7955664379d95f22b5e32353f7bbce311879b4a138b951ad5fbc9c1

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-01-08T14:26:00Z UTC

Last seen:

2026-01-09T10:45:00Z UTC

Hits:

~10

Detections:

Backdoor.Win32.Agent.myxcnv Backdoor.Agent.UDP.C&C

Link:

https://opentip.kaspersky.com/933a5d0fe7955664379d95f22b5e32353f7bbce311879b4a138b951ad5fbc9c1/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/f1fc44f6-a897-4417-8553-69b3cda5bf32

Score:

90%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/933a5d0fe7955664379d95f22b5e32353f7bbce311879b4a138b951ad5fbc9c1

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/933a5d0fe7955664379d95f22b5e32353f7bbce311879b4a138b951ad5fbc9c1/

Verdict:

Malicious

Threat:

Family.WALLSTEALER

Link:

https://tip.neiki.dev/file/933a5d0fe7955664379d95f22b5e32353f7bbce311879b4a138b951ad5fbc9c1

Threat name:

Win32.Trojan.Egairtigado

Status:

Malicious

First seen:

2026-01-08 17:19:35 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

9 of 24 (37.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=sm5f2d7hsvlgin45sxzcwxrsgu7xxphdcgdzwsqtrokrvvp3zhaq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery persistence

Link:

https://tria.ge/reports/260108-vv34bacz3e/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Launches sc.exe

Adds Run key to start application

Looks up external IP address via web service

Executes dropped EXE

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/4ec54c76-fe13-43fe-a3fe-ce48abaa468b

Unpacked files

SH256 hash:

933a5d0fe7955664379d95f22b5e32353f7bbce311879b4a138b951ad5fbc9c1

MD5 hash:

963d9bf94d8495bd2b4b5816d763031f

SHA1 hash:

217ed0d146809ebd181b396f805239775395f9e5

Link:

https://www.unpac.me/results/b6b9eafe-c7f4-4bd0-b8e2-a728d82b9807/

Malware family:

CypherIt

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/933a5d0fe795/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/933a5d0fe7955664379d95f22b5e32353f7bbce311879b4a138b951ad5fbc9c1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	detect_Redline_Stealer Create hunting rule
Author:	Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 933a5d0fe7955664379d95f22b5e32353f7bbce311879b4a138b951ad5fbc9c1

(this sample)

Dropped by

Amadey

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3753527/

Cape

https://www.capesandbox.com/analysis/48206/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample