MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c0d7aefababf691ddb1e9a932679470c95223cee339fdf2d65ec28964dd38a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Fuery


Vendor detections: 15


Intelligence 15 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9c0d7aefababf691ddb1e9a932679470c95223cee339fdf2d65ec28964dd38a2
SHA3-384 hash: 94155e2d843ad22c8b5f2e1ca22230870879041e121b1353daa113765298c940265a2e0546fed2c70c8acaa385c8d919
SHA1 hash: 21d46ff27b0e9ac6c3910b091e6529eb335ece0c
MD5 hash: 9920bcf33cfa8118680e801c248c8bb9
humanhash: india-nitrogen-oklahoma-timing
File name:file
Download: download sample
Signature Fuery
Create hunting rule
File size:749'568 bytes
First seen:2025-09-20 04:01:50 UTC
Last seen:2025-09-22 04:01:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:N0Mg1UyAbaETkKCquvx3LW4sob1liARqeROoguvRHcP2Ynw7VIso:N0Mv1baETsqulfliAYEM2qwiso
Threatray 1'161 similar samples on MalwareBazaar
TLSH T198F4F15523AAEA01E5F65FF40871D3700BB57E9DB922D3060EEAACEF7835B405921393
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe Fuery


Avatar
Bitsight
url: http://178.16.54.200/files/8233900432/XaUfT3G.exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
75
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
random.exe
Verdict:
Malicious activity
Analysis date:
2025-09-19 14:11:16 UTC
Tags:
lumma stealer amadey botnet unlocker-eject tool themida loader arch-exec auto telegram auto-reg gcleaner auto-startup miner rdp vidar coinminer stealc susp-powershell upx salatstealer golang ms-smartcard github anti-evasion winring0-sys vuln-driver
Link:
https://app.any.run/tasks/95a5a7cd-d2f8-49b4-8b4a-1129accc3ba2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/28410/
Verdict:
Clean
Score:
89.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68ce2766246a2631bd317020
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Connection attempt
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/68ce2771254431b688d64d93/reports/7d689828-dc2c-47e5-b381-b52d1cbcd54c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/9c0d7aefababf691ddb1e9a932679470c95223cee339fdf2d65ec28964dd38a2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-19T10:57:00Z UTC
Last seen:
2025-09-19T10:57:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/9c0d7aefababf691ddb1e9a932679470c95223cee339fdf2d65ec28964dd38a2/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cad5e35f-2055-4292-a358-2fb8e7b1f1a8
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9c0d7aefababf691ddb1e9a932679470c95223cee339fdf2d65ec28964dd38a2
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.42 Win 32 Exe x86
Link:
https://app.malva.re/file/9920bcf33cfa8118680e801c248c8bb9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9c0d7aefababf691ddb1e9a932679470c95223cee339fdf2d65ec28964dd38a2/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2025-09-19 14:50:40 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tqgxv35lvp3jdxnr5gutez4uodevei6o4m4734wwl3biszg5hcra._file
Verdict:
malicious
Label(s):
cryptinfinite
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
222472758402b62d15b12987ba1f0564b57131ecac2c3aff09c58533b9381b0a
Fuery
4b6dcc799cd2d6c6b6ddcef43e8e29bf6fa4ddd676959bd713f093b7143c0b8b
Fuery
8f217d94322c29d45433f6a4d59fb09d2876a2b09bee3097b0047b7522a5df74
Fuery
e5736df87221b67a2e2a614374e1d6353043b95e08448ea9260e103ab18a5c8d
Fuery
+ 1'151 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/250920-ema5kacn8v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6ffd150e-0421-46f4-ba0b-8b1e6a5dd161
Unpacked files
SH256 hash:
9c0d7aefababf691ddb1e9a932679470c95223cee339fdf2d65ec28964dd38a2
MD5 hash:
9920bcf33cfa8118680e801c248c8bb9
SHA1 hash:
21d46ff27b0e9ac6c3910b091e6529eb335ece0c
Link:
https://www.unpac.me/results/767c8f3f-6e93-4750-996c-0163d9891447/
SH256 hash:
1041b538ccbc7d66e59247ef7551cde9b6c282843541585e9190a8e2e3943b12
MD5 hash:
e870d1e8f3791ccc141f85f40fd2972b
SHA1 hash:
150919ee289cffa6feb40ab8261f620dd7e26aac
Link:
https://www.unpac.me/results/767c8f3f-6e93-4750-996c-0163d9891447/
SH256 hash:
b40bae4cc7d016b93f1c06939855bd8110398d63fc97d280a62b3273952ca915
MD5 hash:
3c3a9eafdd151df63e49b448950bbacc
SHA1 hash:
497e7f86bfb0c5682b7f5e1260492a50af87996b
Link:
https://www.unpac.me/results/767c8f3f-6e93-4750-996c-0163d9891447/
SH256 hash:
87686bb93f636888b1bdb6645107e53db6cb33e09a8e11c3f7318bab7b44ef15
MD5 hash:
2414785bac1a55c75bfb28b161778b28
SHA1 hash:
8e234b1198be5d689a15b71c71170bd9aac33dd5
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/767c8f3f-6e93-4750-996c-0163d9891447/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9c0d7aefababf691ddb1e9a932679470c95223cee339fdf2d65ec28964dd38a2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Fuery

Executable exe 9c0d7aefababf691ddb1e9a932679470c95223cee339fdf2d65ec28964dd38a2

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3625187/
Cape
Cape
https://www.capesandbox.com/analysis/28410/

Comments