MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0eabc8450dbb16ad25e3c54327e63404916fa66d2f1d4e5cfcca44962f59c19. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a0eabc8450dbb16ad25e3c54327e63404916fa66d2f1d4e5cfcca44962f59c19
SHA3-384 hash: c6f30d6603858efc23bd1d02d22cbd9fd198e2452ac760117430d6e106f86809f839078a4e413d049ed3150b74a38605
SHA1 hash: 6a3ff72c508fd988b8e4bf8e0ce702875e66c9a6
MD5 hash: e01385a5a35922814336b6c1d1288a2b
humanhash: carpet-minnesota-speaker-yankee
File name:file
Download: download sample
File size:151'552 bytes
First seen:2025-12-24 12:29:55 UTC
Last seen:2025-12-24 14:18:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 71 x LummaStealer, 62 x Rhadamanthys)
ssdeep 1536:Lrae78zjORCDGwfdCSog01313ps5gvhJh5tXBT9Y0wDHh:hahKyd2n3125q96Hh
Threatray 45 similar samples on MalwareBazaar
TLSH T175E3FA2677E4A0B6D4B6137889F6825396317CA15F7692FF3284B3BD1E326C1A431B07
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10522/11/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe fbf543


Avatar
Bitsight
url: http://178.16.55.189/files/5209749284/0kanweO.exe

Intelligence

File Origin
# of uploads :
5
# of downloads :
106
Origin country :
US US
Vendor Threat Intelligence
Malware configuration found for:
Archives
Details
Archives
an extracted Cabinet archive from the resources and SFX parameters
Link:
https://research.acce.ciphertechsolutions.com/results/d1823d17-1967-47e7-833c-b881afa7dedd/
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2025-12-24 12:32:29 UTC
Tags:
loader reverseloader ta558 apt payload stegocampaign stego auto-startup rat stealer netreactor purehvnc
Link:
https://app.any.run/tasks/df1ff27b-64bf-4f9d-8f65-b86f07472a45

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/45974/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=694bdcdc01c7b4a8fe5549c0
Tags:
autorun dropper shell sage
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context CAB cmd installer installer lolbin microsoft_visual_cc rundll32 runonce sfx
Link:
https://www.filescan.io/uploads/694bdce1e126b9ff438fe11e/reports/86fb752e-3ef7-4bd0-9490-cf3b980d1d0a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/a0eabc8450dbb16ad25e3c54327e63404916fa66d2f1d4e5cfcca44962f59c19
Result
Gathering data
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/702ab5b8-4345-4245-88e1-23491e9ada58
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a0eabc8450dbb16ad25e3c54327e63404916fa66d2f1d4e5cfcca44962f59c19
Verdict:
Malware
YARA:
5 match(es)
Tags:
CAB:COMPRESSION:LZX DeObfuscated Executable Obfuscated PDB Path PE (Portable Executable) PE File Layout T1059.005 VBScript Win 64 Exe WScript.Network WScript.Shell x64
Link:
https://app.malva.re/file/e01385a5a35922814336b6c1d1288a2b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a0eabc8450dbb16ad25e3c54327e63404916fa66d2f1d4e5cfcca44962f59c19/
Verdict:
Malicious
Threat:
Trojan-Downloader.PowerShell.Cryptoload
Link:
https://tip.neiki.dev/file/a0eabc8450dbb16ad25e3c54327e63404916fa66d2f1d4e5cfcca44962f59c19
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-12-24 12:30:27 UTC
File Type:
PE+ (Exe)
Extracted files:
70
AV detection:
7 of 36 (19.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=udvlzbcq3oywvus6hrkde7tdibern6tg2ly5jzopzssesyxvtqmq._file
Verdict:
malicious
Label(s):
unc_loader_078
Create hunting rule
Similar samples:
29dcff0435e1179090af0ae8d13a91fcdc8779c5a440f1453a61e95ee950fafe
608ef5c488fed74516e7f17ce719f82b94e5b02df108073d33e95dccfd696fb1
83d03bb3a702b99487b1fe75725470eefac8e16cdf2bd2da496d28c21b9b50c3
9c2a2efdab4195801905c2f9224099f9a017075e773c9660e56bed3fad08b23e
a1bf167dae2f46de07fe5f969368e8cd3c7a6a83a72ec7b54b27d252e9aaec37
e60864eafd3391c5a678067089a399c939839d272b2258f77a9879c57aa6a0a5
error
+ 35 additional samples on MalwareBazaar
Gathering data
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c3244c2f-db7b-4a90-afd4-323898a010c0
Unpacked files
SH256 hash:
a0eabc8450dbb16ad25e3c54327e63404916fa66d2f1d4e5cfcca44962f59c19
MD5 hash:
e01385a5a35922814336b6c1d1288a2b
SHA1 hash:
6a3ff72c508fd988b8e4bf8e0ce702875e66c9a6
Link:
https://www.unpac.me/results/0d5c92d3-54be-438b-b4a0-943f3ddc89d6/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a0eabc8450db/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a0eabc8450dbb16ad25e3c54327e63404916fa66d2f1d4e5cfcca44962f59c19

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe a0eabc8450dbb16ad25e3c54327e63404916fa66d2f1d4e5cfcca44962f59c19

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/45974/
  
URLhaus
https://urlhaus.abuse.ch/url/3742282/

Comments