MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1bf167dae2f46de07fe5f969368e8cd3c7a6a83a72ec7b54b27d252e9aaec37. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 17

Intelligence 17 IOCs YARA 5 File information Comments

SHA256 hash:	a1bf167dae2f46de07fe5f969368e8cd3c7a6a83a72ec7b54b27d252e9aaec37
SHA3-384 hash:	5490a63d1399a0a02a17cdeac2a2c687d7cc41e2fea96fc57b2d7d200daafa21df21ab9819ea1ecd59733605600d8bb5
SHA1 hash:	0c2864835fd8a5d9155ed475edbf59d8fe7b64c9
MD5 hash:	2a7d9e076c1760833e1af817a8052cf7
humanhash:	juliet-video-glucose-lactose
File name:	file
Download:	download sample
File size:	678'912 bytes
First seen:	2025-12-04 00:21:39 UTC
Last seen:	2025-12-04 02:32:06 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	4cea7ae85c87ddc7295d39ff9cda31d1 (103 x LummaStealer, 85 x RedLineStealer, 62 x Rhadamanthys)
ssdeep	6144:YahOhKe5v0bURyWKV0VC3QZd05Pp9HfZu5PIImWyJyw:YijNbURpKVuC3SdgpRBuuW4yw
Threatray	2'757 similar samples on MalwareBazaar
TLSH	T103E42940B689DEA9E9160230886AD2F31915BCB9D751214F39D8BF3FFA73748101DE6B
TrID	41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 26.1% (.EXE) Win64 Executable (generic) (10522/11/4) 12.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.1% (.ICL) Windows Icons Library (generic) (2059/9) 5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
dhash icon	f0c4824ccecef4f8 (9 x AsyncRAT, 5 x XWorm, 4 x MetaStealer)
Reporter	Bitsight
Tags:	dropped-by-amadey exe fbf543

Bitsight

url: http://178.16.55.189/files/454503574/V7LjqKy.exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

Details

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% subdirectories

Running batch commands

Creating a process with a hidden window

Creating a process from a recently created file

Launching a process

Сreating synchronization primitives

DNS request

Connection attempt

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Connection attempt to an infection source

Enabling autorun by creating a file

Sending an HTTP GET request to an infection source

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context cmd installer installer installer-heuristic lolbin microsoft_visual_cc rundll32 runonce sfx unsafe

Link:

https://www.filescan.io/uploads/6930d437ff25e40750d2a5ee/reports/fa339c4d-f43c-4e49-b7fc-f7c4cf0b0d84/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/a1bf167dae2f46de07fe5f969368e8cd3c7a6a83a72ec7b54b27d252e9aaec37

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-12-03T21:50:00Z UTC

Last seen:

2025-12-04T01:20:00Z UTC

Hits:

~100

Detections:

Trojan.VBS.SAgent.sb PDM:Trojan.Win32.Generic HEUR:Trojan.Script.Startup.gen HEUR:Trojan.Script.Generic VHO:Trojan-Downloader.Win32.Convagent.gen Trojan-Downloader.SLoad.TCP.ServerRequest Trojan.Agentb.TCP.C&C Trojan-Downloader.PowerShell.NanoShield.sb Trojan-Downloader.JS.Cryptoload.sb Trojan.MSIL.Agentc.a Trojan.JS.SAgent.sb HEUR:Trojan.Multi.Stego.gen

Link:

https://opentip.kaspersky.com/a1bf167dae2f46de07fe5f969368e8cd3c7a6a83a72ec7b54b27d252e9aaec37/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/ac3b2144-3a3a-4c16-8b29-8e0e1336ba64

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/a1bf167dae2f46de07fe5f969368e8cd3c7a6a83a72ec7b54b27d252e9aaec37

Verdict:

Malware

YARA:

5 match(es)

Tags:

CAB:COMPRESSION:LZX DeObfuscated Executable Obfuscated PDB Path PE (Portable Executable) PE File Layout Scripting.FileSystemObject T1059.005 VBScript Win 64 Exe WScript.Network WScript.Shell x64

Link:

https://app.malva.re/file/2a7d9e076c1760833e1af817a8052cf7

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a1bf167dae2f46de07fe5f969368e8cd3c7a6a83a72ec7b54b27d252e9aaec37/

Verdict:

Malicious

Threat:

Family.ZGRAT

Link:

https://tip.neiki.dev/file/a1bf167dae2f46de07fe5f969368e8cd3c7a6a83a72ec7b54b27d252e9aaec37

Threat name:

Win64.Trojan.Egairtigado

Status:

Malicious

First seen:

2025-12-04 00:22:19 UTC

File Type:

PE+ (Exe)

Extracted files:

237

AV detection:

16 of 24 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ug7rm7nof5dn4b76l6ljg2hizu6hu2udu4xmpnkle7jff2nk5q3q._file

Verdict:

malicious

Label(s):

unc_loader_078

0faf7067e45c2a3289cc58532cc1e31c976d84ea943bbe613f7c95bbc7d715f6

10f9ffb34e6972429a1208cf6e23b0e27953b6c1738e84f614233a3990a2cbfe

55cb8cda5e4adbe6f2c9d3f85ca302636e558591f0436a0b0c394ad40123fb5e

81722dbf0c06cec0d305b28e7df8ac667b929d9a93789e7f2dd77ae8d32f0cfe

c5b354aaab3d4ea94aeabe412b09b9b9ec6ce0a76462cab89eeb27539bef00e9

error

f2798987ff79bfd4a9cf2b5877ae520d4ed823912f5338e9bf3c4735c70859e2

fc419e370bb65df9e49a1607f646c597b0ea31ad578303b6b18de515398dd960

+ 2'747 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

defense_evasion discovery execution persistence spyware stealer

Link:

https://tria.ge/reports/251204-an2axswqbp/

Behaviour

Kills process with taskkill

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Adds Run key to start application

Checks computer location settings

Drops startup file

Reads user/profile data of web browsers

Badlisted process makes network request

Command and Scripting Interpreter: PowerShell

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/9acd9e32-9caa-463f-91e7-c5493cef1091

Unpacked files

SH256 hash:

a1bf167dae2f46de07fe5f969368e8cd3c7a6a83a72ec7b54b27d252e9aaec37

MD5 hash:

2a7d9e076c1760833e1af817a8052cf7

SHA1 hash:

0c2864835fd8a5d9155ed475edbf59d8fe7b64c9

Link:

https://www.unpac.me/results/f1b9a4e8-5803-4ccd-bbf9-0b1acff9b770/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a1bf167dae2f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a1bf167dae2f46de07fe5f969368e8cd3c7a6a83a72ec7b54b27d252e9aaec37

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	detect_Redline_Stealer Create hunting rule
Author:	Varp0s

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe a1bf167dae2f46de07fe5f969368e8cd3c7a6a83a72ec7b54b27d252e9aaec37

(this sample)

Dropped by

Amadey

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/42388/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample