MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf53d5ac3f7a343bc32e55ac819d3f91aaba5b98ba0932da5c691c5aa8cbd91a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 16

Intelligence 16 IOCs YARA 3 File information Comments

SHA256 hash:	bf53d5ac3f7a343bc32e55ac819d3f91aaba5b98ba0932da5c691c5aa8cbd91a
SHA3-384 hash:	41b84af7b21f2884397f29436d8f43cc959dae4af8f9d228a8c38e1c6e230e9ffb346547425c1fefc13f49fca3085779
SHA1 hash:	db06d2003e072fc655bd32dce52f13a63c667d87
MD5 hash:	64c77473e035e19869ea574c5ee7866c
humanhash:	three-oranges-mexico-stairway
File name:	file
Download:	download sample
File size:	859'648 bytes
First seen:	2025-10-13 04:02:32 UTC
Last seen:	2025-10-13 04:08:52 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	fe0fb677ca3eed35ee7b177f8baab8bd (4 x Rhadamanthys, 1 x MaskGramStealer)
ssdeep	12288:sbOjMmgCx6m0Dvni28wXujHVTZ47bEWQfVknWM6nhKdSRfieE3x0lhBpHWSszere:sbKM+TbZVN9WAVoWbAeEhMpHeg7C
Threatray	714 similar samples on MalwareBazaar
TLSH	T11F05120572E580E7D5A782B48D911741F172B8219B306FEF03B08327EF666D4AD2F76A
TrID	63.5% (.EXE) Win64 Executable (generic) (10522/11/4) 12.2% (.EXE) OS/2 Executable (generic) (2029/13) 12.0% (.EXE) Generic Win/DOS Executable (2002/3) 12.0% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey exe

Bitsight

url: http://178.16.55.189/files/473316886/F8YSB8L.exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

amadey

ID:

File name:

_65b8ad8462153cc12ae882c205fcb7908b1ced49beb79b171711db2917e35589.exe

Verdict:

Malicious activity

Analysis date:

2025-10-12 18:16:16 UTC

Tags:

auto amadey botnet lumma stealer redline unlocker-eject tool auto-sch loader arch-exec rdp evasion rustystealer telegram auto-startup gcleaner autoit anti-evasion rhadamanthys pastebin miner stealc vidar ms-smartcard generic phishing github winring0-sys vuln-driver qrcode ultravnc rmm-tool silentcryptominer

Link:

https://app.any.run/tasks/be0f376d-63cd-4987-b0bf-e6b85ae959fe

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/32497/

Detection(s):

no reply from clamd

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68ec79e4f2ca2f143e41e2bb

Tags:

cobalt spoof

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

microsoft_visual_cc obfuscated packed packed packer_detected

Link:

https://www.filescan.io/uploads/68ec79e871883144ef3379da/reports/cc68cce3-f8ce-4b98-bd80-6768f0ceebca/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/bf53d5ac3f7a343bc32e55ac819d3f91aaba5b98ba0932da5c691c5aa8cbd91a

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-10-12T15:15:00Z UTC

Last seen:

2025-10-14T11:10:00Z UTC

Hits:

~10

Detections:

Trojan-PSW.Win32.Crypt.sz Trojan.Win64.SBEscape.sb Trojan.Win32.Crypt.sb

Link:

https://opentip.kaspersky.com/bf53d5ac3f7a343bc32e55ac819d3f91aaba5b98ba0932da5c691c5aa8cbd91a/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/eba63048-f87f-4181-b6c4-b668927a2cf9

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/bf53d5ac3f7a343bc32e55ac819d3f91aaba5b98ba0932da5c691c5aa8cbd91a

Verdict:

inconclusive

YARA:

3 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/64c77473e035e19869ea574c5ee7866c

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bf53d5ac3f7a343bc32e55ac819d3f91aaba5b98ba0932da5c691c5aa8cbd91a/

Verdict:

Malicious

Threat:

Family.LUMMA

Link:

https://tip.neiki.dev/file/bf53d5ac3f7a343bc32e55ac819d3f91aaba5b98ba0932da5c691c5aa8cbd91a

Threat name:

Win64.Trojan.RadThief

Status:

Malicious

First seen:

2025-10-12 18:46:15 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=x5j5llb7pi2dxqzokwwidhj7sgvluw4yxietfws4neofvkgl3ena._file

Verdict:

malicious

Label(s):

plugdisk

rhadamanthys

650b208d0e906556d2c926006f054e4f66e012397760d4235309580e977462c0

7605bf7fecc7116865f283368d33592bbf80042a05d221afe53d9c995bb65477

7f2b86e0352b6ceddfdbc7d74cd277cc1b084a673a6c9e6a1a4e0e341d6f0e36

9d76c0ca960c251fa95e9414b787f440382e6154773750994408fb9b5f2557d2

9e314f178d23c9744db79ab49653353f25adf6320b54cee801aab6776cf5ba74

d88dd4f687de3dd50b9c908ce2c9e16de028b9d67729ffc676304ad3465b1416

d8bb72218ec4b2009d131d75975f2e3741384d5e0e41928e5aebacf62f8d46f7

ee1e2f384670f934a2a3f57f5184bd2b1d943acc6c529255b88a6b9c51962803

error

f3fd89e09cfb05356f82d1b04ecaed18b78514ea23dcd983908887984d0c3e1d

+ 704 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/251013-el8pfat1f1/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/2053f529-28b1-40ff-b202-06de3bafc2f7

Unpacked files

SH256 hash:

bf53d5ac3f7a343bc32e55ac819d3f91aaba5b98ba0932da5c691c5aa8cbd91a

MD5 hash:

64c77473e035e19869ea574c5ee7866c

SHA1 hash:

db06d2003e072fc655bd32dce52f13a63c667d87

Link:

https://www.unpac.me/results/82741db7-8dc5-4667-a0bf-67c45a44c9e2/

Malware family:

Rhadamanthys

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/bf53d5ac3f7a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bf53d5ac3f7a343bc32e55ac819d3f91aaba5b98ba0932da5c691c5aa8cbd91a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe bf53d5ac3f7a343bc32e55ac819d3f91aaba5b98ba0932da5c691c5aa8cbd91a

(this sample)

Dropped by

Amadey

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3668637/

Cape

https://www.capesandbox.com/analysis/32497/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample