MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c18a935e6bc79c439b1c64fabe2ef4893c0890957bdc6c79608b9b6eb254c2e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 11

Intelligence 11 IOCs YARA 6 File information Comments

SHA256 hash:	c18a935e6bc79c439b1c64fabe2ef4893c0890957bdc6c79608b9b6eb254c2e8
SHA3-384 hash:	749aa94436e7bc714b45c540a478af3532a17d743ea624db02a3e549efa04d04868e745f7640f26b6e8d9fec11094b81
SHA1 hash:	b459fd40295d72d9019bba8f135643e6801c4d36
MD5 hash:	52b9b31cad484a20c7df6fa88159de15
humanhash:	william-white-march-spring
File name:	file
Download:	download sample
File size:	1'872'416 bytes
First seen:	2026-02-01 18:28:37 UTC
Last seen:	2026-02-01 18:31:55 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f98e3d572331a677243d588c4f23184f
ssdeep	24576:KcRTacOL4MKDlnFSkr2twW29ggkzfYt7+uLLGU87J9PVDomxpfdEqm9W7jYRpaGH:KJACSmPouf2gypLh
TLSH	T1BC85236231DE30F1E0A3D1B94D1503D9DB3178B2DABA976F06914A094F678B04F7AB4E
TrID	48.7% (.EXE) Win64 Executable (generic) (10522/11/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey exe fbf543

Bitsight

url: http://130.12.180.43/files/7782139129/bZl8Zv3.exe

Intelligence

File Origin

# of uploads :

# of downloads :

124

Origin country :

Vendor Threat Intelligence

Gathering data

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2026-02-01 18:29:56 UTC

Tags:

stealer wallstealer auto-reg auto-startup

Link:

https://app.any.run/tasks/75fc6306-f7e8-4982-a29b-1c004d9cf70d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Gathering data

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=697f9b82d93e7233498c65ab

Tags:

phishing autorun cobalt

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

microsoft_visual_cc

Link:

https://www.filescan.io/uploads/697f9b802ffccda097656930/reports/b3fc1159-b9f0-47b6-bcd4-7dcba5d7b4d5/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/c18a935e6bc79c439b1c64fabe2ef4893c0890957bdc6c79608b9b6eb254c2e8

Result

Gathering data

Verdict:

Unknown

File Type:

Link:

https://opentip.kaspersky.com/c18a935e6bc79c439b1c64fabe2ef4893c0890957bdc6c79608b9b6eb254c2e8/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/736830b4-938d-4d87-95ec-f157d7aaca06

Score:

96%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/c18a935e6bc79c439b1c64fabe2ef4893c0890957bdc6c79608b9b6eb254c2e8

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/52b9b31cad484a20c7df6fa88159de15

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c18a935e6bc79c439b1c64fabe2ef4893c0890957bdc6c79608b9b6eb254c2e8/

Verdict:

Malicious

Threat:

Family.WALLSTEALER

Link:

https://tip.neiki.dev/file/c18a935e6bc79c439b1c64fabe2ef4893c0890957bdc6c79608b9b6eb254c2e8

Threat name:

Win64.Backdoor.Androm

Status:

Suspicious

First seen:

2026-02-01 18:29:35 UTC

File Type:

PE+ (Exe)

AV detection:

6 of 36 (16.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ygfjgxtly6oehgy4mt5l4lxure6areevppogy6laronw5msuylua._file

Result

Malware family:

n/a

Score:

10/10

Tags:

discovery persistence

Link:

https://tria.ge/reports/260201-w42ghsct9g/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Browser Information Discovery

System Time Discovery

Drops file in Windows directory

Suspicious use of SetThreadContext

Adds Run key to start application

Drops startup file

Executes dropped EXE

Modifies WinLogon for persistence

Unpacked files

SH256 hash:

c18a935e6bc79c439b1c64fabe2ef4893c0890957bdc6c79608b9b6eb254c2e8

MD5 hash:

52b9b31cad484a20c7df6fa88159de15

SHA1 hash:

b459fd40295d72d9019bba8f135643e6801c4d36

Link:

https://www.unpac.me/results/ed1c7f01-fe28-499c-886e-71484cd90f91/

Malware family:

WallStealer

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c18a935e6bc7/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c18a935e6bc79c439b1c64fabe2ef4893c0890957bdc6c79608b9b6eb254c2e8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	dgaagas Create hunting rule
Author:	Harshit
Description:	Uses certutil.exe to download a file named test.txt

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe c18a935e6bc79c439b1c64fabe2ef4893c0890957bdc6c79608b9b6eb254c2e8

(this sample)

Dropped by

Amadey

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3767373/

Cape

https://www.capesandbox.com/analysis/51121/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample