MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5a56fae5d569c4e46d4b2a1072805fddb1f8dd6f241f95b35ef1bdba5cdafd8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c5a56fae5d569c4e46d4b2a1072805fddb1f8dd6f241f95b35ef1bdba5cdafd8
SHA3-384 hash: bcbb92f9d26be9e4c7e0d2fe74a8cc18d216b3ef318d3eda6d4a395bcc40f850bf444f9bd10793decd42ea0511d812e2
SHA1 hash: 9bbad84ae96e50fe9343b7b7861890749f309b56
MD5 hash: c9c5547a9187dbb15989a0da95b288e8
humanhash: leopard-green-missouri-angel
File name:c9c5547a9187dbb15989a0da95b288e8.exe
Download: download sample
File size:832'812 bytes
First seen:2025-08-17 08:08:36 UTC
Last seen:2025-08-18 02:15:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fa8296a065044c26d3fa25a2a7e8ea13
ssdeep 24576:2q/cXBB5nVXdmnQi0BZhN/W63SuVkCFFvexDPqFEAER:D/cxBbNMS/UuCusxDPqFEAER
TLSH T1C605D073AED14CD9C5AA52B0A6C7C6A27539FDA40273970B565012303F0BED06FDE6C6
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10522/11/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
41
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
d19c9bf47898e4c6e8a3cc86610c9817c8cb218a36a96907789260481f7a78e5.bin.exe
Verdict:
Malicious activity
Analysis date:
2025-08-17 02:00:06 UTC
Tags:
gcleaner loader lumma stealer auto autoit amadey redline botnet telegram inno installer delphi stealc
Link:
https://app.any.run/tasks/47b7fa22-1fd6-45b6-a8a8-8f03682ef7c4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/21759/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop32.28928.14494.30855.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68a162d7c2f5296a1a27bcf0
Tags:
injection obfusc spawn
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Creating a service
Creating a process from a recently created file
Creating a process with a hidden window
Enabling autorun for a service
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/c5a56fae5d569c4e46d4b2a1072805fddb1f8dd6f241f95b35ef1bdba5cdafd8
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/29f0a735-bb99-4b17-abf0-a6845570ade1
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1758758
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
Contain functionality to detect virtual machines
Drops large PE files
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1758758 Sample: 3PMJril4tX.exe Startdate: 17/08/2025 Architecture: WINDOWS Score: 80 34 lingering-rice-5b65.itachimitarashi.workers.dev 2->34 40 Multi AV Scanner detection for submitted file 2->40 8 3PMJril4tX.exe 9 2->8         started        12 svchost.exe 2->12         started        14 svchost.exe 1 1 2->14         started        17 4 other processes 2->17 signatures3 process4 dnsIp5 32 C:\Users\user\AppData\...\sysapp64.exe, PE32+ 8->32 dropped 50 Drops large PE files 8->50 19 sysapp64.exe 1 8->19         started        52 Changes security center settings (notifications, updates, antivirus, firewall) 12->52 23 MpCmdRun.exe 2 12->23         started        38 127.0.0.1 unknown unknown 14->38 file6 signatures7 process8 file9 30 C:\Users\user\AppData\...\xnovvdtpjzzq.tmp, PE32+ 19->30 dropped 42 Contain functionality to detect virtual machines 19->42 44 Writes to foreign memory regions 19->44 46 Modifies the context of a thread in another process (thread injection) 19->46 48 3 other signatures 19->48 25 dwm.exe 19->25         started        28 conhost.exe 23->28         started        signatures10 process11 dnsIp12 36 lingering-rice-5b65.itachimitarashi.workers.dev 104.21.112.1, 443, 49709 CLOUDFLARENETUS United States 25->36
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c5a56fae5d569c4e46d4b2a1072805fddb1f8dd6f241f95b35ef1bdba5cdafd8
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/c9c5547a9187dbb15989a0da95b288e8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c5a56fae5d569c4e46d4b2a1072805fddb1f8dd6f241f95b35ef1bdba5cdafd8/
Verdict:
Malicious
Threat:
PDM:Trojan.Win32
Link:
https://tip.neiki.dev/file/c5a56fae5d569c4e46d4b2a1072805fddb1f8dd6f241f95b35ef1bdba5cdafd8
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-08-17 02:02:38 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ywsw7ls5k2oe4rwuwkqqokaf7xnr7dow6ja7swzv54n5xjonv7ma._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/250817-j2czxsck9w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/bc7a01fe-3085-4f73-ac07-9008786d6e2d
Unpacked files
SH256 hash:
c5a56fae5d569c4e46d4b2a1072805fddb1f8dd6f241f95b35ef1bdba5cdafd8
MD5 hash:
c9c5547a9187dbb15989a0da95b288e8
SHA1 hash:
9bbad84ae96e50fe9343b7b7861890749f309b56
Link:
https://www.unpac.me/results/bb262627-bd92-4583-99a5-765bbdfd909b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c5a56fae5d569c4e46d4b2a1072805fddb1f8dd6f241f95b35ef1bdba5cdafd8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe c5a56fae5d569c4e46d4b2a1072805fddb1f8dd6f241f95b35ef1bdba5cdafd8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3605098/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/21759/

Comments