MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6c04b1d3f2c01aee578d23a039600c1747140e573793e4301873362c5908a51. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c6c04b1d3f2c01aee578d23a039600c1747140e573793e4301873362c5908a51
SHA3-384 hash: 242a6e0209a3f1459b392a3ba71f431222a7d3ebc3e5147aae5e42ab6281f58f9c39e5f55f7b633a51053639641f99bc
SHA1 hash: 92b47a5e5611d0616bdfc6fb44f92e261f138251
MD5 hash: 1d50c95627439b708a79fadcd37c4fa3
humanhash: vermont-carolina-sweet-happy
File name:enCvZXe.exe
Download: download sample
File size:1'625'088 bytes
First seen:2025-06-18 06:22:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 560b325af86221ca0e2edab33d472094 (6 x LummaStealer, 3 x Vidar, 2 x Stealc)
ssdeep 24576:RYqj5J3u4giqwbw7nWNVLRQelquVDmgbEb4Xw7nWNVLRQelquVDmgbEb4:RY+nLqYEnWNrR0KTUsEnWNrR0KTU
TLSH T172750165926163F5ED6B417A81516541F972782A8734AFFF43A0E2332F23BC21E3E325
TrID 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
422
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
250618-egntgabm3s.bin
Verdict:
Malicious activity
Analysis date:
2025-06-18 04:08:19 UTC
Tags:
amadey botnet stealer loader unlocker-eject tool lumma auto-reg rdp arch-exec evasion telegram auto stealc vidar themida smokeloader fileshare generic gcleaner autoit
Link:
https://app.any.run/tasks/c9c7b528-0e27-4458-8e6d-fb18d0900542

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/9951/
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a window
Сreating synchronization primitives
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/c6c04b1d3f2c01aee578d23a039600c1747140e573793e4301873362c5908a51
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/1cc5d9e8-fa35-42c7-8102-7ab0a582f6b8
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1717113
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Silenttrinity Stager Msbuild Activity
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1717113 Sample: enCvZXe.exe Startdate: 18/06/2025 Architecture: WINDOWS Score: 96 32 pki-goog.l.google.com 2->32 34 pixeldrain.com 2->34 36 6 other IPs or domains 2->36 50 Multi AV Scanner detection for submitted file 2->50 52 Joe Sandbox ML detected suspicious sample 2->52 54 Sigma detected: Silenttrinity Stager Msbuild Activity 2->54 56 Sigma detected: Rare Remote Thread Creation By Uncommon Source Image 2->56 9 enCvZXe.exe 1 2->9         started        signatures3 process4 signatures5 58 Writes to foreign memory regions 9->58 60 Allocates memory in foreign processes 9->60 62 Injects a PE file into a foreign processes 9->62 12 MSBuild.exe 15 4 9->12         started        16 MSBuild.exe 9->16         started        18 conhost.exe 9->18         started        process6 dnsIp7 40 144.172.91.41, 49692, 49727, 49728 HOSTFLYTE-NETWORKSCA United States 12->40 42 pixeldrain.com 160.202.167.163 DEDICATEDUS New Zealand 12->42 64 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->64 66 Tries to steal Mail credentials (via file / registry access) 12->66 68 Tries to harvest and steal browser information (history, passwords, etc) 12->68 72 5 other signatures 12->72 20 chrome.exe 1 12->20         started        23 chrome.exe 12->23 injected 25 chrome.exe 12->25 injected 27 4 other processes 12->27 70 Switches to a custom stack to bypass stack traces 16->70 signatures8 process9 dnsIp10 38 192.168.2.5, 443, 49675, 49691 unknown unknown 20->38 29 chrome.exe 20->29         started        process11 dnsIp12 44 142.250.80.33, 443, 49709 GOOGLEUS United States 29->44 46 www.google.com 142.250.81.228, 443, 49693, 49698 GOOGLEUS United States 29->46 48 6 other IPs or domains 29->48
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c6c04b1d3f2c01aee578d23a039600c1747140e573793e4301873362c5908a51
Verdict:
inconclusive
YARA:
3 match(es)
Tags:
Executable PE (Portable Executable) Win 64 Exe x64
Link:
https://app.malva.re/file/1d50c95627439b708a79fadcd37c4fa3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c6c04b1d3f2c01aee578d23a039600c1747140e573793e4301873362c5908a51/
Threat name:
Win64.Trojan.Etset
Create hunting rule
Status:
Malicious
First seen:
2025-06-18 02:26:35 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y3aewhj7fqa25zly2i5ahfqayf2hcqhfon4t4qybq4zwfrmqrjiq._file
Result
Malware family:
n/a
Score:
  6/10
Tags:
collection discovery
Link:
https://tria.ge/reports/250618-g51t2sx1c1/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/97d00328-73b0-4aa5-b7d7-804d83ffbd82
Unpacked files
SH256 hash:
c6c04b1d3f2c01aee578d23a039600c1747140e573793e4301873362c5908a51
MD5 hash:
1d50c95627439b708a79fadcd37c4fa3
SHA1 hash:
92b47a5e5611d0616bdfc6fb44f92e261f138251
Link:
https://www.unpac.me/results/a2bb884c-bf89-4011-8a45-b9cdc476fdf6/
Malware family:
EddieStealer
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c6c04b1d3f2c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c6c04b1d3f2c01aee578d23a039600c1747140e573793e4301873362c5908a51

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe c6c04b1d3f2c01aee578d23a039600c1747140e573793e4301873362c5908a51

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3562967/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/9951/
  
URLhaus
https://urlhaus.abuse.ch/url/3568128/

Comments