MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd857d80058dbc9612561dd35854c29baa394c5b08136c42766d3025ed88ec76. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 14


Intelligence 14 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cd857d80058dbc9612561dd35854c29baa394c5b08136c42766d3025ed88ec76
SHA3-384 hash: 97c6b8edf7ddb07424446641345d3a19aee4f4a1d6ff1e571f98f54005ec3c9e3707746528fd536fba8ff7bb1a9da76f
SHA1 hash: 2c10751c789a45b7e35ed8067c2fa706c77d00d8
MD5 hash: 4978b4432fe1ce6ffd72f0f021e0f03c
humanhash: blossom-three-pluto-washington
File name:uk.exe
Download: download sample
File size:835'584 bytes
First seen:2025-07-05 13:36:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 21371b611d91188d602926b15db6bd48 (61 x Formbook, 23 x AgentTesla, 20 x RemcosRAT)
ssdeep 24576:6f+iN57Gtene34lVSL44NvBANcMCqUMpR:ULXKtene34lI8EBaUM
TLSH T1610523825AD1ACA1C5507330803A8C6594743C70EE07B26F876DF1ABAC752EBD557B2F
TrID 39.1% (.EXE) UPX compressed Win32 Executable (27066/9/6)
38.3% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
7.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.9% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
11
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
main.exe
Verdict:
Malicious activity
Analysis date:
2025-07-04 15:33:12 UTC
Tags:
loader python github amadey phishing clickfix possible-phishing miner azorult neshta networm amus auto generic njrat metasploit bazaloader rat remcos dbatloader formbook stealer loki ransomware bladabindi asyncrat meterpreter backdoor payload phorpiex aurotunstealer younglotus purelogs purecrypter pyinstaller vidar arechclient2 redline stormkitty agenttesla remote xworm evasion metastealer aurotun telegram modiloader smokeloader storm1747 tycoon quasar sage botnet lumma koistealer koiloader koi
Link:
https://app.any.run/tasks/406b6342-05b1-44be-94ed-46f288318b04

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/12437/
Detection(s):
SecuriteInfo.com.Trojan.AutoIt.1678.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68692a98c9eb974737669990
Tags:
remo
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Restart of the analyzed sample
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/cd857d80058dbc9612561dd35854c29baa394c5b08136c42766d3025ed88ec76
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/4ef24327-5be1-401f-8493-c98b9def4cdc
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1729250
Signature
Binary is likely a compiled AutoIt script file
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1729250 Sample: uk.exe Startdate: 05/07/2025 Architecture: WINDOWS Score: 56 48 Multi AV Scanner detection for submitted file 2->48 50 Binary is likely a compiled AutoIt script file 2->50 52 Joe Sandbox ML detected suspicious sample 2->52 14 uk.exe 2 2->14         started        process3 signatures4 68 Binary is likely a compiled AutoIt script file 14->68 17 uk.exe 1 14->17         started        process5 signatures6 46 Binary is likely a compiled AutoIt script file 17->46 20 uk.exe 1 17->20         started        process7 signatures8 56 Binary is likely a compiled AutoIt script file 20->56 23 uk.exe 1 20->23         started        process9 signatures10 60 Binary is likely a compiled AutoIt script file 23->60 26 uk.exe 1 23->26         started        process11 signatures12 64 Binary is likely a compiled AutoIt script file 26->64 29 uk.exe 1 26->29         started        process13 signatures14 66 Binary is likely a compiled AutoIt script file 29->66 32 uk.exe 1 29->32         started        process15 signatures16 44 Binary is likely a compiled AutoIt script file 32->44 35 uk.exe 1 32->35         started        process17 signatures18 54 Binary is likely a compiled AutoIt script file 35->54 38 uk.exe 1 35->38         started        process19 signatures20 58 Binary is likely a compiled AutoIt script file 38->58 41 uk.exe 1 38->41         started        process21 signatures22 62 Binary is likely a compiled AutoIt script file 41->62
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cd857d80058dbc9612561dd35854c29baa394c5b08136c42766d3025ed88ec76
Verdict:
Malware
YARA:
5 match(es)
Tags:
AutoIt Decompiled Executable PE (Portable Executable) Suspect Win 32 Exe x86
Link:
https://app.malva.re/file/4978b4432fe1ce6ffd72f0f021e0f03c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cd857d80058dbc9612561dd35854c29baa394c5b08136c42766d3025ed88ec76/
Verdict:
Malicious
Threat:
Win32.Trojan.AutoitInject
Link:
https://tip.neiki.dev/file/cd857d80058dbc9612561dd35854c29baa394c5b08136c42766d3025ed88ec76
Threat name:
Win32.Trojan.AutoitInject
Create hunting rule
Status:
Malicious
First seen:
2025-07-04 14:45:26 UTC
File Type:
PE (Exe)
Extracted files:
43
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zwcx3aafrw6jmeswdxjvqvgctovdstc3bajwyqtwnuycl3mi5r3a._file
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery upx
Link:
https://tria.ge/reports/250705-qwy4jayxhx/
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
AutoIT Executable
UPX packed file
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/79b25470-8764-40bf-aa56-e4883a2d0536
Unpacked files
SH256 hash:
cd857d80058dbc9612561dd35854c29baa394c5b08136c42766d3025ed88ec76
MD5 hash:
4978b4432fe1ce6ffd72f0f021e0f03c
SHA1 hash:
2c10751c789a45b7e35ed8067c2fa706c77d00d8
Link:
https://www.unpac.me/results/253b4757-4f90-4fe3-8837-cd93d9cc69c1/
SH256 hash:
08d6658f22a7f8bc674d14a4ec693663ca51d083ed36b346d38913cdc350aac4
MD5 hash:
380c35bdd8e8c273f0dbf7be1317cb57
SHA1 hash:
a24b100ea047e725dbbce8ab37d6dae6887cdace
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/253b4757-4f90-4fe3-8837-cd93d9cc69c1/
SH256 hash:
dbec4cfb44f182961f4ceae4fa86134d4bb6ecb05962c676af46fb7b567cf685
MD5 hash:
3ab678f0109228534255bbe579c36cf5
SHA1 hash:
6d69985f7f09610f9f13cf144ecf620be1bbd4d0
Link:
https://www.unpac.me/results/253b4757-4f90-4fe3-8837-cd93d9cc69c1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cd857d80058dbc9612561dd35854c29baa394c5b08136c42766d3025ed88ec76

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:upx_largefile
Create hunting rule
Author:k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe cd857d80058dbc9612561dd35854c29baa394c5b08136c42766d3025ed88ec76

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3575620/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/12437/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::GetAce
MULTIMEDIA_APICan Play MultimediaWINMM.dll::timeGetTime
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA

Comments