MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd9710e6b5e24326b9c472b4c42e7359dff9e447c93f6e61dc972bb978bbcc16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 33 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cd9710e6b5e24326b9c472b4c42e7359dff9e447c93f6e61dc972bb978bbcc16
SHA3-384 hash: 00df36ebf62c4f9e8ff78019f97a202bf21e51e135c7aff036b85cf9db121b888d41c42e339faea516619ddf5ee5b26c
SHA1 hash: d54cbd107b125ea6eb048652b91da4edc50538c3
MD5 hash: 3bb5b26d2da0640ba77190cffca226bd
humanhash: north-lithium-london-saturn
File name:file
Download: download sample
File size:7'209'472 bytes
First seen:2025-09-24 04:02:55 UTC
Last seen:2025-09-25 20:22:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7ae78f5d04f58e9a0bc082ff5abb228c
ssdeep 98304:lvdXemSM5V80NiVfheuKv/TNP85mDhxX3rRJhmn+WYm0uVaU+NW:lQk800VfheuKv/TNP85mDhxX3rRLU
TLSH T1E6769EAAA6B800D9D4ABC17CC2465227D771B85513B057CF1AA09AFA1F63BE01F7F740
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe


Avatar
Bitsight
url: http://178.16.54.200/files/8070726592/a9x2HoW.exe

Intelligence

File Origin
# of uploads :
6
# of downloads :
75
Origin country :
US US
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
random.exe
Verdict:
Malicious activity
Analysis date:
2025-09-23 19:48:50 UTC
Tags:
stealc stealer vidar amadey botnet unlocker-eject tool themida gcleaner loader aurotun rdp auto-reg auto phishing anti-evasion autoit lumma evasion pastebin auto-startup payload golang
Link:
https://app.any.run/tasks/188248e7-9d9e-45aa-9797-06fa22cc92dd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/28727/
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.43439174.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68d53cd1cc9425144151cb70
Tags:
infosteal autorun
Result
Verdict:
Clean
Maliciousness:

Behaviour
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug anti-vm base64 cmd crypto evasive explorer findstr fingerprint hacktool lolbin microsoft_visual_cc netsh stealer wmic
Link:
https://www.filescan.io/uploads/68d36df44cfd312e5634ca7b/reports/eace62da-5af4-4ce2-b5a4-a1875aea8773/overview
Verdict:
Suspicious
Labled as:
TrojanSpy/Stealer.x
Link:
https://www.hybrid-analysis.com/sample/cd9710e6b5e24326b9c472b4c42e7359dff9e447c93f6e61dc972bb978bbcc16
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-09-23T11:40:00Z UTC
Last seen:
2025-09-23T11:40:00Z UTC
Hits:
~100
Detections:
Trojan-PSW.Win32.Greedy.sb VHO:Trojan-PSW.Win32.Greedy.gen Trojan-PSW.Win32.Stealer.sb Trojan-PSW.MSIL.BlackGuard.sb Trojan.Win32.Vimditator.sb Trojan.Win32.Agent.sb HEUR:Trojan-Ransom.Win32.Generic Trojan-PSW.Win32.Coins.sb Trojan-PSW.MSIL.Stealer.sb
Link:
https://opentip.kaspersky.com/cd9710e6b5e24326b9c472b4c42e7359dff9e447c93f6e61dc972bb978bbcc16/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/dff9f9c5-d001-4c1f-bc70-6c00b5ecd77a
Score:
88%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cd9710e6b5e24326b9c472b4c42e7359dff9e447c93f6e61dc972bb978bbcc16
Verdict:
inconclusive
YARA:
6 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/3bb5b26d2da0640ba77190cffca226bd
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cd9710e6b5e24326b9c472b4c42e7359dff9e447c93f6e61dc972bb978bbcc16/
Verdict:
Malicious
Threat:
VHO:Trojan-PSW.Win32.Greedy
Link:
https://tip.neiki.dev/file/cd9710e6b5e24326b9c472b4c42e7359dff9e447c93f6e61dc972bb978bbcc16
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-09-23 14:41:39 UTC
File Type:
PE+ (Exe)
Extracted files:
4
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zwlrbzvv4jbsnooeok2milttlhp7tzchze7w4yo4s4v3s6f3zqla._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion discovery execution persistence privilege_escalation spyware stealer
Link:
https://tria.ge/reports/250924-enyx1s1why/
Behaviour
Checks processor information in registry
Gathers network information
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Enumerates processes with tasklist
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6be75177-5da2-47bb-9c72-86b0190e2e2f
Unpacked files
SH256 hash:
cd9710e6b5e24326b9c472b4c42e7359dff9e447c93f6e61dc972bb978bbcc16
MD5 hash:
3bb5b26d2da0640ba77190cffca226bd
SHA1 hash:
d54cbd107b125ea6eb048652b91da4edc50538c3
Link:
https://www.unpac.me/results/e3acaf9a-4259-4b21-b949-ebfea13901f0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cd9710e6b5e24326b9c472b4c42e7359dff9e447c93f6e61dc972bb978bbcc16

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BlackGuard_Rule
Create hunting rule
Author:Jiho Kim
Description:Yara rule for BlackGuarad Stealer v1.0 - v3.0
Reference:https://www.virustotal.com/gui/file/67843d45ba538eca29c63c3259d697f7e2ba84a3da941295b9207cdb01c85b71/detection
Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:dependsonpythonailib
Create hunting rule
Author:Tim Brown
Description:Hunts for dependencies on Python AI libraries
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Detect_Remcos_RAT
Create hunting rule
Author:daniyyell
Description:Detects Remcos RAT payloads and commands
Rule name:dgaaga
Create hunting rule
Author:Harshit
Description:Detects suspicious PowerShell or registry activity
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables (downlaoders) containing URLs to raw contents of a paste
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_References_SecTools
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many IR and analysis tools
Rule name:Macos_Infostealer_Wallets_8e469ea0
Create hunting rule
Author:Elastic Security
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:SUSP_Websites
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference of suspicious sites that might be used to download further malware
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:WHIRLPOOL_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for WhirlPool constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe cd9710e6b5e24326b9c472b4c42e7359dff9e447c93f6e61dc972bb978bbcc16

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3630791/
Cape
Cape
https://www.capesandbox.com/analysis/28727/
  
URLhaus
https://urlhaus.abuse.ch/url/3630966/

Comments