MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce7c6f882a0d99b74ba757e9f0634a2fb39cc9bb139d6aafb57ad9572c2de087. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 9

Intelligence 9 IOCs YARA 11 File information Comments

SHA256 hash:	ce7c6f882a0d99b74ba757e9f0634a2fb39cc9bb139d6aafb57ad9572c2de087
SHA3-384 hash:	a6a84a5f1f8b2264a0060af2d5f2b0c7125ef50439067b8fe56f3233b93aa8446a8414aa5c878ff378a590efbc83e1d3
SHA1 hash:	e6b96e0b9dcbd69972aeff8589917ffe4fbdc13d
MD5 hash:	93249c558cbd0fb5f750ad14470f5d1c
humanhash:	helium-one-black-coffee
File name:	file
Download:	download sample
File size:	389'632 bytes
First seen:	2025-11-30 05:46:28 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ac44f01609d5947cdb02277d63cfa5b6
ssdeep	6144:mU4l/yrpTSurkD5Zvs3/XO/WhG40Q/O4:+49eurp3fO/
TLSH	T1ED848E1EFB6414F9E1E7C178CE534906EB727C8947B0A69F23E44A961F232A09D3E711
TrID	48.7% (.EXE) Win64 Executable (generic) (10522/11/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey exe fbf543

Bitsight

url: http://178.16.55.189/files/8262475068/ditfNPx.exe

Intelligence

File Origin

# of uploads :

# of downloads :

116

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

file

Verdict:

No threats detected

Analysis date:

2025-11-30 05:47:20 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c45a7ffc-4435-4aa9-9407-e26031196652

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/41892/

Detection(s):

ditekSHen.MALWARE.Win.Trojan.AsyncRAT.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=692bda63f9fd2d5f941f2326

Tags:

vmdetect trickbot autorun

Result

Verdict:

Clean

Maliciousness:

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug anti-vm anti-vm evasive explorer fingerprint lolbin microsoft_visual_cc runonce schtasks wmic

Link:

https://www.filescan.io/uploads/692bda622cd29ea6300357c8/reports/d575208e-3aeb-447d-b6ec-7fa121e3a9bc/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/ce7c6f882a0d99b74ba757e9f0634a2fb39cc9bb139d6aafb57ad9572c2de087

Result

Gathering data

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/03572a32-4a0a-4d2e-bc7c-297d4cdbfd2a

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ce7c6f882a0d99b74ba757e9f0634a2fb39cc9bb139d6aafb57ad9572c2de087

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/93249c558cbd0fb5f750ad14470f5d1c

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ce7c6f882a0d99b74ba757e9f0634a2fb39cc9bb139d6aafb57ad9572c2de087/

Verdict:

Malicious

Threat:

Exploit.Win32.BypassUAC

Link:

https://tip.neiki.dev/file/ce7c6f882a0d99b74ba757e9f0634a2fb39cc9bb139d6aafb57ad9572c2de087

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zz6g7cbkbwm3os5hk7u7ay2kf6zzzsn3coowvl5vplmvolbn4cdq._file

Result

Malware family:

n/a

Score:

9/10

Tags:

defense_evasion

Link:

https://tria.ge/reports/251130-ggy1jssme1/

Behaviour

Suspicious behavior: EnumeratesProcesses

Looks for VMWare Tools registry key

Looks for VirtualBox Guest Additions in registry

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/a2fb1b70-9c20-44f3-82c3-501c83b7f642

Unpacked files

SH256 hash:

ce7c6f882a0d99b74ba757e9f0634a2fb39cc9bb139d6aafb57ad9572c2de087

MD5 hash:

93249c558cbd0fb5f750ad14470f5d1c

SHA1 hash:

e6b96e0b9dcbd69972aeff8589917ffe4fbdc13d

Link:

https://www.unpac.me/results/c621b5bb-777d-4d0d-a60d-c8f81cbaf0c1/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ce7c6f882a0d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ce7c6f882a0d99b74ba757e9f0634a2fb39cc9bb139d6aafb57ad9572c2de087

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_Debugger Create hunting rule

Rule name:	Check_VBox_Guest_Additions Create hunting rule

Rule name:	Check_VmTools Create hunting rule

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__RemoteAPI Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe ce7c6f882a0d99b74ba757e9f0634a2fb39cc9bb139d6aafb57ad9572c2de087

(this sample)

Dropped by

Amadey

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3720908/

Cape

https://www.capesandbox.com/analysis/41892/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample