MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d593ddbfe63dbf2b738f9a64619fbb720fab9f79facdeedc24b2c6960121b1a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 15

Intelligence 15 IOCs YARA 11 File information Comments

SHA256 hash:	d593ddbfe63dbf2b738f9a64619fbb720fab9f79facdeedc24b2c6960121b1a4
SHA3-384 hash:	393fed05662ab3525553c6f906feb78266fb3b8125d416821ed0ed039b3be98f6e9410506e6d212873862ac73f761fd3
SHA1 hash:	c901a4eac0944d16590ebb9d5d60af11e809f610
MD5 hash:	daa46b833b44e542c385ae5487efd482
humanhash:	johnny-double-five-whiskey
File name:	wEWj37T.exe
Download:	download sample
File size:	1'431'552 bytes
First seen:	2025-09-17 18:04:02 UTC
Last seen:	2025-10-10 06:45:54 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'647 x Formbook, 12'245 x SnakeKeylogger)
ssdeep	24576:+jzkiJJZ6eQiba/d3dilHQyYtZhoe7WrW0Li8qsWa3e9Bnoh5rS5aaq8mT7a253:2z/7QICswylVrW7Hnqeadu9mvv5
TLSH	T1E365336337E446A4F8594BBA9076015409B9BBD325C3CBBECCE9E0131E266971BF448F
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	mazznrz
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

amadey

ID:

File name:

random.exe

Verdict:

Malicious activity

Analysis date:

2025-09-17 15:01:53 UTC

Tags:

lumma stealer amadey unlocker-eject tool auto redline botnet arch-exec telegram loader themida generic stealc auto-reg anti-evasion gcleaner rhadamanthys vidar coinminer miner rdp auto-startup

Link:

https://app.any.run/tasks/72e73280-c5b7-4213-8ff7-d8418a613456

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/27984/

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68caf83488b9544392475918

Tags:

autorun androm sage msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %AppData% directory

Launching a process

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Connecting to a non-recommended domain

Connection attempt

Sending a custom TCP request

Creating a window

Enabling autorun by creating a file

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

net_reactor obfuscated obfuscated packed packed packer_detected

Link:

https://www.filescan.io/uploads/68caf8390d1238ff0aadfd66/reports/369ae873-46d4-4006-b429-9bce0836f284/overview

Verdict:

Malicious

Labled as:

MSIL.Androm.Generic

Link:

https://www.hybrid-analysis.com/sample/d593ddbfe63dbf2b738f9a64619fbb720fab9f79facdeedc24b2c6960121b1a4

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-09-17T11:27:00Z UTC

Last seen:

2025-09-17T11:27:00Z UTC

Hits:

~100

Detections:

Trojan-PSW.Win32.Coins.sb Trojan-PSW.MSIL.PureLogs.sb Trojan.MSIL.Dnoper.sb Trojan.MSIL.Agent.sb HEUR:Trojan.Win32.Generic VHO:Backdoor.Win32.Androm.gen Trojan-PSW.Win32.Stealer.sb Trojan-PSW.MSIL.Agentb.sb Trojan.MSIL.Inject.sb

Link:

https://opentip.kaspersky.com/d593ddbfe63dbf2b738f9a64619fbb720fab9f79facdeedc24b2c6960121b1a4/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/7c1abdbb-41b9-454f-a4c8-b26ce34216b7

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/d593ddbfe63dbf2b738f9a64619fbb720fab9f79facdeedc24b2c6960121b1a4

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.88 Win 32 Exe x86

Link:

https://app.malva.re/file/daa46b833b44e542c385ae5487efd482

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d593ddbfe63dbf2b738f9a64619fbb720fab9f79facdeedc24b2c6960121b1a4/

Verdict:

Malicious

Threat:

Family.ZGRAT

Link:

https://tip.neiki.dev/file/d593ddbfe63dbf2b738f9a64619fbb720fab9f79facdeedc24b2c6960121b1a4

Threat name:

Win32.Backdoor.Androm

Status:

Malicious

First seen:

2025-09-17 15:55:14 UTC

AV detection:

19 of 38 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2wj53p7ghw7sw44ptjsgdh53oih2xh3z7lg65xbewldjmajbwgsa._file

Verdict:

malicious

Label(s):

purecrypter

Similar samples:

error

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery

Link:

https://tria.ge/reports/250917-wnwlbstxh1/

Behaviour

Runs ping.exe

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Suspicious use of SetThreadContext

Drops startup file

Executes dropped EXE

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/24c06a27-0fbe-425c-ad14-7e1d245aeca2

Unpacked files

SH256 hash:

d593ddbfe63dbf2b738f9a64619fbb720fab9f79facdeedc24b2c6960121b1a4

MD5 hash:

daa46b833b44e542c385ae5487efd482

SHA1 hash:

c901a4eac0944d16590ebb9d5d60af11e809f610

Link:

https://www.unpac.me/results/9cf90939-4c42-45f0-bcd6-e61a41acadea/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d593ddbfe63d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d593ddbfe63dbf2b738f9a64619fbb720fab9f79facdeedc24b2c6960121b1a4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	Lumma_Stealer_Detection Create hunting rule
Author:	ashizZz
Description:	Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:	https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	TH_Generic_MassHunt_Webshells_2025_CYFARE Create hunting rule
Author:	CYFARE
Description:	Generic multi-language webshell mass-hunt rule (PHP/ASP(X)/JSP/Python/Perl/Node) - 2025
Reference:	https://cyfare.net/