MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d5d1a3362fe4e63bca40faa5c0a201a56c76cd27c1ce4c0b11a6bc13c3e19941. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 16


Intelligence 16 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d5d1a3362fe4e63bca40faa5c0a201a56c76cd27c1ce4c0b11a6bc13c3e19941
SHA3-384 hash: 47ded2116b2ff1a83ecd754004d734c5ae8b29927030c75fa9fcdaba3aa2f7bf926ecc99c7f9c4f55ab4709295e73fdf
SHA1 hash: 93560fbbcae204277058eb2dff02a6ae5d15be71
MD5 hash: 24c558c8dd46d4726c671074f7fb77fa
humanhash: may-beer-red-twelve
File name:file
Download: download sample
File size:1'072'128 bytes
First seen:2025-09-08 04:01:26 UTC
Last seen:2025-09-08 04:05:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1deeab33a3db0d2c20caa9f7afb33436 (6 x Rhadamanthys)
ssdeep 24576:G+SzPLJ8qwnF7Cf3l/i8gtvuLhEG4sWY2qHFqg9SfLMbY:dWzJGFw3l/KuLhr/WfgFTSfLMU
Threatray 425 similar samples on MalwareBazaar
TLSH T143350242F0F390A3FA93E0F03A39D654582DE6739B244DEB2148E5746A69DD3077272B
TrID 49.9% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.6% (.EXE) OS/2 Executable (generic) (2029/13)
9.5% (.EXE) Generic Win/DOS Executable (2002/3)
9.4% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe


Avatar
Bitsight
url: http://178.16.54.200/files/174733404/PsCMIRi.exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
69
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
9d5ea48279ab3ab9acae516528429d2b54d30aba2a78c9924746219d2b9d9808.exe
Verdict:
Malicious activity
Analysis date:
2025-09-07 18:24:39 UTC
Tags:
auto redline stealer amadey botnet loader auto-reg lumma rdp stealc telegram purelogs vidar anti-evasion themida autoit auto-sch gcleaner emmenhtal ddr auto-startup
Link:
https://app.any.run/tasks/8dd5050a-bcbc-49bc-ba5d-9f06156abcdf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/26191/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68be5531b20052598878e338
Tags:
cobalt xpaj
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context crypto microsoft_visual_cc obfuscated packed packed packer_detected similar-threat
Link:
https://www.filescan.io/uploads/68be553e20d0ee406d99c907/reports/18b64247-571d-404c-8ebf-76dbb0761a29/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/d5d1a3362fe4e63bca40faa5c0a201a56c76cd27c1ce4c0b11a6bc13c3e19941
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-07T11:10:00Z UTC
Last seen:
2025-09-07T11:10:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.Agent.sb Trojan.Win64.SBEscape.sb Trojan.Win32.Strab.sb Trojan.Win32.Inject.sb Trojan.Win32.Crypt.sb
Link:
https://opentip.kaspersky.com/d5d1a3362fe4e63bca40faa5c0a201a56c76cd27c1ce4c0b11a6bc13c3e19941/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/5878ac84-5f04-4b2d-a5ad-78d57a43b03c
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d5d1a3362fe4e63bca40faa5c0a201a56c76cd27c1ce4c0b11a6bc13c3e19941
Verdict:
inconclusive
YARA:
3 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/24c558c8dd46d4726c671074f7fb77fa
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d5d1a3362fe4e63bca40faa5c0a201a56c76cd27c1ce4c0b11a6bc13c3e19941/
Verdict:
Malicious
Threat:
Family.LUMMA
Link:
https://tip.neiki.dev/file/d5d1a3362fe4e63bca40faa5c0a201a56c76cd27c1ce4c0b11a6bc13c3e19941
Threat name:
Win32.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-09-07 13:51:52 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2xi2gnrp4ttdxssa7ks4biqbuvwhntjhyhheycyru26bhq7btfaq._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
018f9ba428f4e3360bb6ee7c42f5f475bda12ae71a430d603a4a5e8ea94fdcf9
155f53209e7e4aacf1efb3c929a2aaa659f98f9dd3ff703d0eed9ff7379a7da3
29ecf946a40c89dfae84770c96f483b151a636202ceaab43b1c8008f2adedbea
7908c78041ece2129127d26500321b09f094e41c66f535454884bb4d79573b9b
8b6cc989867108154391335d55fc5267007706203ca4eadab8ef5fe0cad10fbf
a00f9b69f8250c86d0852c61a936f96372bd8c71fde6ddea492e3e2b8006ddea
bad586a884eb7b1edcafc832a9ecf192e85b084d0e9b77423b9e5494ed7d44e2
daa1e8c37f131efe55995260e3772db5bfe8d3d5c5c96d2adc7a55492aab0bae
error
f5bc4cd08a3e95935a848c97c435a0fc41b3a118c45a5baf3e50e6e69a109aff
+ 415 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/250908-elwpwaep2s/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/21d59ecd-50b4-42f0-ad83-b628ed55d5d5
Unpacked files
SH256 hash:
d5d1a3362fe4e63bca40faa5c0a201a56c76cd27c1ce4c0b11a6bc13c3e19941
MD5 hash:
24c558c8dd46d4726c671074f7fb77fa
SHA1 hash:
93560fbbcae204277058eb2dff02a6ae5d15be71
Link:
https://www.unpac.me/results/1e2963e5-22b6-498f-9cb3-97486567722f/
SH256 hash:
8855a86d2276a92e2dc38f1ce3ae709b93caba530ce75f31808c6cb0589c6395
MD5 hash:
329d6f6c5ac81e4b5d59f5ce0428e04e
SHA1 hash:
61494e8baf3cfcc7b81fc0f95e37653f4afa5b48
Link:
https://www.unpac.me/results/1e2963e5-22b6-498f-9cb3-97486567722f/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d5d1a3362fe4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d5d1a3362fe4e63bca40faa5c0a201a56c76cd27c1ce4c0b11a6bc13c3e19941

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:HUNTING_SUSP_TLS_SECTION
Create hunting rule
Author:chaosphere
Description:Detect PE files with .tls section that can be used for anti-debugging
Reference:Practical Malware Analysis - Chapter 16
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe d5d1a3362fe4e63bca40faa5c0a201a56c76cd27c1ce4c0b11a6bc13c3e19941

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3617786/
Cape
Cape
https://www.capesandbox.com/analysis/26191/

Comments