MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8ad2c1bc1a24fcb10b72e38b92e31e252c7398e057b2e211db24b9ef35a6ba7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 11

Intelligence 11 IOCs YARA 4 File information Comments

SHA256 hash:	d8ad2c1bc1a24fcb10b72e38b92e31e252c7398e057b2e211db24b9ef35a6ba7
SHA3-384 hash:	a6e1c9592351a50c314f1a0432473f2ed2393e72a441110bbdd2838e47175724ec165c2d5c1f371605af16a4f968ea8c
SHA1 hash:	eb56cec141c602701b4961011c839fda3c766f5b
MD5 hash:	cc9c6eaa999ca8d1f605163b9f48ba21
humanhash:	orange-william-georgia-carbon
File name:	cc9c6eaa999ca8d1f605163b9f48ba21.exe
Download:	download sample
File size:	21'504 bytes
First seen:	2025-07-26 12:49:41 UTC
Last seen:	2025-07-29 15:24:32 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	384:KsJD37ANPNOkfGf7rK/xOvEzOGkSPwAeje1eOLR57zj9RNyvfNZ:NrENPNOkNf1kkkqR5T9cNZ
TLSH	T135A28D08FECDD923C6B94B7DC892A7014FA592369A67E7DFBC4471911E4B3B048163A3
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

amadey

ID:

File name:

c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe

Verdict:

Malicious activity

Analysis date:

2025-07-26 04:17:50 UTC

Tags:

amadey botnet stealer loader rdp github payload reverseloader ta558 apt stegocampaign crypto-regex pentagon lumma auto generic stealc evasion telegram golang vidar deerstealer qrcode xor-url arechclient2 rat backdoor themida purelogs purecrypter arch-doc rust gcleaner susp-powershell api-base64 xmrig

Link:

https://app.any.run/tasks/05533a10-e7c5-46d8-be4a-1da7fd23af48

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/16990/

Verdict:

Clean

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6884cf250b4775fb21317c8a

Tags:

n/a

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/6884cf1813488cfd44d96ea2/reports/a26fa759-a877-4452-b7f6-ae4009d9e381/overview

Verdict:

Malicious

Labled as:

Cerbu.Generic

Link:

https://www.hybrid-analysis.com/sample/d8ad2c1bc1a24fcb10b72e38b92e31e252c7398e057b2e211db24b9ef35a6ba7

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/b2225c87-0796-43ae-bbd8-1261c7150ba2

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/1744627

Signature

Antivirus / Scanner detection for submitted sample

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/d8ad2c1bc1a24fcb10b72e38b92e31e252c7398e057b2e211db24b9ef35a6ba7

Verdict:

inconclusive

YARA:

12 match(es)

Tags:

.Net Executable PE (Portable Executable) SOS: 0.24 Win 32 Exe x86

Link:

https://app.malva.re/file/cc9c6eaa999ca8d1f605163b9f48ba21

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d8ad2c1bc1a24fcb10b72e38b92e31e252c7398e057b2e211db24b9ef35a6ba7/

Verdict:

Malicious

Threat:

ByteCode-MSIL.Malware.Heuristic

Link:

https://tip.neiki.dev/file/d8ad2c1bc1a24fcb10b72e38b92e31e252c7398e057b2e211db24b9ef35a6ba7

Threat name:

Win32.Trojan.Cerbu

Status:

Malicious

First seen:

2025-07-26 00:43:05 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 23 (73.91%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3cwsyg6bujh4wefxfy4lslrr4jjmoomoav5s4ii5wjfz5422notq._file

Result

Malware family:

n/a

Score:

3/10

Tags:

discovery

Link:

https://tria.ge/reports/250726-p27r7azshz/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

System Location Discovery: System Language Discovery

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/5e585e50-e502-40a0-9dfb-eaedc627d55e

Unpacked files

SH256 hash:

d8ad2c1bc1a24fcb10b72e38b92e31e252c7398e057b2e211db24b9ef35a6ba7

MD5 hash:

cc9c6eaa999ca8d1f605163b9f48ba21

SHA1 hash:

eb56cec141c602701b4961011c839fda3c766f5b

Link:

https://www.unpac.me/results/84ea713d-8d74-476c-b204-f53de8c6d56b/

SH256 hash:

53f0396bba422755cd217aa6cd72feee58a28e785239535596e307c1bd6fa1b7

MD5 hash:

1301fd92a776c74e800fa37bb8779753

SHA1 hash:

006d389e33e79ac90cae92cc2ce23bf971c3b67e

Link:

https://www.unpac.me/results/84ea713d-8d74-476c-b204-f53de8c6d56b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/d8ad2c1bc1a24fcb10b72e38b92e31e252c7398e057b2e211db24b9ef35a6ba7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/16990/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample