MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d937c5e462f41b5db3954ac322236b8356f6a03385a5daf112a4ac014a86e9d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 42 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d937c5e462f41b5db3954ac322236b8356f6a03385a5daf112a4ac014a86e9d9
SHA3-384 hash: 9c7535ca6f4d0deaf22c2ae06a6bcf0154b9c0cc26246e9839f403c5b0f4f4f5f020ed395da71c8ca986834e9a14c621
SHA1 hash: 169b718664c2d91e9c7772f8c52f96756d010d49
MD5 hash: 8742b2458284e4d0b66f22648ffd68f3
humanhash: carbon-fish-east-uniform
File name:file
Download: download sample
File size:18'205'696 bytes
First seen:2026-03-28 14:57:54 UTC
Last seen:2026-03-28 15:06:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d42595b695fc008ef2c56aabd8efd68e (235 x Vidar, 92 x Rhadamanthys, 89 x Stealc)
ssdeep 196608:xMqAMybEAM+bIJd2AVUVY/UJB0HXZYZ5fmXq4kBYuItlscEhxR:xMqAMyb1pIb2Al/S7ufyYLt+cEhxR
TLSH T1B3079E47E8A106E9C0AED175CA669153BB717C884F3063D72B90FB292F76BD06E79700
TrID 33.1% (.EXE) Win64 Executable (generic) (6522/11/2)
25.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.4% (.ICL) Windows Icons Library (generic) (2059/9)
10.3% (.EXE) OS/2 Executable (generic) (2029/13)
10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe fbf543


Avatar
Bitsight
url: http://85.239.147.6/files/7359455182/S5AKPxu.exe

Intelligence

File Origin
# of uploads :
14
# of downloads :
116
Origin country :
US US
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
_d937c5e462f41b5db3954ac322236b8356f6a03385a5daf112a4ac014a86e9d9.exe
Verdict:
Malicious activity
Analysis date:
2026-03-28 15:00:37 UTC
Tags:
remotex rat evasion websocket auto-reg stealer chromelevator golang ip-check
Link:
https://app.any.run/tasks/69c61da6-d4fe-43b2-aaa2-e913c5f4e85e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
Win.Ransomware.Crinal-10056425-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69c7ec8e635680513cf501e2
Tags:
infosteal lien
Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Сreating synchronization primitives
Creating a service
Launching a service
Restart of the analyzed sample
Launching the process to change network settings
Creating a file
Launching the process to change the firewall settings
Creating a process with a hidden window
Enabling autorun for a service
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm crypto golang overlay packed packed
Link:
https://www.filescan.io/uploads/69c7ec89972c219c8d70af41/reports/1e4106ff-7d45-4b93-8364-1267144b9694/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/d937c5e462f41b5db3954ac322236b8356f6a03385a5daf112a4ac014a86e9d9
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-03-28T12:05:00Z UTC
Last seen:
2026-03-28T13:53:00Z UTC
Hits:
~100
Detections:
Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Greedy.sb Trojan-Dropper.Win32.Injector.sb Trojan-Banker.Win32.Agent.gen Trojan-Spy.Stealer.TCP.C&C Backdoor.Win32.Androm.sb Trojan-PSW.MSIL.Stealer.sb Trojan-PSW.Win32.Agent.sb Trojan.Win32.Inject.sb PDM:Trojan.Win32.Generic Trojan-PSW.Win32.Coins.sb Trojan-PSW.Coins.HTTP.C&C Trojan.Win64.Agent.sb Trojan.Win32.Agent.sb HackTool.Win64.BroHack.sb Trojan-Spy.Win32.SpyEyes
Link:
https://opentip.kaspersky.com/d937c5e462f41b5db3954ac322236b8356f6a03385a5daf112a4ac014a86e9d9/results?tab=lookup
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d937c5e462f41b5db3954ac322236b8356f6a03385a5daf112a4ac014a86e9d9
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d937c5e462f41b5db3954ac322236b8356f6a03385a5daf112a4ac014a86e9d9/
Verdict:
Malicious
Threat:
Trojan-PSW.Win32.BroHack
Link:
https://tip.neiki.dev/file/d937c5e462f41b5db3954ac322236b8356f6a03385a5daf112a4ac014a86e9d9
Threat name:
Win64.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2026-03-28 14:58:22 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3e34lzdc6qnv3m4vjlbsei3lqnlpnibtqws5v4isuswacsug5hmq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
credential_access defense_evasion discovery persistence privilege_escalation spyware stealer
Link:
https://tria.ge/reports/260328-scab6sbz8s/
Behaviour
Enumerates system info in registry
GoLang User-Agent
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Browser Information Discovery
Event Triggered Execution: Netsh Helper DLL
System Time Discovery
Drops file in Windows directory
Adds Run key to start application
Looks up external IP address via web service
Executes dropped EXE
Reads user/profile data of web browsers
Modifies Windows Firewall
Uses browser remote debugging
Unpacked files
SH256 hash:
d937c5e462f41b5db3954ac322236b8356f6a03385a5daf112a4ac014a86e9d9
MD5 hash:
8742b2458284e4d0b66f22648ffd68f3
SHA1 hash:
169b718664c2d91e9c7772f8c52f96756d010d49
Link:
https://www.unpac.me/results/b10618eb-b4d9-4f92-b568-8e7b8b7a1dad/
SH256 hash:
e857298fd2f8d1c7d48780769433f33e7b3ceaae5ea5a74c13ce8c10bcc7b690
MD5 hash:
1d04536714bb22a3e909525a7dd627f0
SHA1 hash:
affc166fa1874ff3ec0e42646e008cec972b76ab
Link:
https://www.unpac.me/results/b10618eb-b4d9-4f92-b568-8e7b8b7a1dad/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d937c5e462f4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d937c5e462f41b5db3954ac322236b8356f6a03385a5daf112a4ac014a86e9d9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:aix
Create hunting rule
Author:Tim Brown @timb_machine
Description:AIX binary
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:Detect_Go_GOMAXPROCS
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata
Rule name:enterpriseapps2
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise apps
Rule name:enterpriseunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise UNIX
Rule name:Glasses
Create hunting rule
Author:Seth Hardy
Description:Glasses family
Rule name:GlassesCode
Create hunting rule
Author:Seth Hardy
Description:Glasses code features
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:golang_duffcopy_amd64
Create hunting rule
Rule name:Golang_Find_CSC846
Create hunting rule
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:Golang_Find_CSC846_Simple
Create hunting rule
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:ldpreload
Create hunting rule
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:Macos_Infostealer_Wallets_8e469ea0
Create hunting rule
Author:Elastic Security
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Suspicious_Golang_Binary
Create hunting rule
Author:Tim Machac
Description:Triage: Golang-compiled binary with suspicious OS/persistence/network strings (not family-specific)
Rule name:Suspicious_Process
Create hunting rule
Author:Security Research Team
Description:Suspicious process creation
Rule name:Sus_All_Windows_PE_Malware
Create hunting rule
Author:DiegoAnalytics
Description:Detects Windows PE malware of all types, avoids non-executables like .html
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe d937c5e462f41b5db3954ac322236b8356f6a03385a5daf112a4ac014a86e9d9

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/59611/

Comments