MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df1e09ca640b5ed14fd80cf8343529ff51e53ae4f16de84f1c5651f55a0c00cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Fuery


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments

SHA256 hash: df1e09ca640b5ed14fd80cf8343529ff51e53ae4f16de84f1c5651f55a0c00cb
SHA3-384 hash: 4b4b771f98c89c0ea9a45e12ae5bc41b9d3f7078ea8eed2080b7788bc513a1edcf1054c59d3226fc419c0bfc09c79ef7
SHA1 hash: 5ddeb07d0bbab7a8cfeb1898c1a6b7ba6ff9edc5
MD5 hash: 6b3ce695efb881fd013e596d8fa5644a
humanhash: twelve-purple-fruit-kitten
File name:file.exe
Download: download sample
Signature Fuery
File size:7'832'576 bytes
First seen:2026-05-19 02:16:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'097 x AgentTesla, 20'115 x Formbook, 12'356 x SnakeKeylogger)
ssdeep 196608:AP0JJVFwVKR9VIaMaTl+IKvmjimkf2xP3hagV+:AP4JVCUVIajTlDM+UuxvhBV+
TLSH T1E9863319C2D8CE09E8AA37F984B5E2740BB96C49D015C2127FD97EEB386273D4705B1B
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter aachum
Tags:exe Fuery plugin smtp-module td2


Avatar
iamaachum
http://62.181.55.38:8000/td2 / http://laf.oahgsfwklg.top/td2

FUERY botnet plugin dropped by td. Uses process hollowing to execute a stripped Go 1.24.9 payload. Built with a dedicated SMTP stack (emersion/go-smtp, go-message, go-sasl) and a scalable worker pool, consistent with a mass mailing module. Receives tasks from C2 api.itsjusttesting.top (192.119.110.122:443, HOSTWINDS US).

Intelligence


File Origin
# of uploads :
1
# of downloads :
153
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
dae.dll
Verdict:
No threats detected
Analysis date:
2026-05-19 01:44:05 UTC
Tags:
golang

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
92.5%
Tags:
phishing micro
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
lolbin packed tracker
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-05-18T23:23:00Z UTC
Last seen:
2026-05-20T18:46:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.MSIL.Crypt.gen
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
72 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1915372 Sample: file.exe Startdate: 19/05/2026 Architecture: WINDOWS Score: 72 19 Antivirus / Scanner detection for submitted sample 2->19 21 Multi AV Scanner detection for submitted file 2->21 23 Yara detected AntiVM3 2->23 25 2 other signatures 2->25 6 file.exe 3 2->6         started        process3 file4 17 C:\Users\user\AppData\Local\...\file.exe.log, ASCII 6->17 dropped 9 file.exe 6->9         started        11 file.exe 6->11         started        13 file.exe 6->13         started        15 2 other processes 6->15 process5
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.35 Win 32 Exe x86
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Status:
Malicious
First seen:
2026-05-19 02:17:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
wannacryptor
Similar samples:
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
df1e09ca640b5ed14fd80cf8343529ff51e53ae4f16de84f1c5651f55a0c00cb
MD5 hash:
6b3ce695efb881fd013e596d8fa5644a
SHA1 hash:
5ddeb07d0bbab7a8cfeb1898c1a6b7ba6ff9edc5
SH256 hash:
a1b35695d40aadf6dfdd66d874d190cec4c8387e5f80c3027c674778ef6006aa
MD5 hash:
cdd42b965d8f53d4b6e788f2c7c64592
SHA1 hash:
35e3629ed7a2336e9f9ae0ec9a0777edbe16acbf
SH256 hash:
d81cf3bb5b3bb04ff3b1da53ff8734e6e0807731c0ac8c78da7907e97c34d458
MD5 hash:
a14be8c3d3cbda7fa82dcb1ccedcce38
SHA1 hash:
4615144224d691e30220745524f3cb1af6c7d71b
SH256 hash:
265710a4053dc7c993ca47e266c6b9c6808530186385a0e192fe747e0e903bfc
MD5 hash:
4ff8bbf69b087c8173d1548b6164ca02
SHA1 hash:
d7ba0745511bfc645fd1f13c956fa6aff5449e40
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Author:malware-lu
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Fuery

Executable exe df1e09ca640b5ed14fd80cf8343529ff51e53ae4f16de84f1c5651f55a0c00cb

(this sample)

  
Dropped by
Fuery
  
Delivery method
Distributed via web download

Comments