MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e0e90138c11649dfd51bc8cfe66a9d9eeef122f2aeed4258668915d89661787e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 14

Intelligence 14 IOCs YARA 4 File information Comments

SHA256 hash:	e0e90138c11649dfd51bc8cfe66a9d9eeef122f2aeed4258668915d89661787e
SHA3-384 hash:	0bc1a6e089b9b530e235a17ed13ba5de0bb186b0aec512e9d60dcc40c17a4cf356d55a54a3d43d4246ec16be1dda6098
SHA1 hash:	0e91613d4f9463ec48793bf6334dcb7914b3ec62
MD5 hash:	9611a48d53f25ae38d4890a9bf233773
humanhash:	kilo-fish-music-stairway
File name:	SecuriteInfo.com.Win64.MalwareX-gen.76437913
Download:	download sample
File size:	87'040 bytes
First seen:	2025-09-01 07:19:28 UTC
Last seen:	2025-09-03 12:50:37 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	94db902678e9cc8be9117c6371afca30
ssdeep	1536:1S/ccnYADD5FTl76Lvj+P6CUPlctIgKwmtEMvftY+/mP039x6wO8P:1SEcnYaD5FTlWzifUPlc2/GM3tY+/Pxh
TLSH	T181834A4A72E510F8C0B6813988E16A1AF7B2F4B6537157CF46B4439A1F633E09E3D722
TrID	44.4% (.EXE) Win64 Executable (generic) (10522/11/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	SecuriteInfoCom
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

amadey

ID:

File name:

a.exe

Verdict:

Malicious activity

Analysis date:

2025-09-01 07:12:27 UTC

Tags:

golang auto-reg amadey botnet stealer rdp loader stealc python telegram lumma

Link:

https://app.any.run/tasks/0f2f1dfd-d322-47b6-808a-0dfdd54360b7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/24427/

Detection(s):

SecuriteInfo.com.Win64.MalwareX-gen.76437913.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68b5495beb163e0ec183e773

Tags:

ransomware dropper emotet virus

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for recently created files

Sending an HTTP GET request to an infection source

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Connection attempt to an infection source

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

explorer lolbin microsoft_visual_cc obfuscated

Link:

https://www.filescan.io/uploads/68b549546212e2f742669dd0/reports/fb7e9918-75c3-4213-8fc4-545418bcfae9/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/e0e90138c11649dfd51bc8cfe66a9d9eeef122f2aeed4258668915d89661787e

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-08-31T17:54:00Z UTC

Last seen:

2025-08-31T17:54:00Z UTC

Hits:

~100

Detections:

Trojan-Banker.Win32.ClipBanker.sb Backdoor.Win32.Androm VHO:Backdoor.Win32.Androm.gen Trojan-Banker.Win32.ClipBanker.aeyb PDM:Trojan.Win32.Generic Trojan-Dropper.Win32.Injector.sb Trojan.Win32.Agent.sb HEUR:HackTool.Win32.Inject.heur Trojan-Banker.Win32.ClipBanker.sba MEM:Trojan.Win32.Cometer.gen Backdoor.Win32.Zegost.sb

Link:

https://opentip.kaspersky.com/e0e90138c11649dfd51bc8cfe66a9d9eeef122f2aeed4258668915d89661787e/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c1fa3af1-e411-4fb8-9aeb-328a266fa0f8

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/e0e90138c11649dfd51bc8cfe66a9d9eeef122f2aeed4258668915d89661787e

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/9611a48d53f25ae38d4890a9bf233773

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e0e90138c11649dfd51bc8cfe66a9d9eeef122f2aeed4258668915d89661787e/

Verdict:

Malicious

Threat:

VHO:Backdoor.Win32.Androm

Link:

https://tip.neiki.dev/file/e0e90138c11649dfd51bc8cfe66a9d9eeef122f2aeed4258668915d89661787e

Threat name:

Win64.Trojan.Egairtigado

Status:

Malicious

First seen:

2025-08-31 21:55:36 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

27 of 36 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4duqcogbcze57vi3zdh6m2u5t3xpcixsv3wuewdgrek5rftbpb7a._file

Result

Malware family:

n/a

Score:

8/10

Tags:

persistence

Link:

https://tria.ge/reports/250901-h5xcascn4v/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Adds Run key to start application

Executes dropped EXE

Downloads MZ/PE file

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/617be74a-5505-4067-970e-ddb8bcff989f

Unpacked files

SH256 hash:

e0e90138c11649dfd51bc8cfe66a9d9eeef122f2aeed4258668915d89661787e

MD5 hash:

9611a48d53f25ae38d4890a9bf233773

SHA1 hash:

0e91613d4f9463ec48793bf6334dcb7914b3ec62

Link:

https://www.unpac.me/results/0eefb312-7043-4b6b-9ea4-61f21b63cbc0/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e0e90138c116/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e0e90138c11649dfd51bc8cfe66a9d9eeef122f2aeed4258668915d89661787e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	ReflectiveLoader Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe e0e90138c11649dfd51bc8cfe66a9d9eeef122f2aeed4258668915d89661787e

(this sample)

Cape

https://www.capesandbox.com/analysis/24427/

URLhaus

https://urlhaus.abuse.ch/url/3615073/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample