MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 edb67746385c24b2e6c69cc3a633b5858905f07c273de9651741a069dcc7cda6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 11

Intelligence 11 IOCs YARA 14 File information Comments

SHA256 hash:	edb67746385c24b2e6c69cc3a633b5858905f07c273de9651741a069dcc7cda6
SHA3-384 hash:	19dc125f8764427515b5f980adbc7f847b8e952d1e85e9a8ecb25cb9b5b94f9afaeecfe015f16a30491e786556f7bbc3
SHA1 hash:	045ac6658340c2b3f4dfc57d42d6788ddd75f782
MD5 hash:	4ada08508dd3b58dac7d6c33a1921074
humanhash:	neptune-ten-music-violet
File name:	file
Download:	download sample
File size:	2'029'608 bytes
First seen:	2025-10-17 04:03:40 UTC
Last seen:	2025-10-20 04:10:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	596c731a06a10a876820fa1b72d1669e (5 x Vidar, 2 x StormKitty, 2 x Rhadamanthys)
ssdeep	49152:HUm05bltTUADAnO8D+fueqDPEK8L2csMW3UDW:A5bltTmO8D+mKK8jsD35
TLSH	T11195022A9095A2EFF19640B29A056550F833B86747391EEF43F8D7351A0FAE40F7E325
TrID	63.5% (.EXE) Win64 Executable (generic) (10522/11/4) 12.2% (.EXE) OS/2 Executable (generic) (2029/13) 12.0% (.EXE) Generic Win/DOS Executable (2002/3) 12.0% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey exe

Bitsight

url: http://178.16.55.189/files/1129026890/KOCe0UJ.exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

amadey

ID:

File name:

251001-xmjqtavnx3_pw_infected.zip

Verdict:

Malicious activity

Analysis date:

2025-10-16 19:08:20 UTC

Tags:

auto lumma stealer arch-exec amadey redline botnet unlocker-eject tool loader autoit generic github gcleaner remote xworm rdp ms-smartcard miner stealc anti-evasion rhadamanthys themida auto-sch-xml websocket winscp rmm-tool amsi-bypass silentcryptominer winring0-sys vuln-driver darkvision crypto-regex evasion rat njrat bladabindi hijackloader phishing pureminer netreactor upx salatstealer susp-powershell golang

Link:

https://app.any.run/tasks/f1641ffc-43f1-42fa-bf70-ae25cfdf0860

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/33144/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68f1c0530cffb3244298a226

Tags:

xtreme virus sage

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a window

DNS request

Connection attempt

Sending an HTTP GET request

Creating a file in the %temp% subdirectories

Running batch commands

Creating a process with a hidden window

Launching a process

Using the Windows Management Instrumentation requests

Searching for synchronization primitives

Delayed writing of the file

Searching for the window

Creating a file

Query of malicious DNS domain

Launching a tool to kill processes

Forced shutdown of a browser

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

amadey crypt fingerprint invalid-signature microsoft_visual_cc packed signed unsafe

Link:

https://www.filescan.io/uploads/68f1c063df5cb32bf1f09748/reports/2bdfaf9a-96d9-4592-8038-69fe770b786d/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/edb67746385c24b2e6c69cc3a633b5858905f07c273de9651741a069dcc7cda6

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-10-16T15:13:00Z UTC

Last seen:

2025-10-17T10:09:00Z UTC

Hits:

~100

Detections:

PDM:Trojan.Win32.Generic Trojan.Win32.Injuke.pdqg NetTool.PowerShellUA.HTTP.C&C NetTool.PowerShellGet.HTTP.C&C

Link:

https://opentip.kaspersky.com/edb67746385c24b2e6c69cc3a633b5858905f07c273de9651741a069dcc7cda6/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/c7c82ebc-c272-4690-99c5-9dfee5afeb75

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/edb67746385c24b2e6c69cc3a633b5858905f07c273de9651741a069dcc7cda6

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/4ada08508dd3b58dac7d6c33a1921074

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/edb67746385c24b2e6c69cc3a633b5858905f07c273de9651741a069dcc7cda6/

Verdict:

Malicious

Threat:

NetTool.Win32.HTTP

Link:

https://tip.neiki.dev/file/edb67746385c24b2e6c69cc3a633b5858905f07c273de9651741a069dcc7cda6

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5w3horrylqslfzwgttb2mm5vqweql4d4e466szixigqgtxghzwta._file

Result

Malware family:

n/a

Score:

8/10

Tags:

defense_evasion discovery execution spyware stealer

Link:

https://tria.ge/reports/251017-ena6ysxkz8/

Behaviour

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Browser Information Discovery

Enumerates processes with tasklist

Suspicious use of SetThreadContext

Indicator Removal: File Deletion

Executes dropped EXE

Reads user/profile data of web browsers

Badlisted process makes network request

Command and Scripting Interpreter: PowerShell

Verdict:

Unknown

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/3d02ec1b-7c24-43b6-b6de-de443cdbe0c6

Unpacked files

SH256 hash:

edb67746385c24b2e6c69cc3a633b5858905f07c273de9651741a069dcc7cda6

MD5 hash:

4ada08508dd3b58dac7d6c33a1921074

SHA1 hash:

045ac6658340c2b3f4dfc57d42d6788ddd75f782

Link:

https://www.unpac.me/results/919982b7-0d16-468a-8345-9f54ee572517/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/edb67746385c24b2e6c69cc3a633b5858905f07c273de9651741a069dcc7cda6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CMD_Shutdown Create hunting rule
Author:	adm1n_usa32

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	dgaaga Create hunting rule
Author:	Harshit
Description:	Detects suspicious PowerShell or registry activity

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	grakate_stealer_nov_2021 Create hunting rule

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	WIN_ClickFix_Detection Create hunting rule
Author:	dogsafetyforeverone
Description:	Detects ClickFix social engineering technique using 'Verify you are human' messages and malicious PowerShell commands
Reference:	ClickFix social engineering and malicious PowerShell commands

Rule name:	win_sidetwist_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.sidetwist.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe edb67746385c24b2e6c69cc3a633b5858905f07c273de9651741a069dcc7cda6

(this sample)

Dropped by

Amadey

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3679645/

Cape

https://www.capesandbox.com/analysis/33144/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample