MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef7afaf9efa5ce059b94764ee77a4ba3f83900b9b714edc04a13d7ce63fd2a48. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 12

Intelligence 12 IOCs YARA 20 File information Comments

SHA256 hash:	ef7afaf9efa5ce059b94764ee77a4ba3f83900b9b714edc04a13d7ce63fd2a48
SHA3-384 hash:	52e053f7a0e843fd15e09c518adb100e96c177df7dc7f689a6093232f123bd5d9f37cff76539b58a825be69dfdd4006f
SHA1 hash:	de2e10ba79428b35b99e102b7d033cfa869058fb
MD5 hash:	2c80b3eb5740ecb30df11f1bca1d2cea
humanhash:	blossom-fanta-winner-romeo
File name:	bot.exe
Download:	download sample
File size:	7'931'904 bytes
First seen:	2025-03-29 13:49:35 UTC
Last seen:	2025-04-06 07:30:50 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	d42595b695fc008ef2c56aabd8efd68e (475 x Vidar, 96 x Stealc, 92 x Rhadamanthys)
ssdeep	98304:3NFazCM6aEsEByVLc1BTkA1keIWbgu+MdvB2rwNeH6:34n6a4VPTkA1CWJ9Bw6
TLSH	T1EB868C03FCA549E9C1ADD234C9A28253BA71BC494B3523D72B50F7382F76BD4AA79740
TrID	44.4% (.EXE) Win64 Executable (generic) (10522/11/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
dhash icon	9288ce8c2a868f92 (89 x Tinba, 7 x AsyncRAT, 6 x Dridex)
Reporter	aachum
Tags:	exe

iamaachum

https://github.com/legendary99999/skdnfgkvdnskgfdf/releases/download/dfgvsdfbsdfbsfb/bot.exe

C2: gogo.fechrise.fun

Intelligence

File Origin

# of uploads :

# of downloads :

344

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

bot.exe

Verdict:

Suspicious activity

Analysis date:

2025-03-29 13:52:46 UTC

Tags:

golang

Link:

https://app.any.run/tasks/87616ba1-6f12-4f5c-90d8-e52e0b3b4007

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67e7fb6a855e5ec524099c40

Tags:

dropper spawn virus

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Creating a process with a hidden window

Moving a file to the %AppData% subdirectory

Replacing files

Launching a process

DNS request

Connection attempt

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

crypto expand golang lolbin packed packed packer_detected redcap

Link:

https://www.filescan.io/uploads/67e7fa97631830704a8af2c9/reports/4266dfbd-45cf-4395-a8c1-f1f502399db9/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/ef7afaf9efa5ce059b94764ee77a4ba3f83900b9b714edc04a13d7ce63fd2a48

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/8b2ddd5c-1f60-4e78-a94d-922fba0b6219

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ef7afaf9efa5ce059b94764ee77a4ba3f83900b9b714edc04a13d7ce63fd2a48

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ef7afaf9efa5ce059b94764ee77a4ba3f83900b9b714edc04a13d7ce63fd2a48/

Threat name:

Win64.Trojan.Amadey

Status:

Malicious

First seen:

2025-03-28 16:56:24 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=555pv6ppuxhalg4uozhoo6slup4dsafzw4ko3qckcpl44y75fjea._file

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery execution

Link:

https://tria.ge/reports/250329-q5bdtswmx2/

Behaviour

Modifies registry key

Suspicious use of WriteProcessMemory

Command and Scripting Interpreter: PowerShell

Creates a large amount of network flows

Executes dropped EXE

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/9cb0181f-05d4-4b16-a631-e911b7fccdf4

Unpacked files

SH256 hash:

ef7afaf9efa5ce059b94764ee77a4ba3f83900b9b714edc04a13d7ce63fd2a48

MD5 hash:

2c80b3eb5740ecb30df11f1bca1d2cea

SHA1 hash:

de2e10ba79428b35b99e102b7d033cfa869058fb

Link:

https://www.unpac.me/results/02836989-eeb1-45a0-8562-18b869747a49/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ef7afaf9efa5ce059b94764ee77a4ba3f83900b9b714edc04a13d7ce63fd2a48

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectGoMethodSignatures Create hunting rule
Author:	Wyatt Tauber
Description:	Detects Go method signatures in unpacked Go binaries

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	Golangmalware Create hunting rule
Author:	Dhanunjaya
Description:	Malware in Golang

Rule name:	golang_binary_string Create hunting rule
Description:	Golang strings present

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	golang_duffcopy_amd64 Create hunting rule

Rule name:	HiveRansomware Create hunting rule
Author:	Dhanunjaya
Description:	Yara Rule To Detect Hive V4 Ransomware

Rule name:	identity_golang Create hunting rule
Author:	Eric Yocam
Description:	find Golang malware

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	ProgramLanguage_Golang Create hunting rule
Author:	albertzsigovits
Description:	Application written in Golang programming language

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe ef7afaf9efa5ce059b94764ee77a4ba3f83900b9b714edc04a13d7ce63fd2a48

(this sample)

Link

https://tria.ge/250329-q1c2vsvsav/behavioral1

Dropped by

Amadey

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high

Reviews

ID	Capabilities	Evidence
DNS_METHODS	Performs DNS calls	vendor/golang.org/x/net/dns/dnsmessage.(nestedError).Error vendor/golang.org/x/net/dns/dnsmessage.(header).pack vendor/golang.org/x/net/dns/dnsmessage.(header).unpack vendor/golang.org/x/net/dns/dnsmessage.(Parser).Start vendor/golang.org/x/net/dns/dnsmessage.(Parser).resourceHeader vendor/golang.org/x/net/dns/dnsmessage.(Parser).skipResource vendor/golang.org/x/net/dns/dnsmessage.(Parser).Question vendor/golang.org/x/net/dns/dnsmessage.(Parser).SkipQuestion vendor/golang.org/x/net/dns/dnsmessage.(Parser).CNAMEResource vendor/golang.org/x/net/dns/dnsmessage.(Parser).AResource vendor/golang.org/x/net/dns/dnsmessage.(Parser).AAAAResource vendor/golang.org/x/net/dns/dnsmessage.NewBuilder vendor/golang.org/x/net/dns/dnsmessage.(Builder).Question vendor/golang.org/x/net/dns/dnsmessage.(Builder).OPTResource vendor/golang.org/x/net/dns/dnsmessage.(Builder).Finish vendor/golang.org/x/net/dns/dnsmessage.(ResourceHeader).pack vendor/golang.org/x/net/dns/dnsmessage.(ResourceHeader).unpack vendor/golang.org/x/net/dns/dnsmessage.skipResource vendor/golang.org/x/net/dns/dnsmessage.(Name).pack vendor/golang.org/x/net/dns/dnsmessage.(Name).unpack vendor/golang.org/x/net/dns/dnsmessage.(Question).pack vendor/golang.org/x/net/dns/dnsmessage.unpackCNAMEResource vendor/golang.org/x/net/dns/dnsmessage.init type:.eq.vendor/golang.org/x/net/dns/dnsmessage.nestedError vendor/golang.org/x/net/dns/dnsmessage::inittask vendor/golang.org/x/net/dns/dnsmessage.classNames vendor/golang.org/x/net/dns/dnsmessage.rCodeNames vendor/golang.org/x/net/dns/dnsmessage.ErrNotStarted vendor/golang.org/x/net/dns/dnsmessage.ErrSectionDone vendor/golang.org/x/net/dns/dnsmessage.errBaseLen vendor/golang.org/x/net/dns/dnsmessage.errCalcLen vendor/golang.org/x/net/dns/dnsmessage.errReserved vendor/golang.org/x/net/dns/dnsmessage.errTooManyPtr vendor/golang.org/x/net/dns/dnsmessage.errInvalidPtr vendor/golang.org/x/net/dns/dnsmessage.errInvalidName vendor/golang.org/x/net/dns/dnsmessage.errResourceLen vendor/golang.org/x/net/dns/dnsmessage.errSegTooLong vendor/golang.org/x/net/dns/dnsmessage.errNameTooLong vendor/golang.org/x/net/dns/dnsmessage.errZeroSegLen vendor/golang.org/x/net/dns/dnsmessage.errResTooLong vendor/golang.org/x/net/dns/dnsmessage.errTooManyQuestions vendor/golang.org/x/net/dns/dnsmessage.errTooManyAnswers vendor/golang.org/x/net/dns/dnsmessage.errTooManyAuthorities vendor/golang.org/x/net/dns/dnsmessage.errTooManyAdditionals vendor/golang.org/x/net/dns/dnsmessage.errNonCanonicalName vendor/golang.org/x/net/dns/dnsmessage.sectionNames go:itab.vendor/golang.org/x/net/dns/dnsmessage.nestedError error
EXEC_METHODS	Can Execute Commands	os.StartProcess os/exec.Command os/exec.Command.func1 syscall.StartProcess syscall.StartProcess.deferwrap3 syscall.StartProcess.deferwrap2 syscall.StartProcess.deferwrap1
FILE_IO_READ	Can Read Files	io.ReadAll os.ReadFile os.ReadFile.deferwrap1 os.OpenFile os.openFileNolog os.UserHomeDir
FILE_IO_WRITE	Can Create and Remove Files	os.Mkdir os.Mkdir.func1 os.MkdirAll os.Remove os.rename os.WriteFile
HTTP_CLIENT_METHODS	Invokes HTTP service	net/http.doubleCRLF net/http.Header.sortedKeyValues net/http.Header.writeSubset net/http.Header.sortedKeyValues.func1 net/http.headerNewlineToSpace net/http.headerSorterPool
HTTP_METHODS	Can run an HTTP server	vendor/golang.org/x/net/http2/hpack.init vendor/golang.org/x/net/http2/hpack.init.func1 vendor/golang.org/x/net/http2/hpack.NewEncoder vendor/golang.org/x/net/http2/hpack.(Encoder).WriteField vendor/golang.org/x/net/http2/hpack.(Encoder).searchTable vendor/golang.org/x/net/http2/hpack.(Encoder).SetMaxDynamicTableSize vendor/golang.org/x/net/http2/hpack.appendNewName vendor/golang.org/x/net/http2/hpack.appendIndexedName vendor/golang.org/x/net/http2/hpack.appendHpackString vendor/golang.org/x/net/http2/hpack.DecodingError.Error vendor/golang.org/x/net/http2/hpack.InvalidIndexError.Error vendor/golang.org/x/net/http2/hpack.HeaderField.String vendor/golang.org/x/net/http2/hpack.NewDecoder vendor/golang.org/x/net/http2/hpack.(Decoder).SetEmitFunc vendor/golang.org/x/net/http2/hpack.(dynamicTable).add vendor/golang.org/x/net/http2/hpack.(dynamicTable).evict vendor/golang.org/x/net/http2/hpack.(Decoder).Close vendor/golang.org/x/net/http2/hpack.(Decoder).Write vendor/golang.org/x/net/http2/hpack.(Decoder).parseHeaderFieldRepr vendor/golang.org/x/net/http2/hpack.(Decoder).parseFieldIndexed vendor/golang.org/x/net/http2/hpack.(Decoder).parseFieldLiteral vendor/golang.org/x/net/http2/hpack.(Decoder).callEmit vendor/golang.org/x/net/http2/hpack.(Decoder).parseDynamicTableSizeUpdate vendor/golang.org/x/net/http2/hpack.readVarInt vendor/golang.org/x/net/http2/hpack.(Decoder).readString vendor/golang.org/x/net/http2/hpack.(Decoder).decodeString vendor/golang.org/x/net/http2/hpack.huffmanDecode vendor/golang.org/x/net/http2/hpack.buildRootHuffmanNode vendor/golang.org/x/net/http2/hpack.AppendHuffmanString vendor/golang.org/x/net/http2/hpack.(headerFieldTable).evictOldest vendor/golang.org/x/net/http2/hpack.(headerFieldTable).search vendor/golang.org/x/net/http2/hpack.(headerFieldTable).idToIndex vendor/golang.org/x/net/http2/hpack.(DecodingError).Error vendor/golang.org/x/net/http2/hpack.(HeaderField).String vendor/golang.org/x/net/http2/hpack.(*InvalidIndexError).Error type:.eq.vendor/golang.org/x/net/http2/hpack.HeaderField type:.eq.vendor/golang.org/x/net/http2/hpack.pairNameValue type:.hash.vendor/golang.org/x/net/http2/hpack.pairNameValue vendor/golang.org/x/net/http2/hpack::inittask vendor/golang.org/x/net/http2/hpack.ErrStringLength vendor/golang.org/x/net/http2/hpack.errNeedMore vendor/golang.org/x/net/http2/hpack.errVarintOverflow vendor/golang.org/x/net/http2/hpack.bufPool vendor/golang.org/x/net/http2/hpack.ErrInvalidHuffman vendor/golang.org/x/net/http2/hpack.buildRootOnce vendor/golang.org/x/net/http2/hpack.lazyRootHuffmanNode vendor/golang.org/x/net/http2/hpack.staticTable vendor/golang.org/x/net/http2/hpack.huffmanCodes vendor/golang.org/x/net/http2/hpack.huffmanCodeLen go:itab.vendor/golang.org/x/net/http2/hpack.DecodingError error go:itab.vendor/golang.org/x/net/http2/hpack.InvalidIndexError error
NET_METHODS	Uses Network to send and receive data	syscall.Bind net.lookupPortMap net.lookupPortMapWithNetwork net.ParseCIDR net.DialTimeout net.DialUDP
OS_METHODS	Can Execute OS commands	os.Kill
SYSCALL_METHODS	Can perform system-level operations	syscall.Listen syscall.Mkdir syscall.Open
WEAK_CRYPTO	Uses Weak Cryptographic Algorithms	crypto/md5.init.0 crypto/md5.(digest).Reset crypto/md5.(digest).MarshalBinary crypto/md5.(digest).UnmarshalBinary crypto/md5.New crypto/md5.(digest).Size crypto/md5.(digest).BlockSize crypto/md5.(digest).Write crypto/md5.(digest).Sum crypto/md5.(digest).checkSum crypto/md5.block.abi0 crypto/md5::inittask go:itab.*crypto/md5.digest hash.Hash
ZIP_METHODS	Can perform Zip archive operations	compress/flate.NewReader

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample