MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f37270779667751dd0ef109350f3c0e7f8c0bdc38354a4b9b381f04bdae7ec10. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f37270779667751dd0ef109350f3c0e7f8c0bdc38354a4b9b381f04bdae7ec10
SHA3-384 hash: d2a7044ca3259f62bc236c59925ab5ba29ec4ee8ff7d8487a830d70ec1209906001e947dca60ede16054ebfba985124b
SHA1 hash: b069733cc6c673764b4d98747ba33e2dd14db4b0
MD5 hash: 61b0a2d09047c562cb5bd1d29cae6f3e
humanhash: carbon-east-mirror-fix
File name:file
Download: download sample
File size:1'507'840 bytes
First seen:2025-09-15 04:42:46 UTC
Last seen:2025-09-15 05:28:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 44d8a197c84278da32b54956d7f26e65 (6 x LummaStealer, 1 x StormKitty, 1 x Vidar)
ssdeep 24576:96Nq2dPX+LafWxzXmiPuFfCcsFOOHbTgY3XK6+xuIvs9Gj2V9ppyFM:IVtWxzBiCPbl3XT+SjppMM
Threatray 372 similar samples on MalwareBazaar
TLSH T1DC65F129E87590D6FCD74470A7559111E9327D378B282AEB41E8C7A0365BEFD0B3E322
TrID 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe


Avatar
Bitsight
url: http://158.94.208.102/1.exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
93
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2025-09-15 04:45:55 UTC
Tags:
anti-evasion lumma stealer rhadamanthys diamotrix clipper auto-reg python loader
Link:
https://app.any.run/tasks/7f14083f-50b0-41a0-99df-6e5ce247af49

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/27448/
Detection(s):
Win.Packed.Lazy-10057857-0
Create hunting rule

Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c79978e579c633a4b54b82
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a window
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Connecting to a non-recommended domain
Connection attempt
Sending a custom TCP request
DNS request
Sending a UDP request
Reading critical registry keys
Searching for the window
Launching a process
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
fingerprint microsoft_visual_cc obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/68c79973c62f69962389a5a5/reports/4e97cc23-f72b-4496-b145-26d0b41240ae/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/f37270779667751dd0ef109350f3c0e7f8c0bdc38354a4b9b381f04bdae7ec10
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-09-14T09:47:00Z UTC
Last seen:
2025-09-14T09:47:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/f37270779667751dd0ef109350f3c0e7f8c0bdc38354a4b9b381f04bdae7ec10/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/c34f296f-464c-4ba9-abcd-7e891404822f
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f37270779667751dd0ef109350f3c0e7f8c0bdc38354a4b9b381f04bdae7ec10
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/61b0a2d09047c562cb5bd1d29cae6f3e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f37270779667751dd0ef109350f3c0e7f8c0bdc38354a4b9b381f04bdae7ec10/
Threat name:
Win64.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-09-14 14:43:46 UTC
File Type:
PE+ (Exe)
AV detection:
29 of 38 (76.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6nzha54wm52r3uhpccjvb46a474mbpodqnkkjontqhyexwxh5qia._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
1936ccd7cc0f18a24224533eab9a88c37130495143dc5599542cc4607650352b
5a68af44b9399b0bf6e41e5d60b994251dedb610c700dcfd81198b67a0518d0e
629c324c37ac630713373e8f4573c5e0992e0a38f9b1e0b2fc6e6f7135ece39c
72acf597de6ade41537a8d9d153e89064168ed780feeffc66ecf3081922fd87d
7adcc8466d2e071c926f0fdf9b5a601de304ef017df7d5cc0a1032b85783aad5
b4fd170f2d56421678f4743cba758fb69779b4bfd0f77202dbfc760d8ed1c8e5
dc741d4bbde8bd12093efd37aac1d9aeb09242ebbfc745b2f44db2a47f3bca21
error
fe7ba9fdcc449190123cc2c60ef77c04912c442a3c15ef2b88d26fe41c18c6a8
+ 362 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/250915-fcfgzavscv/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0d555468-729e-4271-b9b6-6f4460264b87
Unpacked files
SH256 hash:
f37270779667751dd0ef109350f3c0e7f8c0bdc38354a4b9b381f04bdae7ec10
MD5 hash:
61b0a2d09047c562cb5bd1d29cae6f3e
SHA1 hash:
b069733cc6c673764b4d98747ba33e2dd14db4b0
Link:
https://www.unpac.me/results/203f7226-987c-497c-9d59-061eb7883373/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f37270779667/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f37270779667751dd0ef109350f3c0e7f8c0bdc38354a4b9b381f04bdae7ec10

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe f37270779667751dd0ef109350f3c0e7f8c0bdc38354a4b9b381f04bdae7ec10

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3624255/
Cape
Cape
https://www.capesandbox.com/analysis/27448/

Comments