MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd55f42200ffdf235c86b4364309426823e28b1c2e0723ddf9b35eac8062c7d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 14

Intelligence 14 IOCs YARA 10 File information Comments

SHA256 hash:	fd55f42200ffdf235c86b4364309426823e28b1c2e0723ddf9b35eac8062c7d7
SHA3-384 hash:	76be250acedbdcd6554fe85c30b005320e6afad70eb8f9571d314918cf146a6fb3cc3549f725ab335f587a65606725d3
SHA1 hash:	d2922617c25c375580e427ea8da98651fb9ec38d
MD5 hash:	cafdf7807836a7f285bdc85f47efd657
humanhash:	louisiana-east-maine-florida
File name:	file
Download:	download sample
File size:	420'664 bytes
First seen:	2025-11-13 22:12:56 UTC
Last seen:	2025-11-14 02:28:00 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	eaed6c102723330cc21072da5f916b52
ssdeep	6144:PUDuubOlSndLNGrVOPD6E76O8UWZfqfnusdCZYCjU:ruuUG4PGEGO8QPHMJjU
Threatray	1'585 similar samples on MalwareBazaar
TLSH	T1B5947D22F7955CF9D05BC07483528572AA72B8CA0B21E9EF03A842252F66BF15F3DF15
TrID	48.7% (.EXE) Win64 Executable (generic) (10522/11/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey exe fbf543 signed

Code Signing Certificate

Organisation:	XEcNqI5B
Issuer:	XEcNqI5B
Algorithm:	sha256WithRSAEncryption
Valid from:	2025-11-13T18:08:53Z
Valid to:	2026-11-13T18:18:53Z
Serial number:	32f66f1211bd048c438704171102933b
Thumbprint Algorithm:	SHA256
Thumbprint:	c66313f907ec403c3d6bbc5f3bb51724de781cc3d0422d026e42f5657b08d818
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Bitsight

url: http://178.16.54.200/files/6437444697/HGkGL9M.exe

Intelligence

File Origin

# of uploads :

# of downloads :

114

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

_fd55f42200ffdf235c86b4364309426823e28b1c2e0723ddf9b35eac8062c7d7.exe

Verdict:

Malicious activity

Analysis date:

2025-11-13 22:13:59 UTC

Tags:

anti-evasion

Link:

https://app.any.run/tasks/b5fa85a9-6617-4d34-a628-26c61c7a2a61

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/38154/

Detection(s):

SecuriteInfo.com.Win64.MalwareX-gen.28287627.UNOFFICIAL

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69165802bdb0ec3a9dc110ba

Tags:

obfuscate xtreme keylog

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Setting a global event handler

Setting a global event handler for the keyboard

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

adaptive-context anti-debug anti-vm fingerprint keylogger microsoft_visual_cc packed signed

Link:

https://www.filescan.io/uploads/691657fecaa454a592de2616/reports/6bef93ea-19e4-4e96-b75e-5c770a355713/overview

Verdict:

Malicious

Labled as:

Win64/Agent.HED trojan

Link:

https://www.hybrid-analysis.com/sample/fd55f42200ffdf235c86b4364309426823e28b1c2e0723ddf9b35eac8062c7d7

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-11-13T19:27:00Z UTC

Last seen:

2025-11-14T10:24:00Z UTC

Hits:

~10

Detections:

UDS:DangerousObject.Multi.Generic

Link:

https://opentip.kaspersky.com/fd55f42200ffdf235c86b4364309426823e28b1c2e0723ddf9b35eac8062c7d7/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/8d5d2459-e4f2-4dd7-97cb-117f7b4bf7a2

Score:

91%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/fd55f42200ffdf235c86b4364309426823e28b1c2e0723ddf9b35eac8062c7d7

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/cafdf7807836a7f285bdc85f47efd657

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fd55f42200ffdf235c86b4364309426823e28b1c2e0723ddf9b35eac8062c7d7/

Verdict:

Malicious

Threat:

Win64.Malware.Generic

Link:

https://tip.neiki.dev/file/fd55f42200ffdf235c86b4364309426823e28b1c2e0723ddf9b35eac8062c7d7

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2025-11-13 22:13:22 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

13 of 24 (54.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7vk7iiqa77psgxegwq3egckcnar6fcy4fydshxpzwnpkzadcy7lq._file

Verdict:

malicious

Label(s):

donutloader

1826267238e6d603aa8c6db5c6d968da2cb2e6d522e6b92382170cbb6e098e28

22ae13fc1d21ebc4318bd2877ffb4d0c8c059c4bc854cc00c6cbeac802effa6e

2b335a385b69f1ffff16b7d7524e3c7364d3ee92f75df381ac8d8d61982460e2

2fe4e0a7ee928ab312637f4734a3b66038f12fb48415e5675c345431fac3c021

3a57f82d02aaa3c531f6efa0aa848695a144279edc3bce4cb9f162e42d5f85e3

5cb824080cc6e21d39b6605ea6238ec3c723c7043fbb1af3379ba198586ff088

888356a703073d1533a01199c352ed4bbea51116af640f7f6f381bd89a97c888

e8b05b6c791084833dfefa39c4bdde806c64e0a4ece9e9658caf6f74651606b2

error

+ 1'575 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

9/10

Tags:

defense_evasion

Link:

https://tria.ge/reports/251113-148m2sxmer/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Looks for VMWare drivers on disk

Enumerates VirtualBox DLL files

Looks for VirtualBox drivers on disk

Looks for VirtualBox executables on disk

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/fa8e0827-14e0-477e-b6fa-0339055811c0

Unpacked files

SH256 hash:

fd55f42200ffdf235c86b4364309426823e28b1c2e0723ddf9b35eac8062c7d7

MD5 hash:

cafdf7807836a7f285bdc85f47efd657

SHA1 hash:

d2922617c25c375580e427ea8da98651fb9ec38d

Link:

https://www.unpac.me/results/aa6e0007-259a-470e-9b8f-d80f84e837e4/

Malware family:

DonutLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/fd55f42200ff/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.16

Link:

https://yomi.yoroi.company/submissions/fd55f42200ffdf235c86b4364309426823e28b1c2e0723ddf9b35eac8062c7d7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_Debugger Create hunting rule

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__RemoteAPI Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe fd55f42200ffdf235c86b4364309426823e28b1c2e0723ddf9b35eac8062c7d7

(this sample)

Dropped by

Amadey

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3704773/

Cape

https://www.capesandbox.com/analysis/38154/

URLhaus

https://urlhaus.abuse.ch/url/3704842/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample