MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe6f7c114d99eab00ed0f31758fb1ccf29b34f4c7bbf12769a87070fb5d88a8e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 15


Intelligence 15 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fe6f7c114d99eab00ed0f31758fb1ccf29b34f4c7bbf12769a87070fb5d88a8e
SHA3-384 hash: ce57beb8f27f93d56575086af4c6f5120a25afb444bb27f14ea2dd6f8523a1463e2d65eb35f0f4b5aac4f1741977498c
SHA1 hash: fc3298a9d68214ae7e031f3f9b3b1954e57fa56a
MD5 hash: 77b65bd0ad4912d259b995fb8d739d59
humanhash: king-florida-echo-london
File name:file
Download: download sample
File size:3'953'152 bytes
First seen:2025-09-28 04:05:53 UTC
Last seen:2025-09-30 04:07:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 49152:ybomj+8bUWeTvzA8deeD9z1KEJKg8te02wzCzEmmdGKKNm5xkbjdJ:ybomjnxG3GEJ4mwTsbM
Threatray 52 similar samples on MalwareBazaar
TLSH T19D064C53EB8B5AA2D2407B7EC6FB48136370E543A313D72B7A4A635D980B7A71F08153
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe


Avatar
Bitsight
url: http://178.16.55.189/files/7777332283/JZgLiJg.exe

Intelligence

File Origin
# of uploads :
12
# of downloads :
88
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
random.exe
Verdict:
Malicious activity
Analysis date:
2025-09-27 21:44:55 UTC
Tags:
amadey auto redline stealer botnet auto-reg loader unlocker-eject tool vidar themida generic rdp stealc arch-exec gcleaner auto-startup ultravnc rmm-tool screenconnect autoit lumma phishing anti-evasion rhadamanthys
Link:
https://app.any.run/tasks/1673fce5-2d10-45c3-b528-20ad9ea2d14c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/29307/
Verdict:
Malicious
Score:
94.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68d8b44dfb8bc5050e4f1fd2
Tags:
virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
amadey anti-vm base64 fingerprint net_reactor obfuscated packed purelogs unsafe
Link:
https://www.filescan.io/uploads/68d8b44f74e5a28989966a42/reports/094866ab-ade8-4857-90c7-06054e12fc5e/overview
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/fe6f7c114d99eab00ed0f31758fb1ccf29b34f4c7bbf12769a87070fb5d88a8e
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-27T19:04:00Z UTC
Last seen:
2025-09-27T19:04:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/fe6f7c114d99eab00ed0f31758fb1ccf29b34f4c7bbf12769a87070fb5d88a8e/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/354d3a3d-f876-4ecb-a154-8764220595f9
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/fe6f7c114d99eab00ed0f31758fb1ccf29b34f4c7bbf12769a87070fb5d88a8e
Verdict:
Malware
YARA:
12 match(es)
Tags:
.Net .Net Obfuscator .Net Reactor Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.28 Win 32 Exe x86
Link:
https://app.malva.re/file/77b65bd0ad4912d259b995fb8d739d59
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fe6f7c114d99eab00ed0f31758fb1ccf29b34f4c7bbf12769a87070fb5d88a8e/
Threat name:
Win32.Trojan.Jalapeno
Create hunting rule
Status:
Malicious
First seen:
2025-09-27 22:59:15 UTC
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7zxxyeknthvladwq6mlvr6y4z4u3gt2mpo7re5u2q4dq7noyrkha._file
Verdict:
malicious
Label(s):
katzstealer
Create hunting rule
Similar samples:
1b4a27465a2fc0ec65d36590d7a4c7b94dabb9152e2a8fa9e6aa83a9d7e340b0
252adea6ee9da3c00b53667295d5ce774e827f3c5d5f300d223c71c202d18c16
49da831fdd4b8116e9ba67cf872f49593e35d05b6b9a8c8f6e12afe6157b80fb
6286cf6a7653c3bd92c6cf8f159324abda4a33cd9df6cd9c44813afdcaba96f4
901d6191e8bf99cf1a2a6b770519d18b82875294e95a55d1e87e42ef8bad213a
a1638a6e9d55a06c4fe43c738950b84a01f43f7883f1bd06bb2cbb60f02c87d2
error
+ 42 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/250928-epk3jswxay/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/da67ee6a-f601-44bc-bdae-cab4daea8d7b
Unpacked files
SH256 hash:
fe6f7c114d99eab00ed0f31758fb1ccf29b34f4c7bbf12769a87070fb5d88a8e
MD5 hash:
77b65bd0ad4912d259b995fb8d739d59
SHA1 hash:
fc3298a9d68214ae7e031f3f9b3b1954e57fa56a
Link:
https://www.unpac.me/results/45a8e090-92bb-4e8a-9911-1c934d358970/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fe6f7c114d99eab00ed0f31758fb1ccf29b34f4c7bbf12769a87070fb5d88a8e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Lumma_Stealer_Detection
Create hunting rule
Author:ashizZz
Description:Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe fe6f7c114d99eab00ed0f31758fb1ccf29b34f4c7bbf12769a87070fb5d88a8e

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3633070/
Cape
Cape
https://www.capesandbox.com/analysis/29307/

Comments