MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b491c48b9be2a68202ac644589f0dfe57bbf00abef12ee4d57c7839e7933fcd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Amadey


Vendor detections: 12



SHA256 hash: 0b491c48b9be2a68202ac644589f0dfe57bbf00abef12ee4d57c7839e7933fcd
SHA3-384 hash: 7b533fefb93ea963fc0652173893d055d185024bcd6b87ae811dcfaca630d5adae9840fe51ea1a55f5459c9072a18a3f
SHA1 hash: 15eb7c26a04fdde1d7829c4df22e8db312c251e0
MD5 hash: c1908aa1d46e5e976a27d5c66378a6fb
humanhash: georgia-romeo-moon-jupiter
File name: file
Signature: Amadey
File size: 1'595'392 bytes
First seen: 2025-12-29 09:17:33 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
ssdeep: 24576:+9cVA6kxP2VV1eatHh48Q4XmWkXP34xDDKx0HPDPOI5OPUiby8Ca:+HHUG41W0Hr15OTy8C
TLSH: T1B9756B057B9CD711C429033049BE8725E336AEB98293F74F1A88BEF46C7B394691E653
TrID:
  39.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  24.9% (.EXE) Win64 Executable (generic) (10522/11/4)
  11.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
  4.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
  4.8% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
dhash icon: 88e4b697f6cadaf2 (1 x Amadey)
Reporter: Bitsight
Tags: Amadey dropped-by-gcleaner exe G US.file


Bitsight
url: http://194.38.20.224/service

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://93.152.230.9/h8jfdmdWS/index.php
ThreatFox reference: https://threatfox.abuse.ch/ioc/1687957/

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 238
Origin country: US
Vendor Threat Intelligence

Malware configuration found for: SmartAssembly
Details: SmartAssembly (decrypted strings and a SmartAssembly version number)

Malware family: n/a
ID: 1
File name: _0b491c48b9be2a68202ac644589f0dfe57bbf00abef12ee4d57c7839e7933fcd.exe
Verdict: Suspicious activity
Analysis date: 2025-12-29 09:21:29 UTC
Tags: github
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 91.7%
Tags: virus

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-debug anti-vm base64 crypt expired-cert fingerprint obfuscated packed

Verdict: Clean
File type: exe x64
First seen: 2025-12-29T06:32:00Z UTC
Last seen: 2025-12-29T06:51:00Z UTC
Hits: ~10

Verdict: inconclusive
YARA: 5 match(es)
Tags: .Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.38 Win 64 Exe x64

Threat name: ByteCode-MSIL.Trojan.Amadey
Status: Malicious
First seen: 2025-12-29 09:18:15 UTC
File type: PE+ (.Net Exe)
Extracted files: 20
AV detection: 9 of 24 (37.50%)
Threat level: 5/5

Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour:
  Suspicious use of AdjustPrivilegeToken
  Legitimate hosting services abused for malware hosting/C2

Verdict: Suspicious
Tags: n/a
YARA: n/a

Unpacked files
SHA256: 0b491c48b9be2a68202ac644589f0dfe57bbf00abef12ee4d57c7839e7933fcd  MD5: c1908aa1d46e5e976a27d5c66378a6fb  SHA1: 15eb7c26a04fdde1d7829c4df22e8db312c251e0
SHA256: 48c2ce16df967826945ac080a4405fff11733ae917be0c883a98015ac7183a7e  MD5: 067b8e9fe70c0d819b96ba110a1d2304  SHA1: 5fedf348b53d769b4217b0b7953bd5221d42bd56
SHA256: 62f67289d7ae00d89a76a3d8baf6882862f3e0043125aeba49eaa7988828ec01  MD5: 6dc447896cacefae34b6484acb58fd7f  SHA1: 314b0bbe2232178a1a20edeecedfcafea9e9576f
SHA256: 7d591609174dcf672e9c8e3426242a2b5feb1a00bbaf274a4470cf5a5520ba44  MD5: 8518eeba7b6ad5bf63d1f63f85f5a3ae  SHA1: b95599b67e4ec0a0e11178822bd0844e02e655e5

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF and Mach-O binaries

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects the string 'encrypted' in ASCII, Unicode, base64 or hex-encoded form

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: pe_no_import_table
Description: Detects PE files that have no import table

Rule name: RANSOMWARE
Author: ToroGuitar

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD commands that can be abused by threat actors (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Signature: Amadey
File: Executable exe 0b491c48b9be2a68202ac644589f0dfe57bbf00abef12ee4d57c7839e7933fcd (this sample)
Dropped by: Gcleaner
Delivery method: Web download (distributed via web download)
