MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ca3bd578610e0bba109b59ad835e530ce55478f68c14ae5026f7ed86ac334c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Amadey


Vendor detections: 18



SHA256 hash: 0ca3bd578610e0bba109b59ad835e530ce55478f68c14ae5026f7ed86ac334c2
SHA3-384 hash: cde025eac4195b3fca4708df3bc76e17fd12b141b8eaf98174396ee121be0911debb95f98bee6553e27c8173480a3fd7
SHA1 hash: 19a3a8b122817fc1ef7f09e98d080dc28fc82414
MD5 hash: 5a4986d664e5088868835d0f137fcfcf
humanhash: mexico-salami-golf-mountain
File name: random.exe
Signature: Amadey
File size: 1'899'008 bytes
First seen: 2025-01-29 14:37:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:sye536u8PMh0miz2H4Acs/OSLR+VHYztHWlgDPhGi3Zf1k:sye53MPMmzJAcsm+eHAt2laJfG
Threatray 1 similar samples on MalwareBazaar
TLSH T1F295333713439891C22CB9F7A69C593D73FB870AA60DB1568B658048EE37ED1322FC25
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter aachum
Tags: 9c9aa5 Amadey exe


iamaachum
185.215.113.16/mine/random.exe

Amadey Botnet: 9c9aa5
Amadey C2: http://185.215.113.43/Zu7JuNko/index.php

Intelligence


File Origin
# of uploads :
1
# of downloads :
423
Origin country :
ES
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
http://185.215.113.16/soka/random.exe
Verdict:
Malicious activity
Analysis date:
2025-01-29 13:50:33 UTC
Tags:
amadey botnet stealer loader stealc cryptbot themida lumma gcleaner evasion github purecrypter credentialflusher auto generic rat quasar remote antivm xworm autoit telegram asyncrat

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
97.4%
Tags:
vmdetect autorun emotet spam
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Searching for analyzing tools
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
anti-vm microsoft_visual_cc packed packed packer_detected
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Amadey, LummaC Stealer, PureLog Stealer
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates HTA files
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Potentially Suspicious Child Process Of Regsvr32
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Sigma detected: Powershell launch regsvr32
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to download and execute files (via powershell)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to resolve many domain names, but no domain seems valid
Tries to steal Crypto Currency Wallets
Uses Register-ScheduledTask to add task schedules
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected LummaC Stealer
Yara detected obfuscated html page
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected Stealc
Yara detected zgRAT
Behaviour
Behavior Graph:
[Behavior graph not reproduced here. Graph ID: 1602215; sample: random.exe; start date: 29/01/2025; architecture: WINDOWS; score: 100]
Threat name:
Win32.Ransomware.StealC
Status:
Malicious
First seen:
2025-01-29 14:38:05 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
21 of 24 (87.50%)
Threat level:
5/5
Result
Malware family:
Score:
10/10
Tags:
family:amadey botnet:9c9aa5 defense_evasion discovery trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
Malware Config
C2 Extraction:
http://185.215.113.43
Unpacked files
SHA256 hash:
6f1443720ae3c2214582cbcf513eebdeb325be6b57b0ee604ecc484d8a171b1e
MD5 hash:
a659f29207e0014bd415611dd0f73cfe
SHA1 hash:
45c1228af8b732bf5ff62b90569251e01c6343f3
Detections:
Amadey win_amadey
SHA256 hash:
0ca3bd578610e0bba109b59ad835e530ce55478f68c14ae5026f7ed86ac334c2
MD5 hash:
5a4986d664e5088868835d0f137fcfcf
SHA1 hash:
19a3a8b122817fc1ef7f09e98d080dc28fc82414
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Amadey
Author: kevoreilly
Description: Amadey Payload
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: pe_detect_tls_callbacks
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques
Rule name: Windows_Generic_Threat_1f2e969c
Author: Elastic Security
Rule name: win_amadey_a9f4
Author: Johannes Bader
Description: matches unpacked Amadey samples

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 0ca3bd578610e0bba109b59ad835e530ce55478f68c14ae5026f7ed86ac334c2 (this sample)

Dropped by: Amadey
Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
ID: CHECK_AUTHENTICODE
Title: Missing Authenticode
Severity: high

ID: CHECK_DLL_CHARACTERISTICS
Title: Missing dll Security Characteristics (HIGH_ENTROPY_VA)
Severity: high

ID: CHECK_NX
Title: Missing Non-Executable Memory Protection
Severity: critical

Comments