MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12df5f413434f02531f88b0727b96ae8d4ed3c278fc81583dbfd4c0145b43e74. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Amadey


Vendor detections: 19



SHA256 hash: 12df5f413434f02531f88b0727b96ae8d4ed3c278fc81583dbfd4c0145b43e74
SHA3-384 hash: 179e48e708d57add5d6222ebec121c0f35951e2bbe15012c87e4e6f1bbb5a4cdb7e48e6ec99e9703d2ea3b1172aab601
SHA1 hash: af82d1c612dc47fb72a4798cbc42057bcc941602
MD5 hash: 7638e458b00be1a00936ab9419267621
humanhash: apart-happy-whiskey-spaghetti
File name: file
Signature: Amadey
File size: 3'312'128 bytes
First seen: 2025-01-07 09:05:48 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:BTMxAHE1CwGlAyzR/Bl2fkYdE7u4oUkJrYWH4w7rsF:BBk1hGlAyzR/BwfkYdE64w4
TLSH T19BE52B61E41D71CFD48E1AF4B517CE86799E72B9472248C39868B8FA7DB3DC021B9C24
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter Bitsight
Tags: Amadey exe


Bitsight
url: http://185.215.113.16/mine/random.exe

Intelligence


File Origin
# of uploads :
1
# of downloads :
455
Origin country :
US
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2025-01-07 09:09:06 UTC
Tags:
amadey botnet stealer loader lumma autoit rat asyncrat remote stealc tofsee themida auto generic gcleaner credentialflusher evasion

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Tags:
vmdetect autorun autoit spam
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
anti-vm anti-vm evasive fingerprint microsoft_visual_cc packed packed packer_detected
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Amadey, Babadeda, LummaC Stealer, Povert
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to start a terminal service
Creates HTA files
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Powershell drops PE file
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: Suspicious MSHTA Child Process
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to download and execute files (via powershell)
Tries to evade debugger and weak emulator (self modifying code)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Babadeda
Yara detected LummaC Stealer
Yara detected obfuscated html page
Yara detected Poverty Stealer
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Behaviour
Behavior Graph (ID 1585203):
Sample: file.exe
Start date: 07/01/2025
Architecture: WINDOWS
Score: 100
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for dropped file; 29 other signatures
Contacted domains / IPs: wholersorie.shop; undesirabkel.click; 13 other IPs or domains; 185.215.113.16 (ports 49816, 49843, 49884; WHOLESALECONNECTIONSNL, Portugal); 185.215.113.43 (ports 49793, 49809, 49840; WHOLESALECONNECTIONSNL, Portugal); 31.41.244.11 (ports 50017, 50019, 80; AEROEXPRESS-ASRU, Russian Federation); 127.0.0.1 (unknown)
Processes started: file.exe, skotes.exe, cmd.exe, conhost.exe, mshta.exe, powershell.exe, 1759c0aff4.exe, 483d2fa8a0d53818306efeb32d3.exe, plus further child processes of the same kinds
Files dropped: C:\Users\user\AppData\...\e14357a0aa.exe (PE32+); C:\Users\user\AppData\...\9a8f788f0d.exe (PE32); C:\Users\user\AppData\Local\...\mQvinTe.exe (PE32+); C:\Users\user\AppData\Local\...\skotes.exe (PE32); C:\Users\user\...\skotes.exe:Zone.Identifier (ASCII); C:\Users\...\483d2fa8a0d53818306efeb32d3.exe (PE32); C:\Users\user\AppData\Local\Temp\...\7B21.bat (ISO-8859); C:\Temp\random.hta (HTML); C:\Temp\CucWPjLzJ.txt (HTML); C:\Temp\erFIq31tw.txt (HTML); C:\Temp\WkYLwajB0.txt (HTML); C:\Temp\A9Dfw7SLp.txt (HTML); C:\Temp\CAvWBYtqI.txt (HTML); C:\Temp\w9dhIoFqs.txt (HTML); C:\Temp\.gif (HTML); 19 other malicious files
Per-process signatures in the graph: Creates multiple autostart registry keys; Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check); Detected unpacking (changes PE section rights); Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Tries to evade debugger and weak emulator (self modifying code); Tries to detect virtualization through RDTSC time measurements; Creates HTA files; Tries to detect process monitoring tools (Task Manager, Process Explorer etc.); Machine Learning detection for dropped file; Multi AV Scanner detection for dropped file; Suspicious powershell command line found; Tries to download and execute files (via powershell); Uses schtasks.exe or at.exe to add and modify task schedules; Powershell drops PE file; Antivirus detection for dropped file; Tries to detect sandboxes and other dynamic analysis tools (window names)
Threat name:
Win32.Trojan.Malgent
Status:
Malicious
First seen:
2025-01-07 09:06:05 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
23 of 24 (95.83%)
Threat level:
5/5
Verdict:
malicious
Label(s):
Similar samples:
Result
Malware family:
Score:
10/10
Tags:
family:amadey botnet:9c9aa5 discovery evasion trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
Malware Config
C2 Extraction:
http://185.215.113.43
Unpacked files
SHA256 hash:
0529c65a38699d5925efc7ebb5dee976a7aafca5d7c521a29ed12afba87d77af
MD5 hash:
13726e6bf007b176c249cadecb989ac0
SHA1 hash:
bc32a80c595f097f42bd2bfbe596c2eeae39898b
Detections:
Amadey win_amadey
SHA256 hash:
12df5f413434f02531f88b0727b96ae8d4ed3c278fc81583dbfd4c0145b43e74
MD5 hash:
7638e458b00be1a00936ab9419267621
SHA1 hash:
af82d1c612dc47fb72a4798cbc42057bcc941602
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:Amadey
Author:kevoreilly
Description:Amadey Payload
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Rule name:vmdetect
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Generic_Threat_1f2e969c
Author:Elastic Security
Rule name:win_amadey_a9f4
Author:Johannes Bader
Description:matches unpacked Amadey samples

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 12df5f413434f02531f88b0727b96ae8d4ed3c278fc81583dbfd4c0145b43e74 (this sample)

Dropped by: StealC

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_TRUST_INFO | Requires Elevated Execution (uiAccess:None) | high

Comments