MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1626d048d160be512ed5e4e9755c924980a09d1759216ff3ea2966a0347d0ce7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Amadey


Vendor detections: 19



SHA256 hash: 1626d048d160be512ed5e4e9755c924980a09d1759216ff3ea2966a0347d0ce7
SHA3-384 hash: da6de3474a8bf5e30a8a95ece7246c7176f24af31f2d01fb7274b435ab9ac0b7ad469d7e324e96a347e1220906ab2b9a
SHA1 hash: 9a0d9ecd99ae139c063b12c5f6ad1dbf5ede0aee
MD5 hash: ea4074142cbc09d33f8a6a065f02cbf4
humanhash: winner-alpha-foxtrot-oregon
File name: ea4074142cbc09d33f8a6a065f02cbf4.exe
Download: download sample
Signature: Amadey
File size: 1'094'656 bytes
First seen: 2025-08-16 18:20:31 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:EwVOxM9O9z6Ywu2j/7McRqyHiJ99unipdBkMgQex9edMNRJM:NVOc/wcR5HizgB94MzJ
TLSH T1173533ED8B4442D8DE36B37F9EF3E88A18A966AE5C63F117B507134A413D315CA09BD0
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags: Amadey cnr-software-ru exe


abuse_ch
Amadey C2:
http://telemetrywatson.live/b9kdj3s3C2/index.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://telemetrywatson.live/b9kdj3s3C2/index.php
ThreatFox reference: https://threatfox.abuse.ch/ioc/1570058/

Intelligence


File Origin
# of uploads:
1
# of downloads:
119
Origin country:
NL
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
ea4074142cbc09d33f8a6a065f02cbf4.exe
Verdict:
Malicious activity
Analysis date:
2025-08-16 18:21:18 UTC
Tags:
auto-startup amadey botnet stealer loader auto-reg rdp purecrypter github miner netreactor pureminer xmrig

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
96.5%
Tags:
obfuscate autorun xtreme virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Creating a file
Creating synchronization primitives
Connection attempt to an infection source
Sending a custom TCP request
Query of malicious DNS domain
Enabling autorun by creating a file
Unauthorized injection to a system process
Sending an HTTP POST request to an infection source
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
base64 net_reactor obfuscated packed
Result
Threat name:
Amadey, PureLog Stealer, ResolverRAT, Xm
Detection:
malicious
Classification:
troj.spyw.expl.evad.mine
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Drops VBS files to the startup folder
Encrypted powershell cmdline option found
Found malware configuration
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sets debug register (to hijack the execution of another thread)
Sigma detected: Drops script at startup location
Sigma detected: Potential Crypto Mining Activity
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: WScript or CScript Dropper
Sigma detected: Xmrig
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Yara detected ResolverRAT
Yara detected Xmrig cryptocurrency miner
Yara Genericmalware
Behaviour
Behavior Graph: [Joe Sandbox behavior graph, ID 1758430, sample 6FlauqC1HS.exe, start date 16/08/2025, architecture WINDOWS, score 100; the rendered process tree with its network, dropped-file and signature nodes is not reproduced here]
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.96 Win 32 Exe x86
Threat name:
ByteCode-MSIL.Trojan.LummaStealer
Status:
Malicious
First seen:
2025-08-10 00:48:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
27 of 38 (71.05%)
Threat level:
5/5
Verdict:
malicious
Label(s):
Similar samples:
Result
Malware family:
Score:
10/10
Tags:
family:amadey botnet:58f169 defense_evasion discovery execution persistence trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Enumerates connected drives
Checks computer location settings
Drops startup file
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Modifies trusted root certificate store through registry
Amadey
Amadey family
Unpacked files
SHA256 hash:
1626d048d160be512ed5e4e9755c924980a09d1759216ff3ea2966a0347d0ce7
MD5 hash:
ea4074142cbc09d33f8a6a065f02cbf4
SHA1 hash:
9a0d9ecd99ae139c063b12c5f6ad1dbf5ede0aee
SHA256 hash:
d22d0f510fbde831b908f99b7470abe320a57706fad033e2eb4cf34a679b2946
MD5 hash:
963d1c4fa2442979ae52f20e27287f97
SHA1 hash:
22c51652f534045dcb8333e484e3bbaf9506fc3c
SHA256 hash:
19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash:
4e29f75c0c51b9dec76955f0382d9541
SHA1 hash:
4899aa8e3f57339cbaec8faab777897a76fe1c3a
SHA256 hash:
ddd4049ee86c20792f6c8a1d1cbedbc6aaaadd90a199ac3de3be6db37373f012
MD5 hash:
eaae10d7fa306893318a0f7162ba4bcf
SHA1 hash:
6598c340aad47818cc3a6707fcdec2342d119b5d
SHA256 hash:
4e441f92766efc2d3a6a9155161782e2601fde20c1566cda5b9a74b91969de09
MD5 hash:
a965b011529dfeb0e3091a597232dc6c
SHA1 hash:
8b4c1530c58fba4d8b5531be82afa2a546f24d1d
Detections:
Amadey
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through base64 encoded powershell script.
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: MAL_Win_Amadey_Jun25
Author: 0x0d4y
Description: This rule detects intrinsic patterns of Amadey version 5.34
Reference: https://0x0d4y.blog/amadey-targeted-analysis/
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: NET
Author: malware-lu
Rule name: pe_detect_tls_callbacks
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May Contain (Obfuscated or no) Powershell or CMD Command that can be abused by threat actor (can create FP)
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: win_amadey_062025
Author: 0x0d4y
Description: This rule detects intrinsic patterns of Amadey version 5.34.
Reference: https://0x0d4y.blog/amadey-targeted-analysis/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (GUARD_CF) | high

Comments