MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16df3e9b71970d96a72495b3a51e4430fb3cae6943bc4097a8debb8efa28e081. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Amadey
Vendor detections: 18

SHA256 hash: 16df3e9b71970d96a72495b3a51e4430fb3cae6943bc4097a8debb8efa28e081
SHA3-384 hash: 7fa5ab93d926ea271c06c98891e291e5c28b44a68ff3ae3c2f02f4b921f32b8291c601e13a57f7d50972111608a183eb
SHA1 hash: 833ec696928b0c240340160bd02effce5f6634e0
MD5 hash: 7bb7022413b39959eecfab8dc02b6cd0
humanhash: bakerloo-jig-cola-virginia
File name: random.exe
Download: download sample
Signature: Amadey
File size: 4'940'800 bytes
First seen: 2025-04-29 06:29:35 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep: 98304:YiKdYx7s7GeVF/hw7yctrDMwQxjTs6ygNRTqGuz16tNlnxQAxQgHnm3t:Yirx7Be7avrDMwQx9RfuzMlVxnHm3t
TLSH: T1AB36332FABD84929F43E03F154F712D22B30B8E5EE64568FA9538C561A31384A37177E
TrID: 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      12.7% (.EXE) Win64 Executable (generic) (10522/11/4)
      7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika: pebin
dhash icon: f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter: abuse_ch
Tags: Amadey exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 439
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID: 1
File name: random.exe
Verdict: Malicious activity
Analysis date: 2025-04-29 07:12:37 UTC
Tags: lumma stealer amadey botnet auto loader arch-exec purecrypter purelogs upatre telegram generic rdp rat quasar remote

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: enigmaprotector phishing autorun emotet
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating synchronization primitives
Creating a file
Creating a window
Searching for synchronization primitives
Running batch commands
Launching a process
Launching a service
Searching for analyzing tools
Connection attempt
Sending an HTTP POST request
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Query of malicious DNS domain
Enabling autorun by creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: CAB crypt entropy explorer installer lolbin lolbin microsoft_visual_cc packed packed packer_detected rat redcap rundll32 runonce sfx virtual xpack
Result
Threat name: Amadey, LummaC Stealer
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Detected unpacking (changes PE section rights)
Drops password protected ZIP file
Found malware configuration
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: PUA - NSudo Execution
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Uses cmd line tools excessively to alter registry or file data
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 1677014
Sample: random.exe
Start date: 29/04/2025
Architecture: WINDOWS
Score: 100

Process tree recovered from the behavior graph (node numbers in brackets are the graph's own; "..." in file paths is the report's own elision):

[2] Sample root
    DNS/IP: zenithcorde.top; clarmodq.top
    Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for URL or domain; 14 other signatures
    Started: random.exe [13]; saved.exe [16]

[13] random.exe
    Dropped: C:\Users\user\AppData\Local\...\J2h70.exe (PE32); C:\Users\user\AppData\Local\...\3z24g.exe (PE32)
    Started: J2h70.exe [20]; 3z24g.exe [24]

[16] saved.exe
    DNS/IP: 185.39.17.163, ports 49683, 49685, 49687 (RU-TAGNET-ASRU, Russian Federation)
    Signatures: Contains functionality to start a terminal service

[20] J2h70.exe
    Dropped: C:\Users\user\AppData\Local\...\2h9616.exe (PE32); C:\Users\user\AppData\Local\...\1G17p6.exe (PE32)
    Signatures: Antivirus detection for dropped file
    Started: 1G17p6.exe [27]; 2h9616.exe [31]

[24] 3z24g.exe
    DNS/IP: 185.39.17.162, ports 49701, 80 (RU-TAGNET-ASRU, Russian Federation); zenithcorde.top -> 104.21.51.232, ports 443, 49682, 49684 (CLOUDFLARENETUS, United States)
    Dropped: C:\Users\...\DH5GEY4KQTWIS3ZS75S4TEP9AW62.exe (PE32)
    Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 11 other signatures

[27] 1G17p6.exe
    Dropped: C:\Users\user\AppData\Local\...\nircmd.exe (PE32+); C:\Users\user\AppData\Local\...\cecho.exe (PE32); C:\Users\user\AppData\Local\...71SudoLG.exe (PE32+); 2 other malicious files
    Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Contains functionality to detect sleep reduction / modifications
    Started: cmd.exe [33]

[31] 2h9616.exe
    Dropped: C:\Users\user\AppData\Local\...\saved.exe (PE32)
    Signatures: Contains functionality to start a terminal service; Contains functionality to inject code into remote processes
    Started: saved.exe [36]

[33] cmd.exe
    Signatures: Uses cmd line tools excessively to alter registry or file data
    Started: cmd.exe [38]; conhost.exe [41]

[36] saved.exe
    Signatures: Multi AV Scanner detection for dropped file; Contains functionality to start a terminal service

[38] cmd.exe
    Signatures: Uses cmd line tools excessively to alter registry or file data
    Started: Unlocker.exe [43]; 7z.exe [46]; cmd.exe [49]; 31 other processes [51]

[43] Unlocker.exe
    Signatures: Multi AV Scanner detection for dropped file
    Started: cmd.exe [53]

[46] 7z.exe
    Dropped: C:\Users\user\AppData\Local\...\Unlocker.exe (PE32)

[49] cmd.exe
    Started: tasklist.exe [55]

[53] cmd.exe
    Started: conhost.exe [57]; sc.exe [59]
Threat name: Win32.Trojan.Whispergate
Status: Malicious
First seen: 2025-04-29 06:30:23 UTC
File Type: PE (Exe)
Extracted files: 129
AV detection: 21 of 24 (87.50%)
Threat level: 5/5
Verdict: malicious
Label(s): admintool_nsudo amadey
Similar samples:
Result
Malware family:
Score: 10/10
Tags: family:amadey botnet:f272e9 discovery persistence trojan
Behaviour
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Launches sc.exe
Enumerates processes with tasklist
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Amadey
Amadey family
Malware Config
C2 Extraction: http://185.39.17.163
Verdict: Malicious
Tags: stealer redline Win.Trojan.Scar-6903585-0
YARA: win_redline_wextract_hunting_oct_2023
Unpacked files
SHA256 hash: 16df3e9b71970d96a72495b3a51e4430fb3cae6943bc4097a8debb8efa28e081
MD5 hash: 7bb7022413b39959eecfab8dc02b6cd0
SHA1 hash: 833ec696928b0c240340160bd02effce5f6634e0

SHA256 hash: 70c9fb75ce201f6fe24eef0bf888449aad00afdb09edf9f3c27a071f518c82d2
MD5 hash: 16547961dfddf3ecb95d431053c044b6
SHA1 hash: 491b804a9a30d8fb8f437208f217b1ded257bf4c

SHA256 hash: e328a50a7e49364325354165d90b1893a1a05d81bfa3872f982c76152e1bb00f
MD5 hash: 582a3691c9a3712743aefa8651bf484a
SHA1 hash: 8675193bd56aef61182ff725479671c8b29736fe
Detections: Amadey

SHA256 hash: 50db9f1b8d6a4f75f42fc5027fa5b0aaa6b67af8a5483872119561b73f6eb4d8
MD5 hash: d1a68dafa226ba23c5b9238f5f7fc476
SHA1 hash: 32090ebb534ada00db096d808d521e6c35de01a6

SHA256 hash: 6921a0a1fe5f6ed02257b236d566c13d05ba4d62a65b9988c7f5334c974dbab6
MD5 hash: b58fa5744611ba45cb35fa2b165cdf0a
SHA1 hash: 9f740c2d4b094628c933841b5c38eb44bffc4ed4

SHA256 hash: cf878bfbd9ed93dc551ac038aff8a8bba4c935ddf8d48e62122bddfdb3e08567
MD5 hash: 426ccb645e50a3143811cfa0e42e2ba6
SHA1 hash: 3c17e212a5fdf25847bc895460f55819bf48b11d
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: detect_Redline_Stealer
Author: Varp0s

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: win_redline_wextract_hunting_oct_2023
Author: Matthew @ Embee_Research
Description: Detects wextract archives related to redline/amadey

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download | Amadey | Executable exe 16df3e9b71970d96a72495b3a51e4430fb3cae6943bc4097a8debb8efa28e081 (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings (ID / Title / Severity)
CHECK_AUTHENTICODE / Missing Authenticode / high
CHECK_DLL_CHARACTERISTICS / Missing dll Security Characteristics (HIGH_ENTROPY_VA) / high

Reviews (ID / Capabilities / Evidence)
AUTH_API / Manipulates User Authorization
    ADVAPI32.dll::AllocateAndInitializeSid
    ADVAPI32.dll::EqualSid
    ADVAPI32.dll::FreeSid
SECURITY_BASE_API / Uses Security Base API
    ADVAPI32.dll::AdjustTokenPrivileges
    ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_API / Can Create Process and Threads
    KERNEL32.dll::CreateProcessA
    ADVAPI32.dll::OpenProcessToken
    KERNEL32.dll::CloseHandle
    KERNEL32.dll::CreateThread
WIN_BASE_API / Uses Win Base API
    KERNEL32.dll::TerminateProcess
    KERNEL32.dll::LoadLibraryA
    KERNEL32.dll::LoadLibraryExA
    KERNEL32.dll::GetDriveTypeA
    KERNEL32.dll::GetVolumeInformationA
    KERNEL32.dll::GetSystemInfo
WIN_BASE_IO_API / Can Create Files
    KERNEL32.dll::CreateDirectoryA
    KERNEL32.dll::CreateFileA
    KERNEL32.dll::DeleteFileA
    KERNEL32.dll::GetWindowsDirectoryA
    KERNEL32.dll::GetSystemDirectoryA
    KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_API / Retrieves Account Information
    ADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_API / Can Manipulate Windows Registry
    ADVAPI32.dll::RegCreateKeyExA
    ADVAPI32.dll::RegOpenKeyExA
    ADVAPI32.dll::RegQueryInfoKeyA
    ADVAPI32.dll::RegQueryValueExA
    ADVAPI32.dll::RegSetValueExA
WIN_USER_API / Performs GUI Actions
    USER32.dll::PeekMessageA

Comments