MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a1572c3aa96c35ea02ad8fd2bfc3886bf5c3613c7877bc1e5385311078a6751. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Amadey


Vendor detections: 14



SHA256 hash: 1a1572c3aa96c35ea02ad8fd2bfc3886bf5c3613c7877bc1e5385311078a6751
SHA3-384 hash: 3a408d7550bbc0468ee9f7151b85523bc444fa13e8e675c308bd73a0cf9f210bccc144e5e6d21a68f385c86d24c590ac
SHA1 hash: 4d95f09ebace4dd55b8f51a538c0e57cdf8ac9e6
MD5 hash: c5755c3a37da95ca4b17861fe5ace4ce
humanhash: carbon-single-eighteen-ceiling
File name: random.exe
Signature: Amadey
File size: 1'863'168 bytes
First seen: 2025-02-01 20:34:52 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:iAfebvaCutoAQXft0Ks8ic8m9vJKgobV:df6aCwDbKs8aHp
Threatray 1 similar samples on MalwareBazaar
TLSH T1BE85330B6EB66D70C7820276D3D10F25A26407D3DE5BD2A9DFAB2017EE62F453BD6480
TrID 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter aachum
Tags: Amadey exe LummaStealer


iamaachum
http://185.215.113.16/luma/random.exe

Lumma C2: https://warlikedbeliev.org/api

Intelligence


File Origin
# of uploads: 1
# of downloads: 469
Origin country: ES
Vendor Threat Intelligence
Malware family:
ID: 1
File name: http://185.215.113.16/soka/random.exe
Verdict: Malicious activity
Analysis date: 2025-02-01 20:06:52 UTC
Tags: amadey botnet stealer loader stealc themida cryptbot lumma auto generic gcleaner telegram autoit evasion credentialflusher remote xworm redline lefthook rat asyncrat antivm ahk

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: vmdetect autorun autoit lien
Result
Verdict: Suspicious
Maliciousness:
Behaviour
Creating synchronization primitives
Searching for analyzing tools
Searching for the window
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-vm packed packed packer_detected
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Amadey, Credential Flusher, Cryptbot, Lu
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates HTA files
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Leaks process information
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Powershell drops PE file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to download and execute files (via powershell)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected Cryptbot
Yara detected LummaC Stealer
Yara detected obfuscated html page
Yara detected Powershell download and execute
Yara detected RedLine Stealer
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph: Behavior Graph ID 1604684, Sample: random.exe, Startdate: 01/02/2025, Architecture: WINDOWS, Score: 100 (graph image not reproduced here)
Verdict: malicious
Label(s): amadey stealc lummastealer
Result
Malware family: n/a
Score: 9/10
Tags: defense_evasion discovery
Behaviour
Suspicious behavior: EnumeratesProcesses
Program crash
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Verdict: Malicious
Tags: lumma lumma_stealer c2 stealer
YARA: n/a
Unpacked files
SHA256 hash: 6d4a4cd71ac5701de635ca00a79329d38e81271b6fc5127dd52a1dc8b9f93bf3
MD5 hash: 1bf7321d34ecfe4d8426ae969ddd0636
SHA1 hash: 0f5627de8227e2ea760f66cc81e5f72895dafdd6
SHA256 hash: 1a1572c3aa96c35ea02ad8fd2bfc3886bf5c3613c7877bc1e5385311078a6751
MD5 hash: c5755c3a37da95ca4b17861fe5ace4ce
SHA1 hash: 4d95f09ebace4dd55b8f51a538c0e57cdf8ac9e6
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques
Rule name: win_lumma_2eabe9054cad5152567f0699947a2c5b
Author: dubfib

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  Amadey
    Executable exe 1a1572c3aa96c35ea02ad8fd2bfc3886bf5c3613c7877bc1e5385311078a6751 (this sample)

Dropped by: Amadey
Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
