MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1bb7b314205b20d1dd7f616ab7d688a88901d055d85232ba12c475b41ef04efd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 11



SHA256 hash: 1bb7b314205b20d1dd7f616ab7d688a88901d055d85232ba12c475b41ef04efd
SHA3-384 hash: 54d004fdda965a393006200eb03d6a883fd0a99ee0b7b28c737d15468abd40c6f7d1ffccff7200d418cf5d11612ed50e
SHA1 hash: 467b1a1c76993f2897a1dae918c0de2770c3926c
MD5 hash: 1cd78549ff4bfbc19670921e44ec29f4
humanhash: maine-uranus-avocado-florida
File name: test.ps1.ps1
Signature: Amadey
File size: 174 bytes
First seen: 2026-04-23 04:45:43 UTC
Last seen: Never
File type: PowerShell (PS) ps1
MIME type: text/plain
ssdeep: 3:BP+wKBM2S4HE6RmKLTyRsrKF2xKt2y+zBJYgRJBRVBpddr5o2Mv4s26JqWRRmwtm:ZhKBM34HRpTCsu2xKt5gvBzBzdrK4VNJ
TLSH: T1F4C080A53477BF0C029017D554029DD0F2250AE0767F5FD4C7C14BAF45C5566B03D314
Magika: powershell
Reporter: abuse_ch
Tags: Amadey ps1


abuse_ch
Amadey C2:
http://196.251.107.248/kont2rt/index.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://196.251.107.248/kont2rt/index.php
ThreatFox Reference: https://threatfox.abuse.ch/ioc/1796426/

Intelligence


File Origin
# of uploads: 1
# of downloads: 117
Origin country: NL
Vendor Threat Intelligence
No detections
Verdict: Malicious
Score: 94.9%
Tags: obfuscate dridex trojan shell
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: base64 obfuscated
Result
Threat name: Amadey, Vidar
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list
AI detected malicious Powershell script
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Disables Windows Defender (via service or powershell)
Drops password protected ZIP file
Drops PE files to the user root directory
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Modifies Windows Defender protection settings
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Powershell drops PE file
Queues an APC in another process (thread injection)
Sample uses string decryption to hide its real strings
Sigma detected: Disable Windows Defender AV Security Monitoring
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Powershell launch regsvr32
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Unusual module load detection (module proxying)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the nircmd tool (NirSoft)
Windows shortcut file (LNK) contains suspicious command line arguments
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected Powershell download and execute
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Behavior Graph: Joe Sandbox behavior graph ID 1903164 for sample test.ps1.ps1 (start date 23/04/2026, architecture WINDOWS, score 100). The graph itself (process tree, dropped files and contacted hosts) is an image on the original page and is not reproduced here.
Verdict: Malware
YARA: 1 match(es)
Tags: Base64 Block Contains Base64 Block DeObfuscated PowerShell
Verdict: malicious
Label(s):
Similar samples:
Result
Malware family:
Score: 10/10
Tags: family:vidar botnet:0c14910b9da47efb683982ba180cb5d2 defense_evasion discovery execution persistence stealer upx
Behaviour
Checks processor information in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Time Discovery
Launches sc.exe
Enumerates processes with tasklist
UPX packed file
Checks installed software on the system
Disables service(s)
Executes dropped EXE
Loads dropped DLL
Stops running service(s)
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Detected Nirsoft tools
NirSoft NirCmd
Detects Vidar Stealer
Family: Vidar
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
https://telegram.me/p74kol
https://steamcommunity.com/profiles/76561198721902688
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD commands that can be abused by a threat actor (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments