MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 203858a2a480b9efc8e97209a38731941d985960eaa9fcf6045bb972f34b0761. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Amadey


Vendor detections: 14



SHA256 hash: 203858a2a480b9efc8e97209a38731941d985960eaa9fcf6045bb972f34b0761
SHA3-384 hash: 592f4408f73a73493acef3daf9219da00078c58397efdbd1abcfa513c43442c9e92bc353f58994ace0b74dfa304fe838
SHA1 hash: e95f1e3251d0c661728a709b41f206ab4df0b394
MD5 hash: 403b787070f339f7292240d33a1f619a
humanhash: mockingbird-tennessee-william-florida
File name: rkhuba.exe
Signature: Amadey
File size: 168'960 bytes
First seen: 2026-05-02 04:55:05 UTC
Last seen: 2026-05-19 07:06:53 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 58e55310d66c611cb140f28166224b10 (2 x SVCStealer, 1 x Amadey, 1 x XTinyLoader)
ssdeep 3072:w7nVDG7iPEC7P6Tx5TksYq2KCTzo9I/A++cblAtlJ+56Kpv/f:0G7iPECL6TTTtjE4I/B+olerA
Threatray 12 similar samples on MalwareBazaar
TLSH T134F36E4A335460F4E17B9278CDA25B46E7B2787A17B1634E437843BA5F33251AE3D322
TrID 33.1% (.EXE) Win64 Executable (generic) (6522/11/2)
25.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.4% (.ICL) Windows Icons Library (generic) (2059/9)
10.3% (.EXE) OS/2 Executable (generic) (2029/13)
10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter BastianHein
Tags: Amadey exe

Intelligence


File Origin
# of uploads :
3
# of downloads :
149
Origin country :
CL
Vendor Threat Intelligence
Malware configuration found for:
TinyLoader
Details
TinyLoader
xor decoded strings including cryptocurrency addresses and a c2 url
Malware family:
ID:
1
File name:
Hotmail Checker.exe
Verdict:
Malicious activity
Analysis date:
2026-04-28 07:30:35 UTC
Tags:
stealc stealer amadey botnet python pyinstaller openssl tool

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Sending an HTTP POST request to an infection source
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-04-26T02:41:00Z UTC
Last seen:
2026-05-03T22:30:00Z UTC
Hits:
~100
Detections:
BSS:Trojan.Win32.Generic Trojan.Win32.Agent.sb HEUR:Trojan.Win64.Generic VHO:Trojan.Win64.Agent.gen
Gathering data
Threat name:
Win64.Trojan.Amadey
Status:
Malicious
First seen:
2026-04-26 07:37:33 UTC
File Type:
PE+ (Exe)
AV detection:
25 of 36 (69.44%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Behaviour
Modifies registry class
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Unpacked files
SHA256 hash:
203858a2a480b9efc8e97209a38731941d985960eaa9fcf6045bb972f34b0761
MD5 hash:
403b787070f339f7292240d33a1f619a
SHA1 hash:
e95f1e3251d0c661728a709b41f206ab4df0b394
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: VECT_Ransomware
Author: Mustafa Bakhit
Description: Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments