Threat name: LummaC, Amadey, Babadeda, DanaBot, KeyLo
Alert
Classification: phis.troj.spyw.evad
Signatures:
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign process
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May use the Tor software to hide its network traffic
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Potentially malicious time measurement code found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to resolve many domain names, but no domain seems valid
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadeys stealer DLL
Yara detected BrowserPasswordDump
Yara detected DanaBot stealer dll
Yara detected Generic Downloader
Yara detected Keylogger Generic
Yara detected LummaC Stealer
Yara detected obfuscated html page
Yara detected Poverty Stealer
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected StormKitty Stealer
Yara detected Vidar stealer
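The persistence and execution signatures above (Creates multiple autostart registry keys; Sigma detected: New RUN Key Pointing to Suspicious Folder; Uses schtasks.exe or at.exe to add and modify task schedules) and the cmd.exe writes an .hta, then powershell.exe runs chain in the behavior graph below translate directly into endpoint detections. The following is an added example written for this page, not code from Joe Sandbox, abuse.ch or the report: a Sigma-style detector run over constructed Sysmon-like events. The event records, process IDs, full file paths (the report only shows truncated paths) and command lines are all constructed for the example and are not telemetry from the sample.

```python
"""Sigma-style detections for the persistence/execution behaviours in the
report: Run keys pointing at user-writable folders, scheduled-task creation,
and cmd.exe dropping an .hta before powershell.exe appears below it.
Added example for this page; the events are constructed, not sample telemetry."""
import re
from collections import defaultdict

# Folders the Sigma rule "New RUN Key Pointing to Suspicious Folder" treats
# as suspicious Run-key targets (user-writable, not Program Files).
SUSPICIOUS_FOLDERS = re.compile(
    r"\\(AppData\\(Local|Roaming)|Temp|Users\\Public|ProgramData|Downloads)\\",
    re.IGNORECASE,
)
RUN_KEYS = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE
)

# Constructed Sysmon-like records: EID 13 = registry value set,
# EID 1 = process create, EID 11 = file create. Paths, PIDs and command
# lines are assumptions for the example (the report shows truncated paths).
EVENTS = [
    {"eid": 13, "Image": r"C:\Users\user\AppData\Local\Temp\skotes.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\skotes",
     "Details": r"C:\Users\user\AppData\Local\Temp\skotes.exe"},
    {"eid": 13, "Image": r"C:\Windows\System32\msiexec.exe",  # benign control
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
    {"eid": 1, "ProcessId": 100, "ParentProcessId": 13,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn skotes /tr "C:\Users\user\AppData\Local\Temp\skotes.exe" /sc minute /mo 1'},
    {"eid": 1, "ProcessId": 41, "ParentProcessId": 34,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c ..."},
    {"eid": 11, "ProcessId": 41, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Temp\2alGwEWbJ.hta"},
    {"eid": 1, "ProcessId": 56, "ParentProcessId": 41,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c ..."},
    {"eid": 1, "ProcessId": 68, "ParentProcessId": 56,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden ..."},
]


def _image_is(event, *names):
    """True if the event's Image ends with one of the given lowercase basenames."""
    return event["Image"].lower().endswith(tuple("\\" + n for n in names))


def detect_suspicious_run_keys(events):
    """Run/RunOnce value whose data points into a user-writable folder."""
    return [(e["TargetObject"], e["Details"]) for e in events
            if e["eid"] == 13 and RUN_KEYS.search(e["TargetObject"])
            and SUSPICIOUS_FOLDERS.search(e["Details"])]


def detect_task_scheduling(events):
    """schtasks.exe with /create, or any at.exe invocation."""
    return [e["CommandLine"] for e in events
            if e["eid"] == 1 and (_image_is(e, "at.exe")
            or (_image_is(e, "schtasks.exe")
                and re.search(r"\s/create\b", e["CommandLine"], re.IGNORECASE)))]


def detect_hta_then_powershell(events, max_depth=3):
    """cmd.exe writes an .hta and powershell.exe is spawned at most
    max_depth levels beneath that cmd.exe (cmd -> cmd -> powershell counts)."""
    children = defaultdict(list)
    for e in events:
        if e["eid"] == 1:
            children[e["ParentProcessId"]].append(e)
    droppers = {e["ProcessId"]: e["TargetFilename"] for e in events
                if e["eid"] == 11 and _image_is(e, "cmd.exe")
                and e["TargetFilename"].lower().endswith(".hta")}
    hits = []
    for pid, hta in droppers.items():
        stack = [(pid, 0)]
        while stack:
            cur, depth = stack.pop()
            if depth == max_depth:
                continue
            for child in children[cur]:
                if _image_is(child, "powershell.exe"):
                    hits.append((hta, child["ProcessId"]))
                stack.append((child["ProcessId"], depth + 1))
    return hits


def run_all(events=EVENTS):
    """Run every rule and return the hits keyed by rule name."""
    return {"run_key": detect_suspicious_run_keys(events),
            "scheduled_task": detect_task_scheduling(events),
            "hta_powershell": detect_hta_then_powershell(events)}


if __name__ == "__main__":
    for rule, hits in run_all().items():
        print(f"{rule}: {hits}")
```

The Run-key rule mirrors the Sigma logic the report references: the TargetObject sits under `...\CurrentVersion\Run` and the value data resolves into a user-writable folder, so the msiexec control record pointing at Program Files does not fire. The HTA rule walks the parent/child tree instead of matching only a direct child, because in this graph the dropping cmd.exe spawns further cmd.exe instances before powershell.exe appears; the depth cap keeps an unrelated powershell.exe far down the tree from being attributed to the drop.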
Behavior Graph
ID: 1589502
Sample: UWYXurYZ2x.exe
Startdate: 12/01/2025
Architecture: WINDOWS
Score: 100

Process tree (flattened from the report's graph; numbers in brackets are the graph's process node IDs, and "started", "dropped" and "network" are its edge types):

[2] Analysis start (sample UWYXurYZ2x.exe)
    network: wholersorie.shop; plodnittpw.lat; 23 other IPs or domains
    signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 28 other signatures
    started: [13] skotes.exe, [18] UWYXurYZ2x.exe, [20] skotes.exe, [22] 3 other processes

[13] skotes.exe (started by 2)
    network: 185.215.113.16 (WHOLESALECONNECTIONSNL, Portugal); 185.215.113.43 ports 49973, 49974, 80 (WHOLESALECONNECTIONSNL, Portugal); 2 other IPs or domains
    dropped: C:\Users\user\AppData\...\eb15c414be.exe (PE32); C:\Users\user\AppData\...\fe4d890d0f.exe (PE32); C:\Users\user\AppData\...\b2ee16741f.exe (PE32); 19 other malicious files
    signatures: Creates multiple autostart registry keys; Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check)
    started: [24] bKIFsVe.exe, [28] fe4d890d0f.exe, [30] usPaQ3D.exe, [34] 8 other processes

[18] UWYXurYZ2x.exe (started by 2)
    dropped: C:\Users\user\AppData\Local\...\skotes.exe (PE32); C:\Users\user\...\skotes.exe:Zone.Identifier (ASCII)
    signatures: Detected unpacking (changes PE section rights); Tries to evade debugger and weak emulator (self modifying code); Tries to detect virtualization through RDTSC time measurements; Potentially malicious time measurement code found
    started: [32] skotes.exe

[20] skotes.exe (started by 2)
    signatures: Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

[22] 3 other processes (started by 2)
    network: 127.0.0.1 (unknown, unknown)

[24] bKIFsVe.exe (started by 13)
    network: marka4.cyou 116.203.166.124 (HETZNER-ASDE, Germany); t.me 149.154.167.99 (TELEGRAMRU, United Kingdom)
    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 2 other signatures
    started: [36] chrome.exe

[28] fe4d890d0f.exe (started by 13)
    network: plodnittpw.lat 172.67.161.160 (CLOUDFLARENETUS, United States)
    signatures: Tries to detect sandboxes and other dynamic analysis tools (window names); Machine Learning detection for dropped file; 2 other signatures

[30] usPaQ3D.exe (started by 13)
    network: 157.20.182.24 (FCNUniversityPublicCorporationOsakaJP, country unknown)
    signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Found many strings related to Crypto-Wallets (likely being stolen); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

[32] skotes.exe (started by 18)
    signatures: 3 other signatures

[34] 8 other processes (started by 13)
    network: 194.32.76.77 (MVPShttpswwwmvpsnetEU, Germany); 45.76.251.57 (AS-CHOOPAUS, United States)
    signatures: Detected unpacking (overwrites its own PE header); 5 other signatures
    started: [39] cmd.exe, [41] cmd.exe, [45] HNsLLEj.exe, [47] 4 other processes

[36] chrome.exe (started by 24)
    network: 239.255.255.250 (unknown, Reserved)
    started: [49] chrome.exe

[39] cmd.exe (started by 34)
    started: [52] cmd.exe, [54] conhost.exe

[41] cmd.exe (started by 34)
    dropped: C:\Temp\2alGwEWbJ.hta (HTML)
    signatures: Creates HTA files
    started: [56] cmd.exe, [58] cmd.exe, [60] cmd.exe, [62] 4 other processes

[45] HNsLLEj.exe (started by 34)
    network: 185.244.212.106 (M247GB, Romania)
    signatures: Tries to harvest and steal browser information (history, passwords, etc)

[47] 4 other processes (started by 34)
    network: misha-lomonosov.com 104.21.14.233 (CLOUDFLARENETUS, United States); steamcommunity.com 104.102.49.254 (AKAMAI-ASUS, United States)

[49] chrome.exe (started by 36)
    network: play.google.com 142.250.184.206 (GOOGLEUS, United States); plus.l.google.com 172.217.16.142 (GOOGLEUS, United States); 2 other IPs or domains

[52] cmd.exe (started by 39)
    started: [64] 5f6d06eefa.exe, [66] conhost.exe

[56] cmd.exe (started by 41)
    started: [68] powershell.exe

[58] cmd.exe (started by 41)
    started: [70] powershell.exe

[60] cmd.exe (started by 41)
    started: [72] powershell.exe

[62] 4 other processes (started by 41)
    started: [74] powershell.exe, [76] powershell.exe

[64] 5f6d06eefa.exe (started by 52)
    started: [78] cmd.exe

[78] cmd.exe (started by 64)
    dropped: C:\Temp\Pn8FljxwM.hta (HTML)
    signatures: Creates HTA files
    started: [82] cmd.exe, [84] cmd.exe, [86] cmd.exe, [88] 4 other processes

[82] cmd.exe (started by 78)
    started: [90] powershell.exe

[84] cmd.exe (started by 78)
    started: [92] powershell.exe

[86] cmd.exe (started by 78)
    started: [94] powershell.exe

[88] 4 other processes (started by 78)
    started: [96] powershell.exe