MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 264ff65eccf58c8a3501b9dba9282adb807a6c92408dd19bdf1be35021d7b9f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Amadey

Vendor detections: 5

SHA256 hash: 264ff65eccf58c8a3501b9dba9282adb807a6c92408dd19bdf1be35021d7b9f4
SHA3-384 hash: 9f92eb6d3b81537cbcbe6af825521f920c0065ad4260918973931c877bff1100324ea386a3eb3528adbf8c2e1857a0ca
SHA1 hash: 92d9b362e9ef316b97618522b871543155914ea3
MD5 hash: 230313b9885a7dc703b431730e7c38d0
humanhash: zebra-chicken-march-social
File name: sdHookpp.32.dll
Signature: Amadey
File size: 1'133'288 bytes
First seen: 2025-05-31 17:59:36 UTC
Last seen: Never
File type: DLL
MIME type: application/x-dosexec
imphash: 44f00ea5a937dd4b1b52ca1ae71fc5ab (3 x ACRStealer, 1 x Amadey)
ssdeep: 12288:x8zgke1195Sov270y0JDgycuKg38dB2GIOwAlnZdOcPNlj7FiidAFnvNlT:xQgkkzv27P0Tcu53kB2GIOtZdtQKU7
TLSH: T14A356E1BB2C5A53DC06A16364A7BA3609C3B677379168C6B17F4084CCFA56402F3B6E7
TrID: 35.4% (.EXE) Win64 Executable (generic) (10522/11/4)
      22.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      15.1% (.EXE) Win32 Executable (generic) (4504/4/1)
      6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
      6.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
Reporter: aachum
Tags: Amadey dll dropped-by-ACRStealer f63f23 HIjackLoader IDATLoader


iamaachum
https://mi.ricespider.digital/kernelbase64.bin

Amadey Botnet: f63f23
Amadey C2: http://mi.professedunease.top/dash/png/index.php

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 457
Origin country: ES
Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:
Behaviour:
  Searching for the window
  Searching for synchronization primitives
  Launching the default Windows debugger (dwwin.exe)

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: embarcadero_delphi expired-cert fingerprint invalid-signature keylogger packed signed

Result
Threat name: n/a
Detection: clean
Classification: n/a
Score: 9 / 100
Behaviour:
  Behavior Graph: n/a

Result
Malware family: n/a
Score: 3/10
Tags: discovery
Behaviour:
  Suspicious use of WriteProcessMemory
  Program crash
  System Location Discovery: System Language Discovery
Unpacked files
SHA256 hash: 264ff65eccf58c8a3501b9dba9282adb807a6c92408dd19bdf1be35021d7b9f4
MD5 hash: 230313b9885a7dc703b431730e7c38d0
SHA1 hash: 92d9b362e9ef316b97618522b871543155914ea3

SHA256 hash: 1268b61e443ae4f8383390f62e2b94192d41400baf926878f8bb5749a803c5b5
MD5 hash: 32db8735a3c688034b512ec311ae0a78
SHA1 hash: bc873e3a5766876abd817c6520c527f262856a53
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Borland
Author: malware-lu

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Amadey
File: DLL 264ff65eccf58c8a3501b9dba9282adb807a6c92408dd19bdf1be35021d7b9f4 (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                         Title                                                   Severity
CHECK_AUTHENTICODE         Missing Authenticode                                    high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (HIGH_ENTROPY_VA)  high

Reviews
ID                 Capabilities                     Evidence
WIN32_PROCESS_API  Can Create Process and Threads   kernel32.dll::CloseHandle
                                                    kernel32.dll::CreateThread
WIN_BASE_API       Uses Win Base API                kernel32.dll::LoadLibraryW
                                                    kernel32.dll::LoadLibraryA
                                                    kernel32.dll::LoadLibraryExW
                                                    kernel32.dll::GetSystemInfo
                                                    kernel32.dll::GetStartupInfoW
                                                    kernel32.dll::GetDiskFreeSpaceW
WIN_BASE_IO_API    Can Create Files                 kernel32.dll::CreateFileW
                                                    kernel32.dll::FindFirstFileW
WIN_REG_API        Can Manipulate Windows Registry  advapi32.dll::RegOpenKeyExW
                                                    advapi32.dll::RegQueryValueExW
WIN_USER_API       Performs GUI Actions             user32.dll::PeekMessageW

Comments