MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2acc7c9c4fed3150daff3c7e18b9ae9e6f5cff5e882a1c5bf9eabf6cec19c010. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Amadey


Vendor detections: 17


SHA256 hash: 2acc7c9c4fed3150daff3c7e18b9ae9e6f5cff5e882a1c5bf9eabf6cec19c010
SHA3-384 hash: 7fc2059a0089be06d0ce3a2872eb28998feedb5e8b6a49faf87e9ee0dc57ab44050acae840de5cb3946a0319b851af1a
SHA1 hash: e96b062c76b6a5c37e138a2c93b8779da60e9403
MD5 hash: 3cbe234a1185f87a5be77643ac671788
humanhash: sierra-winner-lemon-uncle
File name: random.exe
Signature: Amadey
File size: 1'947'648 bytes
First seen: 2025-04-18 16:59:39 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep: 49152:ZntcJpLeNO2b1tNXyFskD8BdOxZz19b7ec6mjS3QV:OqbRtBYn1N7exSS3Q
Threatray: 4 similar samples on MalwareBazaar
TLSH: T19995337A0C397727DC4CBC318C77D02E5E26838A97DA2A2777855935E86B2019B4F7B0
TrID: 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
      19.2% (.EXE) OS/2 Executable (generic) (2029/13)
      19.0% (.EXE) Generic Win/DOS Executable (2002/3)
      18.9% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: abuse_ch
Tags: Amadey exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 466
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID: 1
File name: random.exe
Verdict: Malicious activity
Analysis date: 2025-04-18 18:30:08 UTC
Tags: lumma stealer amadey botnet loader phishing auto generic auto-reg pastebin credentialflusher rdp auto-sch inno installer delphi

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.1%
Tags: phishing autorun emotet spam
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Searching for analyzing tools
Connection attempt to an infection source
Using the Windows Management Instrumentation requests
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: crypt entropy packed packed packer_detected rat virtual xpack
Result
Threat name: Amadey, LummaC Stealer, Xmrig
Detection: malicious
Classification: troj.spyw.expl.evad.mine
Score: 100 / 100
Signature
AI detected malicious Powershell script
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Command shell drops VBS files
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Detected unpacking (changes PE section rights)
Found malware configuration
Found strings related to Crypto-Mining
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sample uses string decryption to hide its real strings
Sigma detected: Potential Crypto Mining Activity
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: Xmrig
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected LummaC Stealer
Yara detected UAC Bypass using CMSTP
Yara detected Xmrig cryptocurrency miner
Behaviour
[Behavior graph: ID 1668624, Sample: random.exe, Startdate: 18/04/2025, Architecture: WINDOWS, Score: 100]
Threat name: Win32.Trojan.LummaStealer
Status: Malicious
First seen: 2025-04-18 17:00:39 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 22 of 24 (91.67%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:lumma defense_evasion discovery spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Browser Information Discovery
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks BIOS information in registry
Identifies Wine through registry keys
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://clarmodq.top/qoxo
https://piratetwrath.run/ytus
https://changeaie.top/geps
https://quilltayle.live/gksi
https://qliftally.top/xasj
https://nighetwhisper.top/lekd
https://salaccgfa.top/gsooz
https://rzestmodp.top/zeda
https://starofliught.top/wozd
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: 2acc7c9c4fed3150daff3c7e18b9ae9e6f5cff5e882a1c5bf9eabf6cec19c010
MD5 hash: 3cbe234a1185f87a5be77643ac671788
SHA1 hash: e96b062c76b6a5c37e138a2c93b8779da60e9403
SHA256 hash: 2df36c1b28f8bbdc6a99368c2205a5bae8ebec82639b6024a5d1cf0189b81777
MD5 hash: 40789521487ef9bdb86cb3556ae60c53
SHA1 hash: deec83d5b33bb6ddbcb99ea887abe06777bcdb5a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 2acc7c9c4fed3150daff3c7e18b9ae9e6f5cff5e882a1c5bf9eabf6cec19c010

(this sample)

Delivery method
Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_NX | Missing Non-Executable Memory Protection | critical

Comments