MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2caa70d1b1c96ce8b1b4a8f85e4298f2b3f3fdba8ca3b9fa6d60ca561a1296b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 10


Intelligence 10 IOCs YARA 24 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2caa70d1b1c96ce8b1b4a8f85e4298f2b3f3fdba8ca3b9fa6d60ca561a1296b0
SHA3-384 hash: d4129a803507c7c3ede8d36ab834cc15d1503bd565b3574e8024a15cb82296c729202c87b7a3cbc014d6dd809c906d27
SHA1 hash: 49553aa6782a2b30ef8eab051d7d19139d3d0858
MD5 hash: 853ee4c49462dce18cacee59597bfa1e
humanhash: tennessee-cat-johnny-salami
File name:bbji.gam.ps1
Download: download sample
Signature Amadey
Create hunting rule
File size:19'861'494 bytes
First seen:2025-10-17 21:18:04 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 49152:1NFlgWJ9U7CvLb+BOyNK1XJsxE0spec/xXDbjj2ZVgnQZIyH6ttwiZO7h5rLtQ0+:V
TLSH T1AC173311AF696DBE4B6C833871BF5F1D27A00F80848CE5DB93E164C7269EF90416F869
Magika powershell
Reporter aachum
Tags:37-27-45-144 827ad8 ACRStealer Amadey ClickFix HIjackLoader ps1


Avatar
iamaachum
https://valeforge.space/bbji.gam

ACRStealer C2: 37.27.45.144

Intelligence

File Origin
# of uploads :
1
# of downloads :
262
Origin country :
ES ES
Vendor Threat Intelligence
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68f2b2af72d478f90598d37f
Tags:
ransomware shellcode hype
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
base64 masquerade obfuscated stealer
Link:
https://www.filescan.io/uploads/68f2b2ad11ff3db29f633eeb/reports/de4f1de1-5f23-4e27-b140-d54f1d81f7c4/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/2caa70d1b1c96ce8b1b4a8f85e4298f2b3f3fdba8ca3b9fa6d60ca561a1296b0
Verdict:
Clean
File Type:
ps1
Link:
https://opentip.kaspersky.com/2caa70d1b1c96ce8b1b4a8f85e4298f2b3f3fdba8ca3b9fa6d60ca561a1296b0/results?tab=lookup
Result
Threat name:
ACR Stealer, Amadey, HijackLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1797416
Signature
AI detected malicious Powershell script
Allocates memory in foreign processes
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Deletes itself after installation
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Powershell uses Background Intelligent Transfer Service (BITS)
Sample uses string decryption to hide its real strings
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: Powershell Download and Execute IEX
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Rundll32 Execution Without CommandLine Parameters
Sigma detected: Suspicious PowerShell Download and Execute Pattern
Sigma detected: Suspicious PowerShell Invocations - Specific - PowerShell Module
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected ACR Stealer
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected HijackLoader
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1797416 Sample: bbji.gam.ps1 Startdate: 17/10/2025 Architecture: WINDOWS Score: 100 71 mi.limpingbronco.com 2->71 73 unpopularnational.com 2->73 85 Suricata IDS alerts for network traffic 2->85 87 Found malware configuration 2->87 89 Malicious sample detected (through community Yara rule) 2->89 91 16 other signatures 2->91 11 powershell.exe 263 2->11         started        14 svchost.exe 2->14         started        17 elevation_service.exe 2->17         started        signatures3 process4 dnsIp5 109 Suspicious powershell command line found 11->109 111 Found many strings related to Crypto-Wallets (likely being stolen) 11->111 113 Suspicious execution chain found 11->113 115 2 other signatures 11->115 19 Setup.exe 10 11->19         started        23 powershell.exe 20 11->23         started        25 powershell.exe 20 11->25         started        27 conhost.exe 11->27         started        83 127.0.0.1 unknown unknown 14->83 signatures6 process7 file8 63 C:\Users\user\...\MicrosoftEdgeUpdate.exe, PE32 19->63 dropped 65 C:\Users\user\AppData\Local\...\F9F97D1.tmp, PE32 19->65 dropped 67 C:\ProgramData\9372766\SQLite.Interop.dll, PE32+ 19->67 dropped 69 C:\ProgramData\...\CCleanerReactivator.dll, PE32+ 19->69 dropped 93 Found hidden mapped module (file has been removed from disk) 19->93 95 Switches to a custom stack to bypass stack traces 19->95 97 Found direct / indirect Syscall (likely to bypass EDR) 19->97 29 MicrosoftEdgeUpdate.exe 19->29         started        99 Deletes itself after installation 23->99 33 conhost.exe 23->33         started        35 conhost.exe 25->35         started        signatures9 process10 dnsIp11 79 85.209.128.128, 49708, 49709, 80 VELIANET-ASvelianetInternetdiensteGmbHDE Netherlands 29->79 81 37.27.45.144, 443, 49693, 49694 UNINETAZ Iran (ISLAMIC Republic Of) 29->81 117 Found many strings related to Crypto-Wallets (likely being stolen) 29->117 119 Bypasses PowerShell execution policy 29->119 121 Contains functionality to inject code into remote processes 29->121 123 6 other signatures 29->123 37 rundll32.exe 29->37         started        41 powershell.exe 29->41         started        43 powershell.exe 29->43         started        45 9 other processes 29->45 signatures12 process13 dnsIp14 75 mi.limpingbronco.com 104.21.66.58, 49713, 49714, 49715 CLOUDFLARENETUS United States 37->75 101 System process connects to network (likely due to code injection or exploit) 37->101 103 Contains functionality to start a terminal service 37->103 105 Powershell uses Background Intelligent Transfer Service (BITS) 41->105 107 Loading BitLocker PowerShell Module 41->107 47 net.exe 41->47         started        49 conhost.exe 41->49         started        77 87.120.219.26, 49710, 49711, 80 NET1-ASBG Bulgaria 43->77 51 conhost.exe 43->51         started        53 WerFault.exe 45->53         started        55 WerFault.exe 45->55         started        57 WerFault.exe 45->57         started        59 9 other processes 45->59 signatures15 process16 process17 61 net1.exe 47->61         started       
Verdict:
Malware
YARA:
3 match(es)
Tags:
Base64 Block Contains Base64 Block DeObfuscated PowerShell
Link:
https://app.malva.re/file/853ee4c49462dce18cacee59597bfa1e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2caa70d1b1c96ce8b1b4a8f85e4298f2b3f3fdba8ca3b9fa6d60ca561a1296b0/
Verdict:
Malicious
Threat:
Family.HIJACKLOADER
Link:
https://tip.neiki.dev/file/2caa70d1b1c96ce8b1b4a8f85e4298f2b3f3fdba8ca3b9fa6d60ca561a1296b0
Threat name:
Script-PowerShell.Trojan.Boxter
Create hunting rule
Status:
Malicious
First seen:
2025-10-17 21:19:41 UTC
File Type:
Text (PowerShell)
AV detection:
2 of 24 (8.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fsvhbunrzfwormnuvd4f4quy6kz7h7n2rsr3t6tnmdffmgqss2ya._file
Result
Malware family:
hijackloader
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader discovery execution loader spyware stealer
Link:
https://tria.ge/reports/251017-z5n5cshp4x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Deletes itself
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Detects HijackLoader (aka IDAT Loader)
HijackLoader
Hijackloader family
Malware Config
Dropper Extraction:
http://87.120.219.26/CCZT7wMNnD29ie
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2caa70d1b1c96ce8b1b4a8f85e4298f2b3f3fdba8ca3b9fa6d60ca561a1296b0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Amatera
Create hunting rule
Author:kevoreilly
Description:Amatera Payload
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:dgaagas
Create hunting rule
Author:Harshit
Description:Uses certutil.exe to download a file named test.txt
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Warp
Create hunting rule
Author:Seth Hardy
Description:Warp
Rule name:WarpStrings
Create hunting rule
Author:Seth Hardy
Description:Warp Identifying Strings
Rule name:Windows_Exploit_Generic_008359cf
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_ACRStealer_f9728d76
Create hunting rule
Author:Elastic Security
Rule name:WIN_FileFix_Detection
Create hunting rule
Author:dogsafetyforeverone
Description:Detects FileFix social engineering technique that launches chained PowerShell and PHP commands from file explorer typed paths
Reference:FileFix social engineering with PowerShell and PHP commands

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

HTML Application (hta) hta eddbd2a74633b9a498dbb8c928eabd8960b9d51b6e945f35269ea65e3ba86ae0

Amadey

PowerShell (PS) ps1 2caa70d1b1c96ce8b1b4a8f85e4298f2b3f3fdba8ca3b9fa6d60ca561a1296b0

(this sample)

  
Link
https://tria.ge/251017-z18m7shp3s/behavioral2
  
Dropped by
SHA256 eddbd2a74633b9a498dbb8c928eabd8960b9d51b6e945f35269ea65e3ba86ae0
  
Delivery method
Distributed via web download
  
Dropped by
MD5 3038071606faa9813689c156303c9ad2

Comments