MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d68b275188c504e2055e774cc36bb98f8766b8c2b143e74df28201e16523584. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2d68b275188c504e2055e774cc36bb98f8766b8c2b143e74df28201e16523584
SHA3-384 hash: 84bec17aab8c057de117abc5ba2394e8c2fcf9ff23d6ce4d4e499d9cb57c65cf61f7ce6daa0f0145537385c65a721a1e
SHA1 hash: 46142e1f7bf0267057071575430dce9f34107cfc
MD5 hash: fcdd943dfdd8eb31ba798659fd66767e
humanhash: arizona-enemy-burger-eighteen
File name:clip64.dll
Download: download sample
Signature Amadey
Create hunting rule
File size:126'976 bytes
First seen:2025-03-31 12:43:32 UTC
Last seen:2025-03-31 12:46:30 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash fdb088ba51afbf555d7a0f495212d8f1 (21 x Amadey)
ssdeep 3072:N4Z27UeZm+wr7CImXEGP/Y4Z3SNqYfYYOpf:Co7JfuCIAEG/Z30Ynpf
TLSH T11CC34A213096C031D66D567E18A8ABF487BD6910DFB00DD77B840E7B9E642C2EE34D7A
TrID 32.2% (.EXE) Win64 Executable (generic) (10522/11/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4504/4/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter aachum
Tags:22031d Amadey AmadeyPlugin dll


Avatar
iamaachum
http://176.65.137.193/Lajv8eS3/Plugins/clip64.dll

Amadey Botnet: 22031d
Amadey C2: http://176.65.137.193/Lajv8eS3/index.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
163
Origin country :
ES ES
Vendor Threat Intelligence
Detection(s):
Win.Malware.Zusy-10015683-0
Create hunting rule

Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67ea8ff3855e5ec5240ad4f9
Tags:
clipbanker virus
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Verdict:
Malicious
Labled as:
Trojan/Amadey
Link:
https://www.hybrid-analysis.com/sample/2d68b275188c504e2055e774cc36bb98f8766b8c2b143e74df28201e16523584
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/473b4068-d5a5-48ee-a4af-e2751b2fb647
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1652865
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
System process connects to network (likely due to code injection or exploit)
Yara detected Amadeys Clipper DLL
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1652865 Sample: clip64.dll Startdate: 31/03/2025 Architecture: WINDOWS Score: 88 22 tse1.mm.bing.net 2->22 24 mm-mm.bing.net.trafficmanager.net 2->24 26 ax-0001.ax-msedge.net 2->26 30 Found malware configuration 2->30 32 Malicious sample detected (through community Yara rule) 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 3 other signatures 2->36 8 loaddll32.exe 1 2->8         started        signatures3 process4 process5 10 rundll32.exe 12 8->10         started        13 rundll32.exe 12 8->13         started        16 cmd.exe 1 8->16         started        18 5 other processes 8->18 dnsIp6 38 System process connects to network (likely due to code injection or exploit) 10->38 28 176.65.137.193, 49714, 49715, 80 PALTEL-ASPALTELAutonomousSystemPS Germany 13->28 20 rundll32.exe 16->20         started        signatures7 process8
Score:
80%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2d68b275188c504e2055e774cc36bb98f8766b8c2b143e74df28201e16523584
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2d68b275188c504e2055e774cc36bb98f8766b8c2b143e74df28201e16523584/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2025-03-30 09:54:53 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
24 of 36 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fvule5iyrrie4icv452mynv3td4hm24mfmkd45g7faqb4fssgwca._file
Verdict:
malicious
Label(s):
amadey
Create hunting rule
Similar samples:
error
Amadey
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey botnet:22031d discovery
Link:
https://tria.ge/reports/250331-pyhnwszxas/
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Malware Config
C2 Extraction:
http://176.65.137.193
Unpacked files
SH256 hash:
2d68b275188c504e2055e774cc36bb98f8766b8c2b143e74df28201e16523584
MD5 hash:
fcdd943dfdd8eb31ba798659fd66767e
SHA1 hash:
46142e1f7bf0267057071575430dce9f34107cfc
Link:
https://www.unpac.me/results/2b8466b7-ac74-41da-ba12-a437fd3b3c17/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2d68b275188c504e2055e774cc36bb98f8766b8c2b143e74df28201e16523584

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Amadey
Create hunting rule
Author:kevoreilly
Description:Amadey Payload
Rule name:ClipperDLL_Amadey
Create hunting rule
Author:NDA0E
Description:Detects Amadey's Clipper DLL
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

DLL dll 2d68b275188c504e2055e774cc36bb98f8766b8c2b143e74df28201e16523584

(this sample)

  
Link
https://tria.ge/250331-pwppessnt7/static1
  
Dropped by
Amadey
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WININET.dll::InternetCloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::EmptyClipboard
USER32.dll::OpenClipboard

Comments