MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e199cb594c3aede58350bd2fefa695307196f96129dfcf0974a3560c767762a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 21


Intelligence 21 IOCs 1 YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2e199cb594c3aede58350bd2fefa695307196f96129dfcf0974a3560c767762a
SHA3-384 hash: f00af17e75053b660454f2de0f737337e2cccb5a959ee89fcee42b73cb88d1b5f84a4be75c241fc51eb296d0bb89db5c
SHA1 hash: d559d825e2016d384928eb4eb6dea957692779c0
MD5 hash: 385771f2dbeeec2a8c4e0204e5dbfbcc
humanhash: echo-mike-indigo-lactose
File name:random.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:5'063'680 bytes
First seen:2025-09-18 12:55:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 98304:PkriZvwJfV6FN6tybhgMIBugYDbRvrWBl4L5zHilgqGAegeRuaKqe:sriZO96utQWMIBAbQkLtHilgqjrJO
Threatray 1'477 similar samples on MalwareBazaar
TLSH T12C36339F421FC30AF3F6A2BF817316713C715E16AF641272B364F81D4B9B563AA61260
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
http://178.16.54.200/f8nus4b/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://178.16.54.200/f8nus4b/index.php https://threatfox.abuse.ch/ioc/1593931/

Intelligence

File Origin
# of uploads :
1
# of downloads :
117
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
random.exe
Verdict:
Malicious activity
Analysis date:
2025-09-18 12:35:37 UTC
Tags:
lumma stealer amadey botnet unlocker-eject tool loader arch-exec evasion auto-reg telegram auto-startup auto rdp crypto-regex generic coinminer miner gcleaner stealc vidar autoit
Link:
https://app.any.run/tasks/7e50cb3d-19df-4cec-b5d1-754858871091

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Amadey
Create hunting rule
Link:
https://www.capesandbox.com/analysis/28152/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68cbfc98246a2631bd3099d5
Tags:
vmdetect asyncrat delphi cobalt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Enabling the 'hidden' option for files in the %temp% directory
Creating a file in the Windows directory
Enabling the 'hidden' option for recently created files
Launching a process
Creating a process with a hidden window
Creating a service
Launching a service
Restart of the analyzed sample
Сreating synchronization primitives
Creating a file in the Windows subdirectories
Searching for synchronization primitives
Running batch commands
Creating a process from a recently created file
Sending a custom TCP request
Creating a window
Searching for the window
Creating a file
Launching the default Windows debugger (dwwin.exe)
Enabling autorun for a service
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
lolbin obfuscated obfuscated packed packed packer_detected schtasks
Link:
https://www.filescan.io/uploads/68cc016373af424b47e601a0/reports/057a41a1-7b1d-41e7-a4af-89d466170f28/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/2e199cb594c3aede58350bd2fefa695307196f96129dfcf0974a3560c767762a
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-18T09:40:00Z UTC
Last seen:
2025-09-18T09:40:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/2e199cb594c3aede58350bd2fefa695307196f96129dfcf0974a3560c767762a/results?tab=lookup
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/694c2358-b6ce-4071-8041-f43ae8ed02b2
Result
Threat name:
Stealc v2, Vidar, XWorm, LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1780015
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Drops executables to the windows directory (C:\Windows) and starts them
Drops password protected ZIP file
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Sigma detected: PUA - NSudo Execution
Sigma detected: Suspicious New Service Creation
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the nircmd tool (NirSoft)
Yara detected Stealc v2
Yara detected Vidar stealer
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1780015 Sample: random.exe Startdate: 18/09/2025 Architecture: WINDOWS Score: 100 87 pir.aztu.edu.az 2->87 89 yunded.com 2->89 91 20 other IPs or domains 2->91 105 Suricata IDS alerts for network traffic 2->105 107 Found malware configuration 2->107 109 Malicious sample detected (through community Yara rule) 2->109 111 17 other signatures 2->111 10 random.exe 9 2->10         started        14 random.exe 4 2->14         started        16 svchost.exe 54 110 2->16         started        18 7 other processes 2->18 signatures3 process4 file5 75 C:\Windows\systemhelper.exe, PE32 10->75 dropped 77 C:\Windows\svchosthelper.exe, PE32 10->77 dropped 79 C:\Users\user\AppData\...\svchostmanager.exe, PE32 10->79 dropped 85 3 other malicious files 10->85 dropped 127 Drops executables to the windows directory (C:\Windows) and starts them 10->127 20 svchosthelper.exe 47 10->20         started        25 systemhelper.exe 15 10->25         started        27 cmd.exe 1 10->27         started        33 3 other processes 10->33 81 C:\Windows\Temp\svchostmanager.exe, PE32 14->81 dropped 83 C:\Windows\Temp\svchostam.exe, PE32 14->83 dropped 129 Contains functionality to start a terminal service 14->129 131 Uses cmd line tools excessively to alter registry or file data 14->131 29 svchosthelper.exe 14->29         started        31 WerFault.exe 2 16->31         started        133 Changes security center settings (notifications, updates, antivirus, firewall) 18->133 signatures6 process7 dnsIp8 93 178.16.54.200, 49715, 49716, 49717 DUSNET-ASDE Germany 20->93 95 178.16.55.70, 49790, 80 DUSNET-ASDE Germany 20->95 59 C:\Users\user\AppData\Local\...\ojjvpn1.exe, PE32 20->59 dropped 61 C:\Users\user\AppData\Local\...\ws92P1k.exe, PE32 20->61 dropped 63 C:\Users\user\AppData\Local\...\v3434.exe, PE32+ 20->63 dropped 71 19 other malicious files 20->71 dropped 115 Contains functionality to start a terminal service 20->115 65 C:\Users\user\AppData\Local\...\nircmd.exe, PE32+ 25->65 dropped 67 C:\Users\user\AppData\Local\...\cecho.exe, PE32 25->67 dropped 69 C:\Users\user\AppData\Local\...69SudoLG.exe, PE32+ 25->69 dropped 73 2 other malicious files 25->73 dropped 117 Multi AV Scanner detection for dropped file 25->117 35 cmd.exe 25->35         started        119 Uses cmd line tools excessively to alter registry or file data 27->119 121 Uses schtasks.exe or at.exe to add and modify task schedules 27->121 123 Uses the nircmd tool (NirSoft) 27->123 38 conhost.exe 27->38         started        40 schtasks.exe 1 27->40         started        125 Contains functionality to inject code into remote processes 29->125 42 WerFault.exe 29->42         started        44 conhost.exe 33->44         started        46 conhost.exe 33->46         started        file9 signatures10 process11 signatures12 113 Uses cmd line tools excessively to alter registry or file data 35->113 48 reg.exe 35->48         started        51 cmd.exe 35->51         started        53 conhost.exe 35->53         started        55 20 other processes 35->55 process13 signatures14 97 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 48->97 99 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 48->99 101 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 48->101 103 Queries memory information (via WMI often done to detect virtual machines) 48->103 57 tasklist.exe 51->57         started        process15
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2e199cb594c3aede58350bd2fefa695307196f96129dfcf0974a3560c767762a
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.35 Win 32 Exe x86
Link:
https://app.malva.re/file/385771f2dbeeec2a8c4e0204e5dbfbcc
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2e199cb594c3aede58350bd2fefa695307196f96129dfcf0974a3560c767762a/
Verdict:
Malicious
Threat:
Family.LUMMA
Link:
https://tip.neiki.dev/file/2e199cb594c3aede58350bd2fefa695307196f96129dfcf0974a3560c767762a
Threat name:
ByteCode-MSIL.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2025-09-18 12:35:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fymzznmuyoxn4wbvbpjp56tjkmdrs34wcko7z4exji2wbr3hoyva._file
Verdict:
malicious
Label(s):
unc_loader_051
Create hunting rule
admintool_nsudo
Create hunting rule
amadey
Create hunting rule
admintool_nircmd
Create hunting rule
Similar samples:
0046ac156acfd377676b3b6a529e8dd7426d058f20a8ff445d47134b02e5c8c3
Amadey
0d95e636a7e133f2d04f8cdcc0e7e46628a3172f6f5e8e3f2ceea014c911fd4c
Amadey
1db211a355727107916e15b30f1f91bf0630b6bf8d3c0e9ea88a76d8ff3c9ed1
Amadey
2f994afc548d528e56a029cf4481d56a3459d438b46ec38403a977bc7d70dced
Amadey
3ba3ef4cc21a08817b7e7dae3a46f13bd596025ecd2d983a2203e4bd3eeb14c7
Amadey
4a9ea80070aeef34e75107e504544232228ffa9a09e037c778cd264a2c5564d2
Amadey
7a3ea1f8ddff3751f6148c6f7da2aa702ad053ba7c7a182b9a94faf2b3b44a43
Amadey
error
Amadey
+ 1'467 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:donutloader family:lumma family:xworm collection credential_access defense_evasion discovery execution loader persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/250918-p59qysgl3s/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry key
Runs net.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Launches sc.exe
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Downloads MZ/PE file
Sets service image path in registry
Stops running service(s)
Uses browser remote debugging
Detect Xworm Payload
Detects DonutLoader
Disables service(s)
DonutLoader
Donutloader family
Lumma Stealer, LummaC
Lumma family
Xworm
Xworm family
Malware Config
C2 Extraction:
rockyx22.duckdns.org:8887
https://acrislegt.su/tazd
https://yunded.com/uwuz
https://sirhirssg.su/xzde
https://prebwle.su/xazd
https://rhussois.su/tatr
https://todoexy.su/xqts
https://averiryvx.su/zadr
https://cerasatvf.su/qtpd
https://consnbx.su/sawo
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c32f5405-8621-43da-96df-f9160bbb5f37
Unpacked files
SH256 hash:
2e199cb594c3aede58350bd2fefa695307196f96129dfcf0974a3560c767762a
MD5 hash:
385771f2dbeeec2a8c4e0204e5dbfbcc
SHA1 hash:
d559d825e2016d384928eb4eb6dea957692779c0
Link:
https://www.unpac.me/results/a8eca872-5945-43a1-9a1b-cfd999d29a36/
SH256 hash:
68443fd4155d23e9584e81efbd924565a4621be75e471cf2279a247b070b1619
MD5 hash:
cb723e3f178b59d5433d48e2791cbcb5
SHA1 hash:
635f198bcf90c9a57a0a94b244f3a6a2b0a539dc
Link:
https://www.unpac.me/results/a8eca872-5945-43a1-9a1b-cfd999d29a36/
SH256 hash:
62e499a6744f34f461364bc545b299b13b085a80acb1c4a9a89f98b93ece4413
MD5 hash:
b914046edbdaa90ea676d1292b262e37
SHA1 hash:
6479ce2a1d5777277eddd028cd506143b89b095a
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/a8eca872-5945-43a1-9a1b-cfd999d29a36/
SH256 hash:
66088db1c9353108a61455f165f643289d0eea5013197e87fcef2211fd6b4300
MD5 hash:
8d77e66ea16b0e3a79aead89f7c7c3ae
SHA1 hash:
8beabf0b36db6b1ba5f7f8d3c27840de8927296c
Link:
https://www.unpac.me/results/a8eca872-5945-43a1-9a1b-cfd999d29a36/
SH256 hash:
c39c4466f622b7320076076ea3eb13fa0f784b9b097dff46d802f905fc39d851
MD5 hash:
a7993e5a520b17fec65435fb4838a08f
SHA1 hash:
18fe6286473a03735e7b701d4bfaf61ad35da7ad
Link:
https://www.unpac.me/results/a8eca872-5945-43a1-9a1b-cfd999d29a36/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2e199cb594c3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2e199cb594c3aede58350bd2fefa695307196f96129dfcf0974a3560c767762a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:win_5t_downloader_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.5t_downloader.
Rule name:win_lumma_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.lumma.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/28152/

Comments