MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f0a5d79e362c2bb34dd1cc42468f5ac0bc7f4affa64df85b8ce0e245a206299. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey
Vendor detections: 18

SHA256 hash: 2f0a5d79e362c2bb34dd1cc42468f5ac0bc7f4affa64df85b8ce0e245a206299
SHA3-384 hash: 33e0e361446891fc9c0e9f7f8c95de12fabdb7473143631434afd1a5eda75235f47023b4a1c64a7ad163dce223bf411c
SHA1 hash: f6f28e247c30133f04f5307a68f39a1f745ff63e
MD5 hash: 003dc680c85178fe5dc35b150b0b207c
humanhash: wolfram-ceiling-georgia-texas
File name: 003DC680C85178FE5DC35B150B0B207C.exe
Download: download sample
Signature: Amadey
File size: 10'563'469 bytes
First seen: 2025-03-17 17:55:20 UTC
Last seen: 2025-03-17 18:34:31 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5a594319a0d69dbc452e748bcf05892e (21 x ParallaxRAT, 20 x Gh0stRAT, 15 x NetSupport)
ssdeep: 196608:8pqOoJhD0monOQGwbswVz6lMjou97VlodYoZo:jDvFEOQGwbTt8ubl
TLSH: T170B6E037F3886D2FC0AB1B315A7782A0A8377A6275128D7BA7F4094C8F355506E3E746
TrID:
  46.7% (.EXE) Inno Setup installer (107240/4/30)
  25.0% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
  18.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
  4.5% (.EXE) Win64 Executable (generic) (10522/11/4)
  1.9% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
dhash icon: f1e862c8c968e2c8 (1 x Amadey)
Reporter: abuse_ch
Tags: Amadey exe
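Two checks a practitioner usually wants from the block above, as an added example by the editor (not MalwareBazaar's or any vendor's code): verifying that a downloaded file really is the sample this entry describes, and seeing why the imphash is shared with ParallaxRAT, Gh0stRAT and NetSupport samples. The latter follows from the TrID result and the sandbox tags: the outer file is an Inno Setup installer, so the import table that is hashed belongs to the installer stub, not to the Amadey payload, and any family shipped through the same stub collides. The imphash function below reproduces pefile's canonical form (DLL name without .dll/.ocx/.sys, a dot, the lowercase import name, in import-table order, comma-joined, MD5) with one simplification: pefile maps ordinals of ws2_32 and oleaut32 to names, here every ordinal becomes `ordNN`. The bytes and import table used in the demo are constructed and do not match the entry.

```python
"""Verify a local file against this entry's hashes and derive an imphash
from an import table. Added example, not MalwareBazaar's own code."""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path

# Values copied from this MalwareBazaar entry.
ENTRY_HASHES = {
    "md5": "003dc680c85178fe5dc35b150b0b207c",
    "sha1": "f6f28e247c30133f04f5307a68f39a1f745ff63e",
    "sha256": "2f0a5d79e362c2bb34dd1cc42468f5ac0bc7f4affa64df85b8ce0e245a206299",
    "sha3_384": "33e0e361446891fc9c0e9f7f8c95de12fabdb7473143631434afd1a5eda75235f47023b4a1c64a7ad163dce223bf411c",
}
ENTRY_IMPHASH = "5a594319a0d69dbc452e748bcf05892e"


def _new_hashers() -> dict:
    # hashlib.new accepts "sha3_384" alongside md5/sha1/sha256.
    return {name: hashlib.new(name) for name in ENTRY_HASHES}


def digest_bytes(data: bytes) -> dict[str, str]:
    """All four digests of an in-memory buffer."""
    hashers = _new_hashers()
    for h in hashers.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_file(path: str | os.PathLike, chunk_size: int = 1 << 20) -> dict[str, str]:
    """All four digests of a file, streamed so a 10 MB sample is not held in memory."""
    hashers = _new_hashers()
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def compare_to_entry(digests: dict[str, str], expected: dict[str, str] = ENTRY_HASHES) -> dict[str, bool]:
    """True per algorithm when the computed digest equals the listed one."""
    return {name: digests.get(name, "").lower() == value.lower() for name, value in expected.items()}


def filename_is_md5(filename: str, md5: str) -> bool:
    """The stored file name on this entry is the MD5 in upper case plus '.exe'."""
    return Path(filename).stem.lower() == md5.lower()


_IMPHASH_EXTS = ("dll", "ocx", "sys")


def imphash_from_imports(imports: list[tuple[str, list[str | int]]]) -> tuple[str, str]:
    """Build pefile's canonical import string and its MD5 (the imphash).

    imports: [(dll_name, [import_name_or_ordinal, ...]), ...] in import-table order.
    Simplification (assumption): every ordinal is rendered as ordNN; pefile
    resolves ws2_32/oleaut32 ordinals to names first.
    """
    parts: list[str] = []
    for dll, funcs in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in _IMPHASH_EXTS:
            lib = base
        for func in funcs:
            name = f"ord{func}" if isinstance(func, int) else func.lower()
            parts.append(f"{lib}.{name}")
    canonical = ",".join(parts)
    return canonical, hashlib.md5(canonical.encode()).hexdigest()


if __name__ == "__main__":
    # Constructed stand-in for a downloaded sample; it will not match the entry.
    with tempfile.NamedTemporaryFile(delete=False, suffix=".exe") as tmp:
        tmp.write(b"MZ" + b"\0" * 1024)
    try:
        print("matches entry:", compare_to_entry(digest_file(tmp.name)))
    finally:
        os.unlink(tmp.name)
    # Constructed import table; the order of entries is part of the hash.
    canon, h = imphash_from_imports(
        [("KERNEL32.dll", ["CreateFileW", "LoadLibraryA"]), ("ADVAPI32.dll", ["RegOpenKeyExW"]), ("MPR.dll", [50])]
    )
    print(canon, h, "same stub as entry:", h == ENTRY_IMPHASH)
```

When the SHA256 matches, the other three will too; a mismatch on only one algorithm means a transcription error, not a different file. Because the imphash is positional, two binaries with the same imports in a different order hash differently, which is why it pivots well on packer and installer stubs but says nothing about the payload they carry.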


abuse_ch
Amadey C2:
http://159.100.14.208/jb87ejvjdsS/index.php

Intelligence


File Origin
# of uploads: 2
# of downloads: 481
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
003DC680C85178FE5DC35B150B0B207C.exe
Verdict:
Malicious activity
Analysis date:
2025-03-17 17:56:15 UTC
Tags:
delphi inno installer autoit amadey botnet stealer rdp autorun-reg

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
dropper virus hype
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Restart of the analyzed sample
Creating a process with a hidden window
Searching for the window
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Creating a file
Launching a process
Connection attempt
Sending an HTTP POST request
Setting a single autorun event
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd embarcadero_delphi expand fingerprint installer invalid-signature lolbin overlay packed packed packer_detected regsvr32 runonce signed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Behaviour
Behavior Graph (ID 1640816; sample lYYTvL1KgS.exe; start date 17/03/2025; architecture WINDOWS; score 100)
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus / Scanner detection for submitted sample; 6 other signatures

Process tree, dropped files and per-process signatures (paths abbreviated as in the graph):
lYYTvL1KgS.exe
  dropped: C:\Users\user\AppData\...\lYYTvL1KgS.tmp (PE32)
  +-- lYYTvL1KgS.tmp
        dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_isdecmp.dll (PE32); C:\Users\user\AppData\Local\...\_iscrypt.dll (PE32)
        +-- lYYTvL1KgS.exe (second instance)
              dropped: C:\Users\user\AppData\...\lYYTvL1KgS.tmp (PE32)
              +-- lYYTvL1KgS.tmp
                    dropped: C:\Users\user\AppData\...\AutoIt3.exe (copy, PE32); C:\Users\user\...\vstest.console.dll (copy, PE32+); C:\Users\user\...\pythoncom311.dll (copy, PE32+); 26 other files (none is malicious)
                    +-- AutoIt3.exe
                          dropped: C:\...\AutoIt3.exe (PE32); C:\...\vstest.console.dll (PE32+); C:\...\pythoncom311.dll (PE32+); 4 other files (none is malicious)
                          signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
                          +-- jsc.exe
                                network: 159.100.14.208 (DE-FIRSTCOLO, www.first-colo.net, Germany), three TCP connections (local ports 49689, 49693, 49694)
                                signatures: Contains functionality to start a terminal service; Contains functionality to inject code into remote processes
AutoIt3.exe (started from the root node, separate instance)
  signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  +-- jsc.exe
        signatures: Contains functionality to start a terminal service
AutoIt3.exe (started from the root node, separate instance)
  +-- jsc.exe
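The chain in the graph (installer, Inno Setup .tmp, a dropped AutoIt3.exe under the user profile, injection into jsc.exe, and jsc.exe opening the connection to 159.100.14.208) is the kind of process-tree pattern that is easier to hunt than any single hash. The following is an added example by the editor, not part of this page or of any vendor's tooling: a small detector over Sysmon-shaped process-create and network-connect events. The events, their shape, and the AutoIt3.exe drop path are constructed to mirror the graph; the jsc.exe path is the standard .NET Framework location.

```python
"""Flag the process chain in the behavior graph: AutoIt3.exe dropped into the
user profile, spawning/injecting jsc.exe, and jsc.exe talking to the C2.
Added example; event shape and paths are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from pathlib import PureWindowsPath

C2_IP = "159.100.14.208"  # from the graph and the sandbox C2 extraction on this page


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str                                        # full path as logged
    connects: list[str] = field(default_factory=list)  # destination IPs seen

    @property
    def name(self) -> str:
        return PureWindowsPath(self.image).name.lower()

    @property
    def user_writable(self) -> bool:
        # Windows paths are case-insensitive; \Users\<x>\AppData\ is user-writable.
        p = self.image.lower()
        return "\\users\\" in p and "\\appdata\\" in p


def build_tree(events: list[dict]) -> dict[int, Proc]:
    """events in time order:
       {'type': 'create', 'pid', 'ppid', 'image'}   (Sysmon EID 1 shape)
       {'type': 'connect', 'pid', 'dst'}            (Sysmon EID 3 shape)"""
    procs: dict[int, Proc] = {}
    for ev in events:
        if ev["type"] == "create":
            procs[ev["pid"]] = Proc(ev["pid"], ev["ppid"], ev["image"])
        elif ev["type"] == "connect" and ev["pid"] in procs:
            procs[ev["pid"]].connects.append(ev["dst"])
    return procs


def detect(procs: dict[int, Proc]) -> list[tuple[int, str]]:
    """(pid, reason) for every process that matches a rule derived from the graph."""
    alerts: list[tuple[int, str]] = []
    for p in procs.values():
        parent = procs.get(p.ppid)
        if p.name == "jsc.exe" and parent is not None and parent.name == "autoit3.exe":
            alerts.append((p.pid, "jsc.exe spawned by AutoIt3.exe"))
        if p.name == "autoit3.exe" and p.user_writable:
            alerts.append((p.pid, "AutoIt3.exe running from the user profile"))
        if p.name == "jsc.exe" and p.connects:
            # jsc.exe is the JScript.NET compiler; it has no reason to open sockets.
            alerts.append((p.pid, "jsc.exe network activity to " + ",".join(p.connects)))
        if C2_IP in p.connects:
            alerts.append((p.pid, f"connection to known Amadey C2 {C2_IP}"))
    return alerts


# Constructed events mirroring the graph, plus a benign AutoIt install as a control.
SAMPLE_EVENTS = [
    {"type": "create", "pid": 100, "ppid": 1, "image": r"C:\Users\user\Downloads\lYYTvL1KgS.exe"},
    {"type": "create", "pid": 101, "ppid": 100, "image": r"C:\Users\user\AppData\Local\Temp\lYYTvL1KgS.tmp"},
    {"type": "create", "pid": 102, "ppid": 101, "image": r"C:\Users\user\AppData\Local\AutoIt3.exe"},
    {"type": "create", "pid": 103, "ppid": 102, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"},
    {"type": "connect", "pid": 103, "dst": "159.100.14.208"},
    {"type": "create", "pid": 200, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"type": "connect", "pid": 200, "dst": "93.184.216.34"},
    {"type": "create", "pid": 201, "ppid": 200, "image": r"C:\Program Files\AutoIt3\AutoIt3.exe"},
]

if __name__ == "__main__":
    for pid, reason in detect(build_tree(SAMPLE_EVENTS)):
        print(pid, reason)
```

The AutoIt3.exe rule keys on location rather than on the binary: the interpreter is legitimately signed and widely installed, so only a copy running out of AppData is worth an alert, which is exactly what the graph shows. The jsc.exe rules are independent of the C2 address and keep working when the operator moves the host.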
Threat name:
Win32.Trojan.Generic
Status:
Malicious
First seen:
2025-03-14 01:47:39 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
13 of 36 (36.11%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:amadey botnet:c6cb73 discovery persistence trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Amadey
Amadey family
Malware Config
C2 Extraction:
http://159.100.14.208
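The sandboxes agree on the network side of this sample: an HTTP POST to 159.100.14.208, and abuse_ch's comment gives the full check-in URL http://159.100.14.208/jb87ejvjdsS/index.php. As an added example by the editor (not part of this page or of any vendor's tooling), here is that indicator applied to HTTP proxy records. The record format and every log line are constructed; adapt parse_line() to the proxy or Zeek http.log you actually have. The third label rests on an assumption, stated in the code, that a relocated C2 may keep its directory name.

```python
"""Sweep HTTP records for the Amadey C2 indicators on this entry.
Added example; log format and lines are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit

# From abuse_ch's comment on this entry.
C2_URL = "http://159.100.14.208/jb87ejvjdsS/index.php"
C2_HOST = urlsplit(C2_URL).hostname  # "159.100.14.208"
C2_PATH = urlsplit(C2_URL).path      # "/jb87ejvjdsS/index.php"


@dataclass(frozen=True)
class HttpRecord:
    ts: str
    src: str
    dst: str
    method: str
    host: str
    uri: str
    status: int


def parse_line(line: str) -> HttpRecord | None:
    """Constructed format: ts src_ip dst_ip METHOD host uri status."""
    fields = line.split()
    if len(fields) != 7:
        return None
    ts, src, dst, method, host, uri, status = fields
    try:
        return HttpRecord(ts, src, dst, method.upper(), host, uri, int(status))
    except ValueError:
        return None


def classify(rec: HttpRecord) -> str | None:
    """Label a record, or None when nothing matches.

    c2-checkin         POST to the exact C2 path on the C2 host (what the sandbox saw)
    c2-host            any other traffic to the C2 IP
    c2-path-elsewhere  the C2 path on a different host; assumption: a moved C2
                       may keep its directory token, so this deserves a look
    """
    on_host = C2_HOST in (rec.dst, rec.host)
    path_match = rec.method == "POST" and rec.uri.split("?", 1)[0] == C2_PATH
    if on_host and path_match:
        return "c2-checkin"
    if on_host:
        return "c2-host"
    if path_match:
        return "c2-path-elsewhere"
    return None


def sweep(lines) -> list[tuple[str, str, str]]:
    """(label, source_ip, timestamp) for every parseable line that matches."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label:
            hits.append((label, rec.src, rec.ts))
    return hits


# Constructed records: two infected hosts checking in, normal browsing,
# a GET to the C2 IP, the same path on an unrelated host, and a malformed line.
SAMPLE_LOG = """\
2025-03-17T17:58:01Z 10.0.0.15 159.100.14.208 POST 159.100.14.208 /jb87ejvjdsS/index.php 200
2025-03-17T17:58:02Z 10.0.0.15 93.184.216.34 GET example.com / 200
2025-03-17T17:59:10Z 10.0.0.15 159.100.14.208 GET 159.100.14.208 / 404
2025-03-17T18:01:33Z 10.0.0.22 159.100.14.208 POST 159.100.14.208 /jb87ejvjdsS/index.php 200
2025-03-17T18:02:00Z 10.0.0.31 203.0.113.9 POST 203.0.113.9 /jb87ejvjdsS/index.php 200
# malformed record
""".splitlines()

if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOG):
        print(*hit)
```

Match on both the destination IP and the Host header: the sandbox shows the bot addressing the C2 by IP, so a Host-only rule would miss it, while an IP-only rule misses the case where the path is the only thing that survives a host change. Keep the c2-path-elsewhere label at a lower severity, since nothing on this page confirms that the directory token is reused.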
Unpacked files
SHA256 hash: 2f0a5d79e362c2bb34dd1cc42468f5ac0bc7f4affa64df85b8ce0e245a206299
MD5 hash: 003dc680c85178fe5dc35b150b0b207c
SHA1 hash: f6f28e247c30133f04f5307a68f39a1f745ff63e

SHA256 hash: 3269b3495fa583ea8d825ef31157b5a22dc4861b71b016e1fcc7d2261c4aed02
MD5 hash: 21f802b6d7ad5a0a6d10a15576c516b2
SHA1 hash: 55d989582104746e5c4aa4b0f2240d3a45a27154
Detections: AutoIT_Compiled

SHA256 hash: 1ebaf5b3e0e5ff3960d77fbdbea0ee74f4a37c5b73ea052d385df8ff08f3283f
MD5 hash: 96b3c330df2619f50dd6d57949228158
SHA1 hash: 4995610faec6d0a000ef11b1f2b7180986d96a0a
Detections: Amadey

SHA256 hash: 4d6445fd74fe073c9fca770fe6e5e7bfaec5d189cd52de773e8683d9f3521adf
MD5 hash: e6617fde70bc07eb5aa82a25fd1e70a5
SHA1 hash: 26d6e02259f813751e543c8dec1c975052509151

SHA256 hash: 86dcb8699891fa006bd1bf7d55cbc5d3ce4abde4e82f1d54235e945e938e2876
MD5 hash: 86dba9d6a2b3b3ce3f7dc7b0cf205cb2
SHA1 hash: 8002f23d577d8a901f015e123981c0225c773eb2

SHA256 hash: 206e66857637d3dd0a859195b5307189358318d609e6fc2580f39544bb4cfcc1
MD5 hash: a86d8881ff0a3dee5f39ef971f2af05b
SHA1 hash: f4aeb61b3a0bac977555fafcc8055528200ab933
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:Borland
Author:malware-lu
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_PowerShell_Obfuscation
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Rule name:PE_Digital_Certificate
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:shellcode
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
Reviews
ID | Capabilities | Evidence
SECURITY_BASE_API | Uses Security Base API | advapi32.dll::AdjustTokenPrivileges
WIN32_PROCESS_API | Can Create Process and Threads | kernel32.dll::CreateProcessW, advapi32.dll::OpenProcessToken, kernel32.dll::CloseHandle, kernel32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | kernel32.dll::LoadLibraryA, kernel32.dll::LoadLibraryExW, kernel32.dll::LoadLibraryW, kernel32.dll::GetSystemInfo, kernel32.dll::GetStartupInfoW, kernel32.dll::GetDiskFreeSpaceW
WIN_BASE_IO_API | Can Create Files | kernel32.dll::CreateDirectoryW, kernel32.dll::CreateFileW, kernel32.dll::DeleteFileW, kernel32.dll::GetWindowsDirectoryW, kernel32.dll::GetSystemDirectoryW, kernel32.dll::GetFileAttributesW
WIN_BASE_USER_API | Retrieves Account Information | advapi32.dll::LookupPrivilegeValueW
WIN_REG_API | Can Manipulate Windows Registry | advapi32.dll::RegOpenKeyExW, advapi32.dll::RegQueryValueExW
WIN_USER_API | Performs GUI Actions | user32.dll::PeekMessageW, user32.dll::CreateWindowExW

Comments