MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 34af34548204485237c6034f616c9c7b99ac6da1e595a9272dee0ea12e07002b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Amadey


Vendor detections: 9



SHA256 hash: 34af34548204485237c6034f616c9c7b99ac6da1e595a9272dee0ea12e07002b
SHA3-384 hash: bb98a0edf2053497332e4bc954e877fb96a022515131f009398eb3f70dd62f5dcfa418775c682c899d5a7dbf23c39d3a
SHA1 hash: 3a7264e9e24f92198b903216c300739af2c8440c
MD5 hash: 91f9b91f0b970f8b0c202e2b822fb03f
humanhash: island-grey-april-jupiter
File name: 34af34548204485237c6034f616c9c7b99ac6da1e595a9272dee0ea12e07002b.zip
Signature: Amadey
File size: 3'443'636 bytes
First seen: 2025-07-31 11:53:26 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep: 49152:2wMtbnFQC+J1Bt/VHTsIgz+ZRpbXYRmi9VlHSAmmSxlr6tCHrqgO7LCb:2wMhnmr1BLHYVibpbXQVNnmVThHm3LCb
TLSH: T1B5F5330B53369662050B4F30F553614E1B6E9CF32EA2D638D1318D7B92FADC286F5EA4
Magika: zip
Reporter: JAMESWT_WT
Tags: Amadey zip

Indicators Of Compromise (IOCs)


Below is the list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://85.208.84.41/f7ehhfadDSk/index.php
ThreatFox reference: https://threatfox.abuse.ch/ioc/1560372/

Intelligence


File Origin
# of uploads: 1
# of downloads: 105
Origin country: IT
File Archive Information

This file archive contains 5 file(s), sorted by their relevance:

File name: CheckerBasics.dll
File size: 16'384 bytes
SHA256 hash: 4f13f13adcdd5edfdfb45e85d90e34c13f93abc5a2b18eee1ac673aacd45b3db
MD5 hash: 8e3cd46a43352a4b9db1bae60a500d7e
MIME type: application/x-dosexec
Signature: Amadey

File name: Newtonsoft.Json.dll
File size: 700'336 bytes
SHA256 hash: 7f912b28a07c226e0be3acfb2f57f050538aba0100fa1f0bf2c39f1a1f1da814
MD5 hash: 6815034209687816d8cf401877ec8133
MIME type: application/x-dosexec
Signature: Amadey

File name: Colorful.Console.dll
File size: 90'112 bytes
SHA256 hash: f31d4fd7e729fc6cf4ecab972b6b1ee897918a325b1ca572030966f831e768fb
MD5 hash: 5f3d2cfbc21591b8feef1efa3e59a4d0
MIME type: application/x-dosexec
Signature: Amadey

File name: Leaf.xNet.dll
File size: 134'144 bytes
SHA256 hash: 5f4938c1140be5e19f0bfd0fe9838dccf8554db781c56482660aa7dc751fb4bb
MD5 hash: c56de89f88b5e8203a637fc0cc1fa0db
MIME type: application/x-dosexec
Signature: Amadey

File name: Coinbase Checker @Soud69.exe.exe
File size: 3'642'880 bytes
SHA256 hash: 720da27621335893eb8b2bf8350f213e6bf559359e6f9071822f027d812a2a55
MD5 hash: af6b4cea1f79badd946c80cf5db4676f
MIME type: application/x-dosexec
Signature: Amadey
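Before detonating or unpacking a sample pulled from this entry, a practitioner should confirm that the downloaded archive and its members are the ones the entry describes. The following is an added example (not MalwareBazaar's own tooling): it carries the archive hashes and member SHA256 values from the entry above, and checks a zip held in memory against them. The archive produced by `build_test_archive()` is constructed placeholder data, so running the script as-is reports mismatches, a missing member and an unlisted member, which is exactly the behaviour you want to see when a download has been tampered with or the wrong file was fetched. Pass the real archive bytes (and its password, if any) to `check_archive()` instead.

```python
"""Check a downloaded MalwareBazaar archive against the hashes on this entry.

Added example, not MalwareBazaar's own tooling. ENTRY_HASHES and
ENTRY_MEMBERS are copied from the entry; the archive built by
build_test_archive() is constructed placeholder data, so the report on it
shows how mismatching, missing and unlisted members are surfaced.
"""
import hashlib
import io
import zipfile
from typing import Dict, Optional

# Archive-level hashes from the entry (the .zip itself).
ENTRY_HASHES = {
    "sha256": "34af34548204485237c6034f616c9c7b99ac6da1e595a9272dee0ea12e07002b",
    "sha1": "3a7264e9e24f92198b903216c300739af2c8440c",
    "md5": "91f9b91f0b970f8b0c202e2b822fb03f",
}

# Member name -> SHA256 from the "File Archive Information" section.
ENTRY_MEMBERS = {
    "CheckerBasics.dll": "4f13f13adcdd5edfdfb45e85d90e34c13f93abc5a2b18eee1ac673aacd45b3db",
    "Newtonsoft.Json.dll": "7f912b28a07c226e0be3acfb2f57f050538aba0100fa1f0bf2c39f1a1f1da814",
    "Colorful.Console.dll": "f31d4fd7e729fc6cf4ecab972b6b1ee897918a325b1ca572030966f831e768fb",
    "Leaf.xNet.dll": "5f4938c1140be5e19f0bfd0fe9838dccf8554db781c56482660aa7dc751fb4bb",
    "Coinbase Checker @Soud69.exe.exe": "720da27621335893eb8b2bf8350f213e6bf559359e6f9071822f027d812a2a55",
}


def digests(data: bytes) -> Dict[str, str]:
    """SHA256/SHA1/MD5 of a byte string, keyed like ENTRY_HASHES."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def manifest(data: bytes, password: Optional[bytes] = None) -> Dict[str, str]:
    """Member name -> SHA256 for every file inside a zip held in memory.

    zipfile only handles legacy ZipCrypto passwords; an AES-encrypted archive
    has to be unpacked with another tool first.
    """
    out = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                out[info.filename] = hashlib.sha256(zf.read(info, pwd=password)).hexdigest()
    return out


def check_archive(data: bytes, expected: Dict[str, str], expected_members: Dict[str, str],
                  password: Optional[bytes] = None) -> dict:
    """Compare archive hashes and member hashes with what the entry lists.

    Returns {"archive": {alg: bool}, "members": {name: status}} where status is
    "ok", "mismatch" (present, different content), "missing" (listed but not in
    the zip) or "unlisted" (in the zip but not on the entry).
    """
    actual = digests(data)
    report = {"archive": {alg: actual[alg] == digest for alg, digest in expected.items()},
              "members": {}}
    found = manifest(data, password)
    for name, sha in found.items():
        if name not in expected_members:
            report["members"][name] = "unlisted"
        elif sha == expected_members[name]:
            report["members"][name] = "ok"
        else:
            report["members"][name] = "mismatch"
    for name in expected_members:
        if name not in found:
            report["members"][name] = "missing"
    return report


def is_trustworthy(report: dict) -> bool:
    """True only when every archive hash and every member matches the entry."""
    return all(report["archive"].values()) and all(s == "ok" for s in report["members"].values())


def build_test_archive() -> bytes:
    """Constructed stand-in archive with placeholder members (not the real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("CheckerBasics.dll", b"MZ placeholder, not the listed DLL")
        zf.writestr("Newtonsoft.Json.dll", b"MZ placeholder, not the listed DLL")
        zf.writestr("README.txt", b"member that the entry does not list")
    return buf.getvalue()


if __name__ == "__main__":
    blob = build_test_archive()  # real use: open("<sha256>.zip", "rb").read()
    rep = check_archive(blob, ENTRY_HASHES, ENTRY_MEMBERS)
    for alg, ok in rep["archive"].items():
        print(f"{alg:6} {'match' if ok else 'MISMATCH'}")
    for name, status in sorted(rep["members"].items()):
        print(f"{status:8} {name}")
    print("safe to proceed:", is_trustworthy(rep))
```

Any status other than "ok" on a member, or a False on an archive hash, means the file on disk is not what the entry describes; hold off on analysis rather than assume a benign cause. Note that matching all three archive hashes gives no opinion on whether the content is malicious; the entry itself says there is no guarantee of that.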
Vendor Threat Intelligence

Verdict: Malicious
Score: 99.9%
Tags: infosteal autorun emotet

Verdict: inconclusive
YARA: 3 match(es)
Tags: .Net Executable, PDB Path, PE (Portable Executable), SOS: 0.12, SOS: 0.23, SOS: 0.24, SOS: 0.26, Zip Archive

Threat name: Win32.Trojan.Amadey
Status: Malicious
First seen: 2025-07-31 14:50:40 UTC
File type: Binary (Archive)
Extracted files: 40
AV detection: 20 of 24 (83.33%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:amadey botnet:1f3bdd discovery execution persistence trojan

Malware Config
C2 Extraction:
http://76.46.157.65
http://85.208.84.41

Please note that we are no longer able to provide a coverage score for Virus Total.
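The IOC table and the "C2 Extraction" block above give two kinds of indicator: one full URL (host plus path) and two bare hosts. Matching them against egress logs is the usual first response action, and the distinction matters for confidence, since a hit on the exact URL is much stronger evidence of this family than any request to the same address. The following is an added example, not MalwareBazaar or ThreatFox code: it sweeps Squid-style access log lines for both indicator kinds and labels each hit accordingly. The log lines in `SAMPLE_LOG` are constructed for the demo; the indicator values are the ones from this entry.

```python
"""Hunt web-proxy logs for the Amadey C2 indicators listed on this entry.

Added example, not MalwareBazaar or ThreatFox code. Indicator values are
taken from the entry (IOC table and "C2 Extraction"); the log lines are
constructed for the demo and follow the Squid native access-log layout.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Full URL from the IOC table: highest-confidence match.
C2_URLS = {"http://85.208.84.41/f7ehhfadDSk/index.php"}
# Hosts from "C2 Extraction": any port or path on these addresses is suspect.
C2_HOSTS = {"76.46.157.65", "85.208.84.41"}

# Constructed sample: "<ts> <elapsed> <client> <code/status> <bytes> <method> <url> ..."
SAMPLE_LOG = """\
1753962806.112    210 10.0.0.17 TCP_MISS/200 512 POST http://85.208.84.41/f7ehhfadDSk/index.php - HIER_DIRECT/85.208.84.41 text/html
1753962807.004     15 10.0.0.23 TCP_MISS/200 9921 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1753962811.870     88 10.0.0.17 TCP_MISS/200 318 GET http://76.46.157.65/ - HIER_DIRECT/76.46.157.65 text/html
1753962812.300     40 10.0.0.42 TCP_MISS/404 120 GET http://85.208.84.41:8080/other.php - HIER_DIRECT/85.208.84.41 text/html
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def classify(url: str) -> Optional[str]:
    """'url' for an exact IOC URL, 'host' for any request to a C2 host, else None."""
    if url in C2_URLS:
        return "url"
    host = urlsplit(url).hostname  # drops the port, so 85.208.84.41:8080 still matches
    if host in C2_HOSTS:
        return "host"
    return None


def hunt(log_text: str) -> List[Dict[str, str]]:
    """Return one record per log line that touches a listed indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the sweep
        kind = classify(m["url"])
        if kind:
            hits.append({"ts": m["ts"], "client": m["client"], "method": m["method"],
                         "url": m["url"], "match": kind})
    return hits


def clients_to_triage(hits: List[Dict[str, str]]) -> List[str]:
    """Distinct internal hosts that talked to a listed C2, for the IR ticket."""
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['client']:<10} {h['method']:<4} {h['match']:<4} {h['url']}")
    print("triage:", ", ".join(clients_to_triage(found)))
```

Treat "host" hits as leads rather than confirmations: the extracted C2 addresses are plain IPs that can be reassigned or shared, so check the time window against the entry's first-seen date and look for the request pattern of the "url" hit on the same client before escalating.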

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:extracted_at_0x44b
Author:cb
Description:sample - file extracted_at_0x44b.exe
Reference:Internal Research
Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping malware through a base64-encoded PowerShell script.
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MAL_Win_Amadey_Jun25
Author:0x0d4y
Description:This rule detects intrinsic patterns of Amadey version 5.34
Reference:https://0x0d4y.blog/amadey-targeted-analysis/
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Author:malware-lu
Rule name:NETDLLMicrosoft
Author:malware-lu
Rule name:PE_Digital_Certificate
Author:albertzsigovits
Rule name:ScanStringsInsocks5systemz
Author:Byambaa@pubcert.mn
Description:Scans presence of the found strings using the in-house brute force method
Rule name:SUSP_XORed_Mozilla_Oct19
Author:Florian Roth
Description:Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()
Rule name:SUSP_XORed_Mozilla_RID2DB4
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May contain (obfuscated or not) PowerShell or CMD command that can be abused by threat actor (can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
Rule name:ThreadControl__Context
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:win_amadey_062025
Author:0x0d4y
Description:This rule detects intrinsic patterns of Amadey version 5.34.
Reference:https://0x0d4y.blog/amadey-targeted-analysis/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments