MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 367ee4227680f4696ad2c27dd809d2f5fbe1712d11a3171a5269ccc7f92e463f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 20


Intelligence 20 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 367ee4227680f4696ad2c27dd809d2f5fbe1712d11a3171a5269ccc7f92e463f
SHA3-384 hash: bca477b388d212a3ada9803efb3a6bbaa5a89b2a4d0b95f76bcb7211f91c2b4ffe75c5738c6076c436a48272c1f2490b
SHA1 hash: 9edf31faf30399457f5ef17b4b9edc8e04c868f5
MD5 hash: 4545db8dbdd518489821c8ab976c2813
humanhash: uncle-washington-wolfram-north
File name:2.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:1'522'688 bytes
First seen:2025-10-16 00:55:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 568eebe42af88b3c4c1a66dab767bb2f (2 x Amadey)
ssdeep 24576:ZMwDrI3nf7Gs7Gp8uDwtTSfRpFnbmUUf5VJXtHnl9PT:ZDUdG6uDakRPbdUJd/r
Threatray 28 similar samples on MalwareBazaar
TLSH T12365C0217512D0B2E1A190721E55ABA1E6BABC338B354FDF53D08B361E126D41F3AF39
TrID 32.2% (.EXE) Win64 Executable (generic) (10522/11/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4504/4/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
http://158.94.208.102/g8jejcDS74f/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://158.94.208.102/g8jejcDS74f/index.php https://threatfox.abuse.ch/ioc/1616401/

Intelligence

File Origin
# of uploads :
1
# of downloads :
204
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
Yahoo v1.1.zip
Verdict:
Malicious activity
Analysis date:
2025-10-16 00:29:18 UTC
Tags:
arch-exec amadey botnet stealer loader anti-evasion stealc python
Link:
https://app.any.run/tasks/4e18c226-6a84-4f90-a412-2558fe1ba29e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Amadey
Create hunting rule
Link:
https://www.capesandbox.com/analysis/32974/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68f0428997a16d00a8da62b6
Tags:
autorun spoof
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Сreating synchronization primitives
Creating a process from a recently created file
Launching a process
Creating a process with a hidden window
Searching for synchronization primitives
Creating a file
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm base64 crypt fingerprint fingerprint lolbin lumma microsoft_visual_cc netsh packed schtasks unsafe virus zusy
Link:
https://www.filescan.io/uploads/68f042893fe1a004456a8078/reports/0cff05a9-7920-4dc9-a90c-8c25a482ab3f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/367ee4227680f4696ad2c27dd809d2f5fbe1712d11a3171a5269ccc7f92e463f
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-10-15T21:17:00Z UTC
Last seen:
2025-10-17T22:26:00Z UTC
Hits:
~100
Detections:
VHO:Backdoor.Win64.Convagent.gen Trojan-PSW.Lumma.HTTP.Download Trojan-Dropper.Win32.Injector.sb Trojan.Agentb.TCP.C&C HEUR:Trojan-PSW.Win32.Lumma.gen Trojan-PSW.Win32.Lumma.wyi Trojan-Dropper.Win32.Dapato.sb Trojan.Win32.Agent.rnd PDM:Trojan.Win32.Generic Backdoor.Win32.Androm Trojan.Win32.Agent.sb
Link:
https://opentip.kaspersky.com/367ee4227680f4696ad2c27dd809d2f5fbe1712d11a3171a5269ccc7f92e463f/results?tab=lookup
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dbed9066-3ec2-4012-9a98-177ba282f5a5
Result
Threat name:
Amadey, Clipboard Hijacker, Diamotrix Cl
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1796176
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to start a terminal service
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Early bird code injection technique detected
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses string decryption to hide its real strings
Sets debug register (to hijack the execution of another thread)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected Clipboard Hijacker
Yara detected Diamotrix Clipper
Yara detected MicroClip
Yara detected RHADAMANTHYS Stealer
Yara detected Stealc v2
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1796176 Sample: 2.exe Startdate: 16/10/2025 Architecture: WINDOWS Score: 100 136 twc.trafficmanager.net 2->136 138 time.windows.com 2->138 140 13 other IPs or domains 2->140 166 Suricata IDS alerts for network traffic 2->166 168 Found malware configuration 2->168 170 Malicious sample detected (through community Yara rule) 2->170 172 16 other signatures 2->172 13 2.exe 2 3 2->13         started        17 swibu.exe 2->17         started        19 swibu.exe 2->19         started        21 5 other processes 2->21 signatures3 process4 file5 132 C:\Users\user\AppData\Roaming\syshost.exe, PE32 13->132 dropped 134 C:\Users\user\AppData\Roaming\swibu.exe, PE32+ 13->134 dropped 222 Contains functionality to start a terminal service 13->222 224 Creates multiple autostart registry keys 13->224 226 Uses schtasks.exe or at.exe to add and modify task schedules 13->226 23 syshost.exe 1 27 13->23         started        28 swibu.exe 13->28         started        30 schtasks.exe 1 13->30         started        32 schtasks.exe 1 13->32         started        228 Modifies the context of a thread in another process (thread injection) 17->228 230 Injects a PE file into a foreign processes 17->230 34 swibu.exe 17->34         started        36 swibu.exe 19->36         started        signatures6 process7 dnsIp8 142 158.94.208.102, 49691, 49692, 49695 JANETJiscServicesLimitedGB United Kingdom 23->142 144 176.46.152.46, 49694, 80 ESTPAKEE Iran (ISLAMIC Republic Of) 23->144 146 178.16.53.7, 49690, 49693, 49698 DUSNET-ASDE Germany 23->146 124 C:\Users\user\AppData\Local\Temp\...\s.exe, PE32 23->124 dropped 126 C:\Users\user\AppData\Local\Temp\...\clp.exe, PE32+ 23->126 dropped 128 C:\Users\user\AppData\Local\Temp\...\rad.exe, PE32+ 23->128 dropped 130 5 other malicious files 23->130 dropped 208 Multi AV Scanner detection for dropped file 23->208 210 Contains functionality to start a terminal service 23->210 212 Creates multiple autostart registry keys 23->212 38 zx.exe 51 23->38         started        42 rad.exe 23->42         started        45 s.exe 23->45         started        47 clp.exe 23->47         started        214 Sets debug register (to hijack the execution of another thread) 28->214 216 Modifies the context of a thread in another process (thread injection) 28->216 218 Injects a PE file into a foreign processes 28->218 49 swibu.exe 28->49         started        51 conhost.exe 30->51         started        53 conhost.exe 32->53         started        220 Injects code into the Windows Explorer (explorer.exe) 34->220 55 explorer.exe 34->55         started        57 explorer.exe 36->57         started        file9 signatures10 process11 dnsIp12 106 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 38->106 dropped 108 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32+ 38->108 dropped 110 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 38->110 dropped 118 47 other malicious files 38->118 dropped 186 Multi AV Scanner detection for dropped file 38->186 59 zx.exe 38->59         started        148 ntp1.net.berkeley.edu 169.229.128.134 UCBUS United States 42->148 150 ntp.time.nl 94.198.159.10 SIDNNL Netherlands 42->150 154 6 other IPs or domains 42->154 120 2 other malicious files 42->120 dropped 188 Early bird code injection technique detected 42->188 190 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 42->190 192 Tries to steal Mail credentials (via file / registry access) 42->192 200 8 other signatures 42->200 61 chrome.exe 42->61         started        63 chrome.exe 42->63         started        65 msedge.exe 42->65         started        152 176.46.152.47 ESTPAKEE Iran (ISLAMIC Republic Of) 45->152 112 C:\Users\user\AppData\Local\...\7_4778046.exe, PE32+ 45->112 dropped 114 C:\Users\user\AppData\Local\...\7_4733078.exe, PE32+ 45->114 dropped 116 C:\Users\user\AppData\Local\...\6_4770656.exe, PE32+ 45->116 dropped 122 9 other malicious files 45->122 dropped 194 Antivirus detection for dropped file 45->194 67 swibu.exe 47->67         started        70 schtasks.exe 47->70         started        196 Injects code into the Windows Explorer (explorer.exe) 49->196 198 Modifies the context of a thread in another process (thread injection) 49->198 72 explorer.exe 49->72         started        file13 signatures14 process15 signatures16 74 chrome.exe 61->74         started        77 chrome.exe 61->77         started        174 Modifies the context of a thread in another process (thread injection) 67->174 176 Injects a PE file into a foreign processes 67->176 79 swibu.exe 67->79         started        82 conhost.exe 70->82         started        178 Injects code into the Windows Explorer (explorer.exe) 72->178 180 Writes to foreign memory regions 72->180 182 Allocates memory in foreign processes 72->182 184 Creates a thread in another existing process (thread injection) 72->184 84 explorer.exe 35 9 72->84 injected process17 dnsIp18 156 192.168.2.5, 443, 49675, 49690 unknown unknown 74->156 158 googlehosted.l.googleusercontent.com 142.250.64.193 GOOGLEUS United States 74->158 160 2 other IPs or domains 74->160 232 Injects code into the Windows Explorer (explorer.exe) 79->232 234 Modifies the context of a thread in another process (thread injection) 79->234 86 explorer.exe 79->86         started        88 swibu.exe 84->88         started        91 swibu.exe 84->91         started        93 syshost.exe 84->93         started        95 2 other processes 84->95 signatures19 process20 signatures21 202 Modifies the context of a thread in another process (thread injection) 88->202 204 Injects a PE file into a foreign processes 88->204 97 swibu.exe 88->97         started        100 swibu.exe 91->100         started        206 Contains functionality to start a terminal service 93->206 process22 signatures23 162 Injects code into the Windows Explorer (explorer.exe) 97->162 164 Modifies the context of a thread in another process (thread injection) 97->164 102 explorer.exe 97->102         started        104 explorer.exe 100->104         started        process24
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/367ee4227680f4696ad2c27dd809d2f5fbe1712d11a3171a5269ccc7f92e463f
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/4545db8dbdd518489821c8ab976c2813
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/367ee4227680f4696ad2c27dd809d2f5fbe1712d11a3171a5269ccc7f92e463f/
Verdict:
Malicious
Threat:
Family.AMADEY
Link:
https://tip.neiki.dev/file/367ee4227680f4696ad2c27dd809d2f5fbe1712d11a3171a5269ccc7f92e463f
Threat name:
Win64.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-10-16 00:55:58 UTC
File Type:
PE+ (Exe)
Extracted files:
4
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gz7oiitwqd2gs2wsyj65qcos6x56c4jncgrrogssnhgmp6joiy7q._file
Verdict:
malicious
Label(s):
vidar
Create hunting rule
Similar samples:
12c73cf8cb9b42205636ea3daa24004db05de32f40f838d8f08c4f46d5f15538
Amadey
50dd1509cdf939140a6c4f03801ff7124d89307950aa2b003933e5b91bff55ad
Amadey
5900df1f7a056597ac529215af893e7ebf72e1f50bf8660ae4159e1698c86dad
Amadey
cd1b933186de9887c871bebdf8dcea3133ae253a2f6033d09d787413f68131cc
Amadey
d1bb18e8a3e4e3cbe08910ed8d92b970c936094059e3179b8f48c3f8df18853e
Amadey
d7ab100eec217ae7edde5ad39ec0775e7ebca760ed758c63c412a6253de6a9d5
Amadey
eaf3380be5ef1bff98fef23b114b28531dfb7423e25dfc94d7e76bdc43997327
Amadey
error
Amadey
+ 18 additional samples on MalwareBazaar
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey discovery execution persistence pyinstaller spyware stealer trojan upx
Link:
https://tria.ge/reports/251016-a988naf17f/
Behaviour
Checks processor information in registry
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Detects Pyinstaller
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Drops autorun.inf file
Suspicious use of SetThreadContext
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Amadey
Amadey family
Detects Amadey x86-bit Payload
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1bc328ef-a3d7-47c8-a0a2-2656e0565a31
Unpacked files
SH256 hash:
367ee4227680f4696ad2c27dd809d2f5fbe1712d11a3171a5269ccc7f92e463f
MD5 hash:
4545db8dbdd518489821c8ab976c2813
SHA1 hash:
9edf31faf30399457f5ef17b4b9edc8e04c868f5
Link:
https://www.unpac.me/results/adbc07f4-f5fd-44a8-9a82-d020430a774c/
SH256 hash:
567bc6c87779e3af9cc43b84887b83cc07e1889f789b1cd6ed663524f8414d0d
MD5 hash:
a5a7e6386d9e3e6c045b9aa8001d5a41
SHA1 hash:
4447d7ead660bf286f06c792b86f6887614bb928
Link:
https://www.unpac.me/results/adbc07f4-f5fd-44a8-9a82-d020430a774c/
SH256 hash:
2c0ddf000d9048b1bca93eaacaddd3b8a1a07e3248ad26c0a099cae3cbece1eb
MD5 hash:
a220e9fadbda236502404c75ee1a5741
SHA1 hash:
eab14eeef9d027f076574ae46bf78c5a6638353b
Link:
https://www.unpac.me/results/adbc07f4-f5fd-44a8-9a82-d020430a774c/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/367ee4227680/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/367ee4227680f4696ad2c27dd809d2f5fbe1712d11a3171a5269ccc7f92e463f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Amadey
Create hunting rule
Author:kevoreilly, YungBinary
Description:Amadey Payload
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 367ee4227680f4696ad2c27dd809d2f5fbe1712d11a3171a5269ccc7f92e463f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3615926/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/32974/

Comments