Threat name: Amadey, AsyncRAT, Healer AV Disabler, Lu
Alert
Classification: phis.troj.spyw.evad
Signatures:
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found API chain indicative of sandbox detection
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to download and execute files (via powershell)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadeys stealer DLL
Yara detected Healer AV Disabler
Yara detected LummaC Stealer
Yara detected obfuscated html page
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Behavior Graph
ID: 1608526
Sample: H0gXadpzWD.exe
Startdate: 06/02/2025
Architecture: WINDOWS
Score: 100

Process tree reconstructed from the behavior graph. Bracketed numbers are the graph's own process node IDs; "signatures" lists the detections attached to that node, "dropped" the files it wrote, "network" the IPs it contacted. Truncated paths are shown as the report shows them.

[2] root (sample H0gXadpzWD.exe)
  signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 28 other signatures
  [10] skotes.exe
    network: 185.215.113.16 (WHOLESALECONNECTIONSNL, Portugal); 185.215.113.43 (WHOLESALECONNECTIONSNL, Portugal); 185.215.113.97 (WHOLESALECONNECTIONSNL, Portugal)
    dropped: C:\Users\user\AppData\...\ff3622a4a0.exe (PE32); C:\Users\user\AppData\...\b159b031ff.exe (PE32); C:\Users\user\AppData\...\5f9178654e.exe (PE32); 34 other malicious files
    signatures: Creates multiple autostart registry keys; Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check)
    [21] 657b3c9f48.exe
      dropped: C:\Users\user\AppData\Local\...\JVMWkRICy.hta (HTML)
      signatures: Binary is likely a compiled AutoIt script file; Found API chain indicative of sandbox detection; Creates HTA files
      [39] mshta.exe
        signatures: Suspicious powershell command line found; Tries to download and execute files (via powershell)
        [60] powershell.exe
          dropped: TempFAX02ZFW5KAIPGHQ443E6PJ2GPLWSYG9.EXE (PE32)
          signatures: Powershell drops PE file
          [80] TempFAX02ZFW5KAIPGHQ443E6PJ2GPLWSYG9.EXE
            signatures: Detected unpacking (changes PE section rights); Machine Learning detection for dropped file; Modifies windows update settings; 7 other signatures
            [94] Conhost.exe
          [83] conhost.exe
      [42] cmd.exe
        signatures: Uses schtasks.exe or at.exe to add and modify task schedules
        [64] conhost.exe
        [66] schtasks.exe
    [25] cmd.exe
      [44] cmd.exe
        dropped: C:\Temp\SPKv5Uk3N.hta (HTML)
        signatures: Creates HTA files
        [68] mshta.exe
          signatures: Suspicious powershell command line found; Tries to download and execute files (via powershell)
          [85] powershell.exe
            dropped: C:\Users\...\483d2fa8a0d53818306efeb32d3.exe (PE32)
            [96] 483d2fa8a0d53818306efeb32d3.exe
              signatures: Multi AV Scanner detection for dropped file; Tries to detect sandboxes and other dynamic analysis tools (window names); Tries to evade debugger and weak emulator (self modifying code); 3 other signatures
            [99] conhost.exe
        [70] cmd.exe
          [88] powershell.exe
        [72] cmd.exe
          [90] powershell.exe
        [78] 4 other processes
          [92] powershell.exe
      [47] conhost.exe
    [27] 50e5c8add4.exe
      signatures: Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Injects a PE file into a foreign processes
      [49] 50e5c8add4.exe
        signatures: Query firmware table information (likely to detect VMs); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
    [37] 3 other processes
      signatures: Found many strings related to Crypto-Wallets (likely being stolen); Contains functionality to inject code into remote processes; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      [57] 8 other processes
        network: 95.216.115.242 (HETZNER-ASDE, Germany); 127.0.0.1 (unknown, unknown); 3 other IPs or domains
        signatures: Found many strings related to Crypto-Wallets (likely being stolen); Tries to steal Crypto Currency Wallets
  [15] H0gXadpzWD.exe
    dropped: C:\Users\user\AppData\Local\...\skotes.exe (PE32); C:\Users\user\...\skotes.exe:Zone.Identifier (ASCII)
    signatures: Detected unpacking (changes PE section rights); Tries to evade debugger and weak emulator (self modifying code); Tries to detect virtualization through RDTSC time measurements
    [29] skotes.exe
      signatures: Detected unpacking (changes PE section rights); 4 other signatures
  [17] 657b3c9f48.exe
    dropped: C:\Users\user\AppData\Local\...\iJY0ot7uG.hta (HTML)
    signatures: Binary is likely a compiled AutoIt script file; Creates HTA files
    [31] mshta.exe
      signatures: Suspicious powershell command line found; Tries to download and execute files (via powershell)
      [51] powershell.exe
        dropped: TempYBRQTFMNLMWDA8MYJXGY5C4WJH6NCGTD.EXE (PE32)
        [74] conhost.exe
    [33] cmd.exe
      [55] 2 other processes
        [76] Conhost.exe
  [19] 4 other processes
    signatures: Suspicious powershell command line found; Tries to download and execute files (via powershell); Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
    [35] powershell.exe
      [53] conhost.exe