MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 17


Intelligence 17 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77
SHA3-384 hash: c4609df6a6f4cd195fc9ba7647f77b748efc300114cd0b01a721fcbef33b5860f99f2d11093aba9735f7f7f4ebf0fb8f
SHA1 hash: 421fadebee484c9d19b9cb18faf3b0f5d9b7a554
MD5 hash: a92d6465d69430b38cbc16bf1c6a7210
humanhash: delta-solar-maine-comet
File name:random.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:439'296 bytes
First seen:2025-03-01 15:24:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 738a9f5d52d683b5b6a4ba77d2da72af (6 x Amadey, 1 x Rhadamanthys)
ssdeep 6144:Q/RCey1AxsmF1cQxQ3KcTN3Wz40v1fwb6prdotQ6g0MQYSE2/H9yQ+iT5gc7AOOp:Q/RCey1AxsmUQ63NmjyQ6g0MQYZc7Kb
Threatray 5'325 similar samples on MalwareBazaar
TLSH T1FC944A207817D032D62191B11FADFFF195ADA9269B710ADB7BC00E765A201E37A31F39
TrID 32.2% (.EXE) Win64 Executable (generic) (10522/11/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4504/4/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter aachum
Tags:092155 Amadey exe


Avatar
iamaachum
http://176.113.115.7/files/unique1/random.exe

Amadey Botnet: 092155
Amadey C2: http://176.113.115.6/Ni9kiput/index.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
355
Origin country :
ES ES
Vendor Threat Intelligence
Detection(s):
Win.Malware.Generic-10033391-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67c325a22dfba428b46f91ce
Tags:
vmdetect autorun emotet autoit
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connecting to a non-recommended domain
Connection attempt
Sending an HTTP POST request
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
amadey fingerprint lolbin microsoft_visual_cc netsh obfuscated stealer wmic
Link:
https://www.filescan.io/uploads/67c326ddf8726576332c0786/reports/73a3aebe-31ad-44d9-973c-4118d7d4fa89/overview
Verdict:
Malicious
Labled as:
Doina.Generic
Link:
https://www.hybrid-analysis.com/sample/3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e406a358-7f86-4cf0-a92a-4134c6a8e5b9
Result
Threat name:
Amadey, Credential Flusher, GCleaner, Lu
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1627193
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Creates HTA files
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to download and execute files (via powershell)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected Credential Flusher
Yara detected GCleaner
Yara detected LummaC Stealer
Yara detected obfuscated html page
Yara detected Powershell download and execute
Yara detected Stealc
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1627193 Sample: random.exe Startdate: 01/03/2025 Architecture: WINDOWS Score: 100 96 45.91.200.135 ON-LINE-DATAServerlocation-NetherlandsDrontenNL Netherlands 2->96 98 exarthynature.run 2->98 100 24 other IPs or domains 2->100 126 Suricata IDS alerts for network traffic 2->126 128 Found malware configuration 2->128 130 Malicious sample detected (through community Yara rule) 2->130 132 26 other signatures 2->132 10 rapes.exe 6 54 2->10         started        15 186adf2617.exe 2->15         started        17 random.exe 5 2->17         started        19 3 other processes 2->19 signatures3 process4 dnsIp5 108 176.113.115.6, 49712, 49713, 49744 SELECTELRU Russian Federation 10->108 110 176.113.115.7, 49720, 49766, 49824 SELECTELRU Russian Federation 10->110 84 C:\Users\user\AppData\...\977b4d66ef.exe, PE32 10->84 dropped 86 C:\Users\user\AppData\...\cefa09b2a4.exe, PE32 10->86 dropped 88 C:\Users\user\AppData\...\40c4d92e87.exe, PE32 10->88 dropped 94 17 other malicious files 10->94 dropped 170 Contains functionality to start a terminal service 10->170 172 Creates multiple autostart registry keys 10->172 21 dd662b5386.exe 10->21         started        24 186adf2617.exe 10->24         started        27 5a20b6327b.exe 12 10->27         started        34 7 other processes 10->34 174 Query firmware table information (likely to detect VMs) 15->174 176 Tries to harvest and steal ftp login credentials 15->176 178 Tries to harvest and steal browser information (history, passwords, etc) 15->178 180 Tries to steal Crypto Currency Wallets 15->180 90 C:\Users\user\AppData\Local\...\rapes.exe, PE32 17->90 dropped 92 C:\Users\user\...\rapes.exe:Zone.Identifier, ASCII 17->92 dropped 182 Contains functionality to inject code into remote processes 17->182 30 rapes.exe 17->30         started        184 Hides threads from debuggers 19->184 186 Tries to detect sandboxes / dynamic malware analysis system (registry check) 19->186 188 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 19->188 32 firefox.exe 19->32         started        file6 signatures7 process8 dnsIp9 134 Detected unpacking (changes PE section rights) 21->134 154 6 other signatures 21->154 36 BitLockerToGo.exe 21->36         started        80 C:\Users\...\O5B9GD1ATV6RLTMC0ANGDNKXPTNV.exe, PE32 24->80 dropped 136 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 24->136 138 Query firmware table information (likely to detect VMs) 24->138 140 Contains functionality to start a terminal service 24->140 142 Tries to steal Crypto Currency Wallets 24->142 40 O5B9GD1ATV6RLTMC0ANGDNKXPTNV.exe 24->40         started        112 techpxioneers.run 188.114.97.3, 443, 49812, 49817 CLOUDFLARENETUS European Union 27->112 114 steamcommunity.com 23.67.133.187, 443, 49801 AKAMAI-ASN1EU United States 27->114 144 Found many strings related to Crypto-Wallets (likely being stolen) 27->144 156 2 other signatures 27->156 146 Multi AV Scanner detection for dropped file 30->146 116 youtube.com 142.250.185.142 GOOGLEUS United States 32->116 118 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82 GOOGLEUS United States 32->118 124 6 other IPs or domains 32->124 43 firefox.exe 32->43         started        45 firefox.exe 32->45         started        120 45.93.20.28 COGENT-174US Netherlands 34->120 122 dawtastream.bet 172.67.200.156, 443, 49852, 49859 CLOUDFLARENETUS United States 34->122 82 C:\Users\user\AppData\Local\...\0uDicgVYv.hta, HTML 34->82 dropped 148 Binary is likely a compiled AutoIt script file 34->148 150 Tries to detect sandboxes and other dynamic analysis tools (window names) 34->150 152 Modifies windows update settings 34->152 158 4 other signatures 34->158 47 mshta.exe 34->47         started        49 9f19f13091.exe 34->49         started        51 cmd.exe 34->51         started        53 9 other processes 34->53 file10 signatures11 process12 dnsIp13 102 185.156.73.73 RELDAS-NETRU Russian Federation 36->102 72 C:\Users\user\AppData\Local\...\Y-Cleaner.exe, PE32 36->72 dropped 74 C:\Users\user\...\Bunifu_UI_v1.5.3.dll, PE32 36->74 dropped 76 C:\Users\user\AppData\Local\...\soft[1], PE32 36->76 dropped 78 C:\Users\user\AppData\Local\...\dll[1], PE32 36->78 dropped 160 Multi AV Scanner detection for dropped file 40->160 162 Suspicious powershell command line found 47->162 164 Tries to download and execute files (via powershell) 47->164 55 powershell.exe 47->55         started        104 exarthynature.run 104.21.96.1, 443, 49736, 49743 CLOUDFLARENETUS United States 49->104 166 Query firmware table information (likely to detect VMs) 49->166 168 Uses schtasks.exe or at.exe to add and modify task schedules 51->168 58 conhost.exe 51->58         started        60 schtasks.exe 51->60         started        62 conhost.exe 53->62         started        64 conhost.exe 53->64         started        66 conhost.exe 53->66         started        68 2 other processes 53->68 file14 signatures15 process16 dnsIp17 106 185.215.113.16 WHOLESALECONNECTIONSNL Portugal 55->106 70 conhost.exe 55->70         started        process18
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77/
Threat name:
Win32.Trojan.Whispergate
Create hunting rule
Status:
Malicious
First seen:
2025-02-23 14:25:37 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
30 of 38 (78.95%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=htnsixvqgerq2vss5jnbcygazo5wx2jpwpvdz4xocsz5qrtx7r3q._file
Verdict:
malicious
Label(s):
amadey
Create hunting rule
Similar samples:
1500f5d2c76350b29aaa9e46a37881fee4cd125b363d175909d2f5855990b95e
Amadey
360f28577ebce5c521979aa0d72c9c5d055074c479462349cdfe7ca06c2332cc
Amadey
36b9add594a4567786f897af4446dd80955572a45254502ab57c820b52022185
Amadey
6d4e4eafdd4a46ea7c96557580c7c39f1d850bb0b6ed1ddfaf884ea7b675df65
Amadey
939310706200640f603a1fb3e6528c3a4bafa87e0d610e817a7824cf2e089bc7
Amadey
b2137c97af2814ff8fdf50ddd9babc2231c049f08c2b86fdb27b9ccfa80b0946
Amadey
b40bca0264f21f6ad389319dd05a41d8168a8ac3e150ac1b2e21293711e62f18
Amadey
daec7b03c98cabb50f94c5ddf9ca7063918b9859291caadaf4cb75f954a4ab30
Amadey
error
Amadey
f71076e0c55d22eebaa094191d996299de7c0cb9f1bbde65a3b935ebeb0d0a3f
Amadey
fe674dea7f07e1e0320496f3ce1b42b0e7f3b406b2b482ebcd06bbaee14865d6
Amadey
+ 5'315 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:vidar family:xmrig family:xworm botnet:092155 botnet:ir7am credential_access defense_evasion discovery execution miner persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/250301-stq19atzhw/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
.NET Reactor proctector
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Uses browser remote debugging
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner payload
Detect Vidar Stealer
Detect Xworm Payload
Vidar
Vidar family
Xmrig family
Xworm
Xworm family
xmrig
Malware Config
C2 Extraction:
http://176.113.115.6
https://t.me/l793oy
https://steamcommunity.com/profiles/76561199829660832
95.164.19.68:1987
Verdict:
Malicious
Tags:
Win.Malware.Generic-10033391-0 c2 stealer lumma lumma_stealer
YARA:
n/a
Link:
https://app.threat.zone/submission/3a7f00c4-05aa-44e3-be27-de08dcfa58fa
Unpacked files
SH256 hash:
3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77
MD5 hash:
a92d6465d69430b38cbc16bf1c6a7210
SHA1 hash:
421fadebee484c9d19b9cb18faf3b0f5d9b7a554
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/51fc5a97-cdf3-44d8-a6f3-ab743289e9b8/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3cdb245eb031/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77

(this sample)

  
Link
https://tria.ge/250301-smfa6svky2/
  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3279844/
  
URLhaus
https://urlhaus.abuse.ch/url/3338012/
  
URLhaus
https://urlhaus.abuse.ch/url/3338043/
  
URLhaus
https://urlhaus.abuse.ch/url/3072521/
  
URLhaus
https://urlhaus.abuse.ch/url/3460858/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::GetSidSubAuthorityCount
ADVAPI32.dll::GetSidSubAuthority
ADVAPI32.dll::RevertToSelf
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdiplusStartup
gdiplus.dll::GdiplusShutdown
gdiplus.dll::GdipGetImageEncodersSize
gdiplus.dll::GdipGetImageEncoders
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::DuplicateTokenEx
ADVAPI32.dll::GetSidIdentifierAuthority
ADVAPI32.dll::ImpersonateLoggedOnUser
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteA
SHELL32.dll::SHFileOperationA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::VirtualAllocEx
KERNEL32.dll::WriteProcessMemory
KERNEL32.dll::CloseHandle
WININET.dll::InternetCloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::GetFileAttributesA
KERNEL32.dll::FindFirstFileA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::GetUserNameA
ADVAPI32.dll::LookupAccountNameA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegGetValueA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryInfoKeyW
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_SOCK_APIUses Network to send and receive dataWS2_32.dll::freeaddrinfo
WS2_32.dll::getaddrinfo

Comments