MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d16e392fa1bc80d36687c28ee2a1ca81283e8c0d8da703c17fc8a8703a0e9f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Amadey


Vendor detections: 19



SHA256 hash: 3d16e392fa1bc80d36687c28ee2a1ca81283e8c0d8da703c17fc8a8703a0e9f9
SHA3-384 hash: 8a38d997576fe0817e333a5a4273843cc45606f2a8fcffa046ee53d221e9a03d6b773b2dde370ba1b44bdf9046a7e3d5
SHA1 hash: c344b3c1cb8f45b4ff9ce4fa7c4e591c214b04de
MD5 hash: 17e96e93713cf1cc2c86f7194a4debc3
humanhash: low-lion-winter-golf
File name: Nexilo-CC-CheckerUpdated.exe
Signature: Amadey
File size: 14'496'768 bytes
First seen: 2025-10-27 17:30:11 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash e839b2b8c6a7d8e894d832a50c547c30 (1 x Amadey)
ssdeep 393216:a+qcVMBO09lbKGlIpEBl4LQ804e5/RCfwNsTGnX:aBPbKGlIg2h04u/RKSnX
TLSH T1EAE6231AB3A406FCD5AB907CD9475A42F672B8560370DBDF03A042BA2F636D09E3D761
TrID 53.0% (.EXE) InstallShield setup (43053/19/16)
20.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.9% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.4% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter abuse_ch
Tags: Amadey exe


abuse_ch
Amadey C2:
http://158.94.208.102/cvdfnaFJBmC2/index.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://158.94.208.102/cvdfnaFJBmC2/index.php
ThreatFox Reference: https://threatfox.abuse.ch/ioc/1627594/

Intelligence


File Origin
# of uploads:
1
# of downloads:
224
Origin country:
NL
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
Nexilo-CC-CheckerUpdated.exe
Verdict:
Malicious activity
Analysis date:
2025-10-27 16:28:26 UTC
Tags:
amadey botnet stealer auto-sch clipper diamotrix nuitka rdp auto-reg auto pythonstealer crypto-regex python loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
autorun emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Searching for synchronization primitives
Reading critical registry keys
Creating a file in the %temp% subdirectories
Running batch commands
Creating a window
Connection attempt to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Unauthorized injection to a system process
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
anti-debug anti-vm base64 expand explorer fingerprint lolbin microsoft_visual_cc netsh packed schtasks
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-10-27T08:54:00Z UTC
Last seen:
2025-10-27T22:25:00Z UTC
Hits:
~100
Result
Threat name:
Amadey, Clipboard Hijacker, MicroClip, R
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks if browser processes are running
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Drops PE files with benign system names
Early bird code injection technique detected
Found API chain indicative of debugger detection
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found pyInstaller with non standard icon
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Clipboard Hijacker
Yara detected MicroClip
Yara detected RHADAMANTHYS Stealer
Yara detected Stealc v2
Behaviour
Behavior Graph:
Behavior Graph ID: 1802636; Sample: Nexilo-CC-CheckerUpdated.exe; Start date: 27/10/2025; Architecture: WINDOWS; Score: 100 [rendered process graph not reproduced]
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Threat name:
Win64.Trojan.Amadey
Status:
Suspicious
First seen:
2025-10-27 13:54:53 UTC
File Type:
PE+ (Exe)
Extracted files:
10
AV detection:
24 of 38 (63.16%)
Threat level:
5/5
Verdict:
malicious
Label(s):
unc_loader_073
Similar samples:
Result
Malware family:
svcstealer
Score:
10/10
Tags:
family:svcstealer downloader execution persistence stealer
Behaviour
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in Windows directory
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
SvcStealer, Diamotrix
Svcstealer family
Malware Config
C2 Extraction:
http://176.46.152.46/diamo/data.php
http://158.94.208.102/diamo/data.php
http://178.16.53.7/diamo/data.php
http://176.46.152.47/diamo/data.php
Unpacked files
SHA256 hash:
3d16e392fa1bc80d36687c28ee2a1ca81283e8c0d8da703c17fc8a8703a0e9f9
MD5 hash:
17e96e93713cf1cc2c86f7194a4debc3
SHA1 hash:
c344b3c1cb8f45b4ff9ce4fa7c4e591c214b04de
SHA256 hash:
87769ce5583559cbb56095267d88c420b8d8799446c8a5e753df30f3c11db81d
MD5 hash:
00ac949decdfb50f383e2732b85342e4
SHA1 hash:
f08c1173138415f01a1519e8220e82d90f5e2cca
SHA256 hash:
b9e622eb1849ddf12bed114e1239345a7d8d241b8ae35311e0e2b925db8d56b6
MD5 hash:
3eb7620d88ee392f4ab95c848e3c95a6
SHA1 hash:
43fdd8b5f728c91fe35c8ee9a155a95f42d7e003
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BLOWFISH_Constants
Author: phoul (@phoul)
Description: Look for Blowfish constants
Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through a base64 encoded PowerShell script.
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: reverse_http
Author: CD_R0M_
Description: Identify strings with http reversed (ptth)
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: upxHook
Author: @r3dbU7z
Description: Detect artifacts from 'upxHook' - modification of UPX packer
Reference: https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name: WHIRLPOOL_Constants
Author: phoul (@phoul)
Description: Look for WhirlPool constants

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments