MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43210fa69584be3a162adcedda4cf7e4e61eda835a9955f94080b251f97f71a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 16


Intelligence 16 IOCs 2 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 43210fa69584be3a162adcedda4cf7e4e61eda835a9955f94080b251f97f71a1
SHA3-384 hash: 40e878918f6c6aaa661c87de723d10701cf831a1f9dc8a25bf1d0882b4ea38d2e3eed9edffbca6e2f2c5248fc2fce49d
SHA1 hash: 5ca782a3f40ba1539bcc214065901a000126c179
MD5 hash: 39f811c648cc1f58d649c0b9fba6f72d
humanhash: hot-mexico-solar-lake
File name:39f811c648cc1f58d649c0b9fba6f72d.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:961'024 bytes
First seen:2025-05-22 21:30:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 948cc502fe9226992dce9417f952fce3 (1'182 x CredentialFlusher, 446 x Formbook, 231 x AgentTesla)
ssdeep 24576:/qDEvCTbMWu7rQYlBQcBiT6rprG8aMlb:/TvC/MTQYxsWR7aMl
Threatray 33 similar samples on MalwareBazaar
TLSH T1A8159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
TrID 40.3% (.EXE) Win64 Executable (generic) (10522/11/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
http://91.92.46.53/2Api5/Api4/universalPhpmariadbdle/3/LongpolleternalRequestFlower/VideoRequest7request/Universalmariadb/6/LinuxphpPrivateUniversal/Universal/externalVideovmToPhpApiDlepublicCdnUploads.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://91.92.46.53/2Api5/Api4/universalPhpmariadbdle/3/LongpolleternalRequestFlower/VideoRequest7request/Universalmariadb/6/LinuxphpPrivateUniversal/Universal/externalVideovmToPhpApiDlepublicCdnUploads.php https://threatfox.abuse.ch/ioc/1532323/
162.120.19.25:7712 https://threatfox.abuse.ch/ioc/1532658/

Intelligence

File Origin
# of uploads :
1
# of downloads :
750
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
39f811c648cc1f58d649c0b9fba6f72d.exe
Verdict:
Malicious activity
Analysis date:
2025-05-22 21:35:20 UTC
Tags:
auto-sch loader amadey botnet stealer telegram lumma rdp
Link:
https://app.any.run/tasks/5c61405f-9fd3-46d4-bb26-6ab016363ee9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Generic.33203615.28472.17882.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=682f9942c28c67d666449728
Tags:
autorun autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Launching a process
Сreating synchronization primitives
Connection attempt
Sending an HTTP GET request
Creating a file
Creating a process from a recently created file
Searching for synchronization primitives
Connection attempt to an infection source
Enabling autorun by creating a file
Launching a file downloaded from the Internet
Sending an HTTP POST request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context autoit compiled-script fingerprint keylogger lolbin microsoft_visual_cc mshta packed schtasks
Link:
https://www.filescan.io/uploads/682f9794fd02ed5e05835381/reports/c3d8f44b-abe9-42f4-ae1f-80c7919a7e87/overview
Verdict:
Malicious
Labled as:
Trojan.Agent
Link:
https://www.hybrid-analysis.com/sample/43210fa69584be3a162adcedda4cf7e4e61eda835a9955f94080b251f97f71a1
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1782c127-73b1-44f6-85e1-b3450f59b681
Result
Threat name:
ScreenConnect Tool, Amadey, LummaC Steal
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1697272
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Benign windows process drops PE files
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Creates a Image File Execution Options (IFEO) Debugger entry
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Creates HTA files
Creates multiple autostart registry keys
Drops large PE files
Drops PE files with a suspicious file extension
Excessive usage of taskkill to terminate processes
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found pyInstaller with non standard icon
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to download and execute files (via powershell)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected LummaC Stealer
Yara detected obfuscated html page
Yara detected Powershell download and execute
Yara detected PRYSMAX STEALER
Yara detected PureLog Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1697272 Sample: 3wsVJzZK67.exe Startdate: 22/05/2025 Architecture: WINDOWS Score: 100 161 t.me 2->161 163 suZILJTpnmtlvXgrKDRlcKnDoR.suZILJTpnmtlvXgrKDRlcKnDoR 2->163 165 16 other IPs or domains 2->165 203 Suricata IDS alerts for network traffic 2->203 205 Found malware configuration 2->205 207 Malicious sample detected (through community Yara rule) 2->207 209 25 other signatures 2->209 12 ramez.exe 2->12         started        17 3wsVJzZK67.exe 1 2->17         started        19 mshta.exe 1 2->19         started        21 7 other processes 2->21 signatures3 process4 dnsIp5 181 185.156.72.96, 49722, 49723, 49728 ITDELUXE-ASRU Russian Federation 12->181 183 github.com 140.82.112.4, 443, 49724, 49726 GITHUBUS United States 12->183 185 objects.githubusercontent.com 185.199.111.133, 443, 49725, 49727 FASTLYUS Netherlands 12->185 135 C:\Users\user\AppData\Local\...\08IyOOF.exe, PE32+ 12->135 dropped 137 C:\Users\user\AppData\...\4a73b231a2.exe, PE32 12->137 dropped 139 C:\Users\user\AppData\Local\...\ZCm7ZwA.exe, PE32+ 12->139 dropped 143 28 other malicious files 12->143 dropped 275 Contains functionality to start a terminal service 12->275 23 qc8MT4h.exe 12->23         started        27 cmd.exe 12->27         started        29 i0vIpjm.exe 12->29         started        37 4 other processes 12->37 141 C:\Users\user\AppData\Local\...\ToOpSWCFR.hta, HTML 17->141 dropped 277 Binary is likely a compiled AutoIt script file 17->277 279 Found API chain indicative of sandbox detection 17->279 281 Creates HTA files 17->281 31 mshta.exe 1 17->31         started        33 cmd.exe 1 17->33         started        283 Suspicious powershell command line found 19->283 285 Tries to download and execute files (via powershell) 19->285 35 powershell.exe 14 16 19->35         started        287 Excessive usage of taskkill to terminate processes 21->287 file6 signatures7 process8 dnsIp9 117 C:\Users\user\AppData\Local\...\Venture.iso, DOS 23->117 dropped 119 C:\Users\user\AppData\Local\...\Vampire.iso, data 23->119 dropped 121 C:\Users\user\AppData\Local\Temp\Usd.iso, data 23->121 dropped 129 37 other malicious files 23->129 dropped 221 Multi AV Scanner detection for dropped file 23->221 223 Writes many files with high entropy 23->223 40 cmd.exe 23->40         started        43 cmd.exe 27->43         started        46 conhost.exe 27->46         started        225 Antivirus detection for dropped file 29->225 227 Writes to foreign memory regions 29->227 243 2 other signatures 29->243 48 MSBuild.exe 29->48         started        50 conhost.exe 29->50         started        229 Suspicious powershell command line found 31->229 231 Tries to download and execute files (via powershell) 31->231 52 powershell.exe 15 19 31->52         started        233 Drops PE files with a suspicious file extension 33->233 235 Uses schtasks.exe or at.exe to add and modify task schedules 33->235 55 2 other processes 33->55 57 2 other processes 35->57 173 cornerdurv.top 104.21.64.1 CLOUDFLARENETUS United States 37->173 175 66.63.187.190 ASN-QUADRANET-GLOBALUS United States 37->175 177 steamcommunity.com 23.222.161.105 AKAMAI-ASUS United States 37->177 123 C:\Users\user\AppData\...\runtime_broker.exe, PE32+ 37->123 dropped 125 C:\Users\user\...\CTMM2MI7LWFU5K85107.exe, PE32 37->125 dropped 127 C:\Users\user\...\BGE46CJWP3PX0SBD.exe, PE32+ 37->127 dropped 237 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 37->237 239 Query firmware table information (likely to detect VMs) 37->239 241 Creates an undocumented autostart registry key 37->241 245 9 other signatures 37->245 59 26 other processes 37->59 file10 signatures11 process12 dnsIp13 131 C:\Users\user\AppData\Local\...\Forecasts.com, PE32 40->131 dropped 61 conhost.exe 40->61         started        249 Suspicious powershell command line found 43->249 251 Tries to download and execute files (via powershell) 43->251 63 rtx.exe 43->63         started        67 sys.exe 43->67         started        78 2 other processes 43->78 253 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 48->253 255 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 48->255 257 Maps a DLL or memory area into another process 48->257 269 3 other signatures 48->269 69 explorer.exe 48->69 injected 167 185.156.72.2, 49714, 49715, 49729 ITDELUXE-ASRU Russian Federation 52->167 133 TempGAIRSQLOVIFQ76QWKSNDZBU1DDFTUFQ4.EXE, PE32 52->133 dropped 259 Found many strings related to Crypto-Wallets (likely being stolen) 52->259 271 2 other signatures 52->271 72 TempGAIRSQLOVIFQ76QWKSNDZBU1DDFTUFQ4.EXE 4 52->72         started        74 conhost.exe 52->74         started        261 Contains functionality to start a terminal service 57->261 76 ramez.exe 57->76         started        169 t.me 149.154.167.99 TELEGRAMRU United Kingdom 59->169 171 gofzm.digital 172.67.158.39 CLOUDFLARENETUS United States 59->171 263 Query firmware table information (likely to detect VMs) 59->263 265 Tries to harvest and steal ftp login credentials 59->265 267 Tries to harvest and steal browser information (history, passwords, etc) 59->267 273 2 other signatures 59->273 80 24 other processes 59->80 file14 signatures15 process16 dnsIp17 145 C:\Users\user\...\75204139856203418759, Unknown 63->145 dropped 147 C:\Users\user\...\46197283504128096357, Unknown 63->147 dropped 149 C:\Users\user\...\32098675419873205610, Unknown 63->149 dropped 187 Writes many files with high entropy 63->187 189 Found pyInstaller with non standard icon 63->189 82 rtx.exe 63->82         started        151 C:\Users\user\AppData\Local\Temp\...\rtx.exe, PE32+ 67->151 dropped 191 Drops large PE files 67->191 179 helpsscodds.in 119.194.160.37 KIXS-AS-KRKoreaTelecomKR Korea Republic of 69->179 153 C:\Users\user\AppData\Roaming\fwjcgic, PE32 69->153 dropped 193 System process connects to network (likely due to code injection or exploit) 69->193 195 Benign windows process drops PE files 69->195 155 C:\Users\user\AppData\Local\...\ramez.exe, PE32 72->155 dropped 197 Multi AV Scanner detection for dropped file 72->197 199 Contains functionality to start a terminal service 72->199 201 Contains functionality to inject code into remote processes 72->201 86 ramez.exe 72->86         started        157 C:\Users\user\AppData\Local\Temp\...\sys.exe, PE32 78->157 dropped 159 C:\Users\user\AppData\Local\Temp\...\rtx.rar, RAR 78->159 dropped file18 signatures19 process20 file21 115 C:\Users\user\AppData\Local\...\csrr.hxh, PE32 82->115 dropped 211 Creates an undocumented autostart registry key 82->211 213 Creates multiple autostart registry keys 82->213 88 cmd.exe 82->88         started        91 cmd.exe 82->91         started        93 cmd.exe 82->93         started        95 5 other processes 82->95 215 Multi AV Scanner detection for dropped file 86->215 217 Contains functionality to start a terminal service 86->217 219 Writes many files with high entropy 86->219 signatures22 process23 signatures24 247 Excessive usage of taskkill to terminate processes 88->247 97 conhost.exe 88->97         started        99 taskkill.exe 88->99         started        101 conhost.exe 91->101         started        103 taskkill.exe 91->103         started        105 conhost.exe 93->105         started        107 taskkill.exe 93->107         started        109 conhost.exe 95->109         started        111 conhost.exe 95->111         started        113 8 other processes 95->113 process25
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/43210fa69584be3a162adcedda4cf7e4e61eda835a9955f94080b251f97f71a1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/43210fa69584be3a162adcedda4cf7e4e61eda835a9955f94080b251f97f71a1/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2025-05-19 12:22:20 UTC
AV detection:
18 of 37 (48.65%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=imqq7juvqs7dufrk3tw5uthx4ttb5wudlkmvl6kaqczfd6l7ogqq._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
amadey
Create hunting rule
Similar samples:
0f378f4dbf137ca4abdf88f8d137684c4196935df8bc8e3cfabeb4bdc5c3ba75
Amadey
188c3798b6d41bdfa3981bb61a40b81f4fe123c64b9bed2d4c40951de2064f19
Amadey
2cff2d8379bed82a5e4a3620d03dd6a01858a42e0401d9cbfefde6bba3d04951
Amadey
3ccb9faef9dbef3d2f6116b69d9282eb4d12de78c7602df150cb606f6f2b0a50
Amadey
7b35ac7d0508af9f47937ccd33b06771dd38cb267ee00d47c4364a78aad29a71
Amadey
92088cdedc08a20576bdb1e8edab2555134ba5832628b7cd9c91515d21d3df4c
Amadey
b8e19fd419a785e6d78784f9641d502abde0869f26743e27a9bfd8e359e6b4a9
Amadey
dd1170d6628c0f63e2f2e7e86fed5092a1c93d579bdbdb52c677031dec24c9c0
Amadey
error
Amadey
+ 23 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer themida trojan
Link:
https://tria.ge/reports/250522-1ctptazly3/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Interacts with shadow copies
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry key
Runs net.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Hide Artifacts: Ignore Process Interrupts
Launches sc.exe
Drops file in System32 directory
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Indicator Removal: File Deletion
Legitimate hosting services abused for malware hosting/C2
Power Settings
Checks BIOS information in registry
Checks computer location settings
Credentials from Password Stores: Windows Credential Manager
Executes dropped EXE
Reads ssh keys stored on the system
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Unsecured Credentials: Credentials In Files
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Event Triggered Execution: Image File Execution Options Injection
Stops running service(s)
Uses browser remote debugging
Deletes shadow copies
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Disables service(s)
Lumma Stealer, LummaC
Lumma family
Modifies WinLogon for persistence
Modifies Windows Defender notification settings
Malware Config
C2 Extraction:
https://cornerdurv.top/adwq
https://narrathfpt.top/tekq
https://escczlv.top/bufi
https://localixbiw.top/zlpa
https://korxddl.top/qidz
https://ordntx.top/pxla/api
https://diecam.top/laur/api
https://citellcagt.top/gjtu
https://bogtkr.top/zhyk/api
Dropper Extraction:
http://185.156.72.2/testmine/random.exe
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/183cf1d0-1b2b-49ab-b7f0-0c264c647b15
Unpacked files
SH256 hash:
43210fa69584be3a162adcedda4cf7e4e61eda835a9955f94080b251f97f71a1
MD5 hash:
39f811c648cc1f58d649c0b9fba6f72d
SHA1 hash:
5ca782a3f40ba1539bcc214065901a000126c179
Link:
https://www.unpac.me/results/3f8ef75a-6f1e-4787-ad4d-5bd8a716892f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/43210fa69584be3a162adcedda4cf7e4e61eda835a9955f94080b251f97f71a1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 43210fa69584be3a162adcedda4cf7e4e61eda835a9955f94080b251f97f71a1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3542097/
  
Delivery method
Distributed via web download

Comments