MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4fb901198759e576ee8fb73510eddcf802091166f227af43b5903742079a2c8f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey
Vendor detections: 17

SHA256 hash: 4fb901198759e576ee8fb73510eddcf802091166f227af43b5903742079a2c8f
SHA3-384 hash: 7a586d4eefbf9f8b1401632b1186ac1e176a76fc6ddefbde56b4286524e4a255706a446d0f7ea9a8c03b5aa3bb94ccbe
SHA1 hash: 5b71e2af5805b30cfbda85e95117fa7acf66e8b0
MD5 hash: 9610430bd6a7fd411c5bc1b96424d119
humanhash: oklahoma-edward-finch-jupiter
File name:9610430BD6A7FD411C5BC1B96424D119.exe
Signature Amadey
File size:4'964'864 bytes
First seen:2025-07-26 00:31:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 98304:BpoEWrrc4UaQOgnjOSGpp5gINf8cQmun/QdbsRfvKNiIZG83Y:Xkrc4LQOgnC5vBQ7/FWiIZJ3Y
Threatray 1 similar samples on MalwareBazaar
TLSH T143363354B3D94125F86447B46C7E03830BB53ED1E766CA89252B3B0E16B32FC9261BDB
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10522/11/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:Amadey exe


abuse_ch
Amadey C2:
176.46.152.46:1912

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                                      ThreatFox reference
176.46.152.46:1912                       https://threatfox.abuse.ch/ioc/1560525/
http://94.154.35.25/di9ku38f/index.php   https://threatfox.abuse.ch/ioc/1560781/

Intelligence


File Origin
# of uploads: 1
# of downloads: 58
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
9610430BD6A7FD411C5BC1B96424D119.exe
Verdict:
Malicious activity
Analysis date:
2025-07-26 00:55:28 UTC
Tags:
lumma stealer amadey botnet loader telegram rdp qrcode gcleaner

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
vmdetect autorun autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating synchronization primitives
Searching for analyzing tools
DNS request
Behavior that indicates a threat
Connection attempt
Sending a custom TCP request
Creating a window
Searching for the window
Searching for synchronization primitives
Creating a file
Running batch commands
Launching a process
Sending an HTTP POST request
Launching a service
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-vm CAB explorer installer lolbin microsoft_visual_cc obfuscated packed packer_detected rundll32 runonce sfx
Gathering data
Result
Threat name:
Amadey, LummaC Stealer
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to start a terminal service
Detected unpacking (changes PE section rights)
Drops password protected ZIP file
Found API chain indicative of sandbox detection
Found malware configuration
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation STDIN+ Launcher
Sigma detected: PUA - NSudo Execution
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the nircmd tool (NirSoft)
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 1744466
Sample: P96z6UnaHh.exe
Start date: 26/07/2025
Architecture: WINDOWS
Score: 100

Network nodes in the graph: stfota.xyz; perfoxd.xyz (Performs DNS queries to domains with low reputation); 8 other IPs or domains; steamcommunity.com (23.204.10.89:443, AKAMAI-ASUS, United States); 94.154.35.25 (SELECTELRU, ports 49693, 49694, 49696)
Signatures attached to the root node: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus / Scanner detection for submitted sample; 13 other signatures

Process tree (the graph rendered as an indented tree; signatures in square brackets):
P96z6UnaHh.exe
  drops C:\Users\user\AppData\Local\...\2d7866.exe (PE32), C:\Users\user\AppData\Local\...\1i67p5.exe (PE32)
  2d7866.exe  [Multi AV Scanner detection for dropped file; Suspicious powershell command line found]
    drops C:\KGlU0OR\idcN8ML8.exe, C:\KGlU0OR\h0vI2e7J.exe, C:\KGlU0OR\KB31HMQe.exe (all PE32)
    cmd.exe  [Suspicious powershell command line found; Uses cmd line tools excessively to alter registry or file data; Bypasses PowerShell execution policy; 2 other signatures]
      idcN8ML8.exe  [Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; Found API chain indicative of sandbox detection]
        Ujt33fDd.exe  -> 94.154.35.25 (SELECTELRU)  [Multi AV Scanner detection for dropped file; Contains functionality to start a terminal service]
        cmd.exe  [Suspicious powershell command line found]
          powershell.exe  [Loading BitLocker PowerShell Module]
          conhost.exe
        cmd.exe
          KB31HMQe.exe  drops C:\KGlU0OR\Ujt33fDd.exe (PE32)
          conhost.exe
        cmd.exe
          conhost.exe
          schtasks.exe
      h0vI2e7J.exe
        drops C:\Users\user\AppData\Local\...\nircmd.exe (PE32+), C:\Users\user\AppData\Local\...\cecho.exe (PE32), C:\Users\user\AppData\Local\...\NSudoLG.exe (PE32+), 2 other malicious files
        cmd.exe  [Uses cmd line tools excessively to alter registry or file data]
          cmd.exe
            tasklist.exe
          conhost.exe
          25 other processes
      conhost.exe
  1i67p5.exe  -> steamcommunity.com (23.204.10.89:443)  [Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Tries to detect sandboxes and other dynamic analysis tools (window names); 4 other signatures]
idcN8ML8.exe (second instance, started from the root)  [Binary is likely a compiled AutoIt script file]
  cmd.exe
    powershell.exe  [Loading BitLocker PowerShell Module]
    conhost.exe
  Ujt33fDd.exe  [Contains functionality to start a terminal service]
  cmd.exe
    conhost.exe
    KB31HMQe.exe
  cmd.exe
    conhost.exe
    schtasks.exe
rundll32.exe
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
CAB:COMPRESSION:LZX Executable PDB Path PE (Portable Executable) Win 32 Exe x86
Threat name:
Win32.Spyware.Lummastealer
Status:
Malicious
First seen:
2025-07-25 00:18:00 UTC
File Type:
PE (Exe)
Extracted files:
147
AV detection:
25 of 35 (71.43%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
unc_loader_051 admintool_nircmd amadey lummastealer admintool_nsudo
Similar samples:
Result
Malware family:
Score:
  10/10
Tags:
family:amadey family:asyncrat family:ateraagent family:donutloader family:lumma family:redline family:sectoprat family:stealc family:vidar family:xmrig botnet:688030915904af919fe18b6149e6ca05 botnet:dcxwvcxv5 botnet:default botnet:fbf543 botnet:pohuy credential_access defense_evasion discovery execution infostealer loader miner persistence rat spyware stealer themida trojan upx
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Detects videocard installed
Enumerates system info in registry
GoLang User-Agent
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies registry key
Runs net.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
AutoIT Executable
Drops file in System32 directory
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
UPX packed file
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Power Settings
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Themida packer
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Downloads MZ/PE file
Drops file in Drivers directory
Sets service image path in registry
Stops running service(s)
Uses browser remote debugging
Detectes NiceHashMiner Payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner payload
Amadey
Amadey family
AsyncRat
Asyncrat family
AteraAgent
Ateraagent family
Detect Vidar Stealer
Detects AteraAgent
Detects DonutLoader
Disables service(s)
DonutLoader
Donutloader family
Lumma Stealer, LummaC
Lumma family
RedLine
RedLine payload
Redline family
SectopRAT
SectopRAT payload
Sectoprat family
Stealc
Stealc family
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Vidar family
Xmrig family
xmrig
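The sandbox signatures above (Joe Sandbox: "Uses schtasks.exe or at.exe to add and modify task schedules", "Bypasses PowerShell execution policy", "Uses the nircmd tool (NirSoft)", "PUA - NSudo Execution"; the behaviour list just above: "Adds Run key to start application", "Executes dropped EXE", "Enumerates processes with tasklist") describe process activity that endpoint telemetry also records. The following is an added example, not code from MalwareBazaar or any of the sandbox vendors, of turning a few of those signatures into detection logic over Sysmon Event ID 1 style process-creation records. The events, the task name "Updater", the script path C:\KGlU0OR\stage.ps1 and the nircmd arguments are constructed to mirror the process tree in the behavior graph; they are not telemetry from the sample.

```python
"""Rule-based detection over process-creation events shaped like Sysmon Event ID 1.
Added example; SAMPLE_EVENTS are constructed, not real telemetry from the sample."""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]   # keys: Image, ParentImage, CommandLine


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _has(pattern: str, text: str) -> bool:
    return re.search(pattern, text, re.I) is not None


_OS_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# "C:\KGlU0OR\idcN8ML8.exe": an executable sitting directly in an ad-hoc top-level directory
_ROOT_LEVEL_DIR = re.compile(r"^[a-z]:\\[^\\]+\\[^\\]+$")


def in_user_writable_dir(path: str) -> bool:
    """True for AppData/Temp/Public paths and for binaries in a throwaway root-level directory."""
    p = path.lower()
    if p.startswith(_OS_DIRS):
        return False
    return ("\\appdata\\local\\" in p or "\\temp\\" in p or "\\users\\public\\" in p
            or _ROOT_LEVEL_DIR.match(p) is not None)


# Each rule mirrors one sandbox signature from the entry above.
RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    # "Uses schtasks.exe or at.exe to add and modify task schedules" (ignores /query, /delete)
    ("schtasks_create", lambda e: basename(e["Image"]) == "schtasks.exe"
                                  and _has(r"(?:^|\s)/create\b", e["CommandLine"])),
    # "Bypasses PowerShell execution policy" / "Suspicious powershell command line found":
    # -ExecutionPolicy Bypass in any accepted abbreviation, or a long -EncodedCommand payload
    ("powershell_policy_bypass", lambda e: basename(e["Image"]) in ("powershell.exe", "pwsh.exe")
                                           and (_has(r"-(?:e[px]|exec|executionpolicy)\s+bypass", e["CommandLine"])
                                                or _has(r"\s-(?:e|ec|enc|encodedcommand)\s+[a-z0-9+/=]{20,}", e["CommandLine"]))),
    # "Adds Run key to start application" via reg.exe
    ("run_key_add", lambda e: basename(e["Image"]) == "reg.exe"
                              and _has(r"\badd\b.*\\currentversion\\run(?:once)?\b", e["CommandLine"])),
    # "Uses the nircmd tool (NirSoft)" / Sigma "PUA - NSudo Execution"
    ("admin_tool_abuse", lambda e: basename(e["Image"]) in
                                   {"nircmd.exe", "nircmdc.exe", "nsudo.exe", "nsudolg.exe", "nsudolc.exe"}),
    # "Executes dropped EXE" followed by a shell: cmd/powershell whose parent lives in a user-writable dir
    ("dropped_exe_spawns_shell", lambda e: basename(e["Image"]) in ("cmd.exe", "powershell.exe")
                                           and in_user_writable_dir(e["ParentImage"])),
]


def evaluate(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule name, Image) for every rule each event triggers, in event order."""
    hits = []
    for e in events:
        for name, pred in RULES:
            if pred(e):
                hits.append((name, e["Image"]))
    return hits


def summarize(events: List[Event]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for name, _ in evaluate(events):
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed events following the behavior graph above (paths real, command lines invented).
SAMPLE_EVENTS: List[Event] = [
    {"ParentImage": r"C:\KGlU0OR\idcN8ML8.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c schtasks /create /tn Updater /tr "C:\KGlU0OR\Ujt33fDd.exe" /sc minute /mo 1 /f'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn Updater /tr "C:\KGlU0OR\Ujt33fDd.exe" /sc minute /mo 1 /f'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File C:\KGlU0OR\stage.ps1"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d "C:\KGlU0OR\Ujt33fDd.exe" /f'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Users\user\AppData\Local\Temp\nircmd.exe",
     "CommandLine": r'nircmd.exe win hide ititle "cmd"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe notes.txt"},                      # benign: no rule should fire
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /query /fo LIST"},                    # benign: query, not create
]

if __name__ == "__main__":
    for rule, image in evaluate(SAMPLE_EVENTS):
        print(f"{rule:28s} {image}")
```

Each rule is deliberately narrow (schtasks /create rather than any schtasks, reg add under a Run key rather than any reg.exe) so that the same logic is usable as a hunting query; the `dropped_exe_spawns_shell` rule is the noisiest of the five and is best treated as context for the others rather than an alert on its own.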
Malware Config
C2 Extraction:
https://perfoxd.xyz/xkfj
https://stfota.xyz/toxz
https://mosaicia.top/zlap
https://corronxu.xyz/xowq
https://ondcvxe.top/xkdz
https://keepnody.top/tiow
https://eartheea.life/itiz
https://glassma.live/alpz
https://familkqo.xyz/xlak
https://siltapl.fun/xiru
https://royaltbn.xyz/xaoi
https://columnez.shop/xlak
https://mixp.digital/amnt
https://woodenso.top/xaoi
https://foundrr.bet/zuqy
https://potosuz.fun/xiir
https://wagnvp.fun/akjf
https://nanoceus.run/agkr
http://94.154.35.25
https://t.me/dz25gz
https://steamcommunity.com/profiles/76561199880530249
85.192.63.194:8848
176.46.152.46:1912
http://45.141.233.187
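The indicators on this page come in three shapes: bare IP:port pairs (the Amadey C2 reported by abuse_ch and listed in the ThreatFox table), URLs on attacker-controlled IPs or throwaway domains (the Lumma list above), and URLs on legitimate services used as dead-drop resolvers (the steamcommunity.com profile and the t.me link). Only the first two justify blocking the host; for the third, only the exact URL is an indicator. The following is an added example, not code from MalwareBazaar, ThreatFox or abuse.ch, that parses a subset of the indicators above into those classes and matches them against constructed connection, DNS and proxy records. The log format ("timestamp source kind value") and the records themselves are invented for the example.

```python
"""Match the ThreatFox IOCs and extracted C2 list above against connection, DNS
and proxy records.  Added example; the log lines are constructed, not real traffic."""
import ipaddress
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

# Indicators copied from the entry above (subset of the C2 extraction list).
IOCS = [
    "176.46.152.46:1912",
    "http://94.154.35.25/di9ku38f/index.php",
    "http://94.154.35.25",
    "85.192.63.194:8848",
    "http://45.141.233.187",
    "https://perfoxd.xyz/xkfj",
    "https://stfota.xyz/toxz",
    "https://t.me/dz25gz",
    "https://steamcommunity.com/profiles/76561199880530249",
]

# Legitimate services abused as dead-drop resolvers: only the exact URL is an
# indicator, blocking or alerting on the whole host would hit real users.
SHARED_HOSTS = {"steamcommunity.com", "t.me"}


def is_ip(s: str) -> bool:
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def parse_iocs(raw: List[str]) -> Dict[str, Set]:
    """Split mixed indicator strings into sockets, IPs, hostnames and (host, path) URLs."""
    sockets: Set[Tuple[str, int]] = set()
    ips: Set[str] = set()
    hosts: Set[str] = set()
    urls: Set[Tuple[str, str]] = set()
    for item in raw:
        item = item.strip()
        if "://" in item:
            u = urlsplit(item)
            host = (u.hostname or "").lower()
            path = u.path or "/"
            if is_ip(host):
                ips.add(host)                # a C2 IP is bad on any port
            elif host not in SHARED_HOSTS:
                hosts.add(host)              # throwaway C2 domain: host itself is bad
            if path != "/":
                urls.add((host, path))       # full URL is always an indicator
        else:
            host, sep, port = item.rpartition(":")
            if sep and port.isdigit() and is_ip(host):
                sockets.add((host, int(port)))
                ips.add(host)
            elif is_ip(item):
                ips.add(item)
            else:
                hosts.add(item.lower())
    return {"sockets": sockets, "ips": ips, "hosts": hosts, "urls": urls}


def match_line(line: str, iocs: Dict[str, Set]) -> List[Tuple[str, str]]:
    """One record per line: '<ts> <src> conn <dst>:<port>' | '... dns <name>' | '... http <url>'."""
    _ts, _src, kind, value = line.split(None, 3)
    if kind == "conn":
        dst, _, port = value.rpartition(":")
        if (dst, int(port)) in iocs["sockets"]:
            return [("socket", value)]
        if dst in iocs["ips"]:
            return [("ip", dst)]             # known C2 host, unexpected port: still worth a look
    elif kind == "dns":
        name = value.lower().rstrip(".")
        if name in iocs["hosts"]:
            return [("host", name)]
    elif kind == "http":
        u = urlsplit(value)
        host = (u.hostname or "").lower()
        path = u.path or "/"
        if (host, path) in iocs["urls"]:
            return [("url", host + path)]
        if host in iocs["hosts"]:
            return [("host", host)]
        if host in iocs["ips"]:
            return [("ip", host)]
    return []


def scan(lines: List[str], raw_iocs: List[str]) -> List[Tuple[int, str, str]]:
    """Return (1-based line number, match type, indicator) for every hit."""
    iocs = parse_iocs(raw_iocs)
    hits = []
    for n, line in enumerate(lines, 1):
        for kind, indicator in match_line(line, iocs):
            hits.append((n, kind, indicator))
    return hits


SAMPLE_LOG = [  # constructed records, not real traffic
    "2025-07-26T00:40:01Z 10.0.0.5 conn 176.46.152.46:1912",
    "2025-07-26T00:40:02Z 10.0.0.5 conn 176.46.152.46:443",
    "2025-07-26T00:40:05Z 10.0.0.5 dns perfoxd.xyz",
    "2025-07-26T00:40:07Z 10.0.0.5 http https://steamcommunity.com/profiles/76561199880530249",
    "2025-07-26T00:40:09Z 10.0.0.7 http https://steamcommunity.com/app/730",
    "2025-07-26T00:40:11Z 10.0.0.7 conn 23.204.10.89:443",
    "2025-07-26T00:40:13Z 10.0.0.5 http http://94.154.35.25/di9ku38f/index.php",
]

if __name__ == "__main__":
    for n, kind, indicator in scan(SAMPLE_LOG, IOCS):
        print(f"line {n}: {kind} {indicator}")
```

The fifth record (a different steamcommunity.com page) and the sixth (the Akamai edge that fronts steamcommunity.com in the behavior graph) produce no hit: neither the shared host nor the CDN IP is an indicator by itself, which is the distinction a blocklist built naively from the C2 extraction list would get wrong.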
Verdict:
Malicious
Tags:
stealer redline Win.Packed.Nanocore-9942160-0
YARA:
win_redline_wextract_hunting_oct_2023
Unpacked files
SHA256 hash: 4fb901198759e576ee8fb73510eddcf802091166f227af43b5903742079a2c8f
MD5 hash: 9610430bd6a7fd411c5bc1b96424d119
SHA1 hash: 5b71e2af5805b30cfbda85e95117fa7acf66e8b0

SHA256 hash: 82d36948c74c09768f2eb0f7560a672966b205cb05a987be11a5edfc93668f51
MD5 hash: d466cb49184ca2b7959b35fd0e69a71d
SHA1 hash: 664ae05aef108319bfef3211f718217af0e2ea90
Detections: Amadey

SHA256 hash: 002e297482b4acc39f8c177f4d62d6f6596639e6dc1bc7a5521f19e9b2381495
MD5 hash: 98ee6eb8e5969fb6f71e5cb6799f280e
SHA1 hash: aad83db96ff5092740189feba7b5412551998514

SHA256 hash: f28a5e66dfb4f7ec5c5bd7dbb51624363ced626d65f529c00fe3cbe39299dc5e
MD5 hash: 521f0a16b9d52f195f42f94d85f3bf8f
SHA1 hash: 318d7306bb53035c9a9d521b8dcba24723dda9b1

SHA256 hash: aa270b73d13a95ecdb507acb21a480ef08b3dff7ef64e1a75697bf9a29e74081
MD5 hash: 1c1d4513061cc289a10070164beddcf8
SHA1 hash: c67bb8b912079b0100b08950a398e1b4b501da51

SHA256 hash: 9d02210175c23f90f28e8d49f6c8d866125792885d82de08fa597ba283186343
MD5 hash: e262ce39439527867e7486f733504fbe
SHA1 hash: b9263797641b54ff214ffdae93cd5a25aa633acb
Detections: AutoIT_Compiled

SHA256 hash: 806e14c8bd693e858d74606284df0263c674144cb17806109e25ac91c85510f8
MD5 hash: 38457071d3faeea502c574a3f3ea5ba8
SHA1 hash: 8ef881f830787eb025c21051807ac341ce22a195

SHA256 hash: 772ed44867cd95be3517f2baea99106e5bbfed221a6d7fb1d8ac591afe02cb3a
MD5 hash: d260616b80864303586e6c2f727151de
SHA1 hash: ed288bcd5375cc6da6970da9d705c99c40afdc19

SHA256 hash: 84650e28d06640c00b558b1a80fac3dbb80e6f94b26bdaeee0eb80f1c58fb0f4
MD5 hash: b64e019681970678d241fd96e184a73a
SHA1 hash: f340dd298b3bc6e6c26fab53b2930b3db511c868
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Author:Varp0s
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:win_redline_wextract_hunting_oct_2023
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
ID                         Title                                                    Severity
CHECK_AUTHENTICODE         Missing Authenticode                                     high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (HIGH_ENTROPY_VA)   high
Reviews
ID / Capabilities / Evidence

AUTH_API - Manipulates User Authorization
  ADVAPI32.dll::AllocateAndInitializeSid
  ADVAPI32.dll::EqualSid
  ADVAPI32.dll::FreeSid
SECURITY_BASE_API - Uses Security Base API
  ADVAPI32.dll::AdjustTokenPrivileges
  ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_API - Can Create Process and Threads
  KERNEL32.dll::CreateProcessA
  ADVAPI32.dll::OpenProcessToken
  KERNEL32.dll::CloseHandle
  KERNEL32.dll::CreateThread
WIN_BASE_API - Uses Win Base API
  KERNEL32.dll::TerminateProcess
  KERNEL32.dll::LoadLibraryA
  KERNEL32.dll::LoadLibraryExA
  KERNEL32.dll::GetDriveTypeA
  KERNEL32.dll::GetVolumeInformationA
  KERNEL32.dll::GetSystemInfo
WIN_BASE_IO_API - Can Create Files
  KERNEL32.dll::CreateDirectoryA
  KERNEL32.dll::CreateFileA
  KERNEL32.dll::DeleteFileA
  KERNEL32.dll::GetWindowsDirectoryA
  KERNEL32.dll::GetSystemDirectoryA
  KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_API - Retrieves Account Information
  ADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_API - Can Manipulate Windows Registry
  ADVAPI32.dll::RegCreateKeyExA
  ADVAPI32.dll::RegOpenKeyExA
  ADVAPI32.dll::RegQueryInfoKeyA
  ADVAPI32.dll::RegQueryValueExA
  ADVAPI32.dll::RegSetValueExA
WIN_USER_API - Performs GUI Actions
  USER32.dll::PeekMessageA
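The two BLint findings above are both read straight from the PE optional header: CHECK_AUTHENTICODE fires when the Security data directory (index 4, the attached WIN_CERTIFICATE) has zero size, and CHECK_DLL_CHARACTERISTICS when hardening bits are missing from the DllCharacteristics field. The following is an added example, not BLint's own code, that performs both checks on raw header bytes and also reports the DYNAMIC_BASE (ASLR), NX_COMPAT (DEP) and GUARD_CF bits BLint groups under the same check. One caveat the sample illustrates: HIGH_ENTROPY_VA only has meaning for a 64-bit (PE32+) image, so this checker reports it only for PE32+ files, whereas BLint flagged it on this Win32 sample. The PE headers it runs on are synthetic, built by `synthetic_header` from the offsets in the PE/COFF specification; the function names and the finding labels are this example's own.

```python
"""Re-implementation of the Authenticode and DllCharacteristics checks above on
raw PE header bytes.  Added example, not BLint code; inputs are synthetic headers."""
import struct
from typing import List, Tuple

PE32, PE32_PLUS = 0x10B, 0x20B
DLL_FLAGS = {  # IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification
    "HIGH_ENTROPY_VA": 0x0020,   # 64-bit images only
    "DYNAMIC_BASE": 0x0040,      # ASLR
    "NX_COMPAT": 0x0100,         # DEP
    "GUARD_CF": 0x4000,          # Control Flow Guard
}


def optional_header(data: bytes) -> Tuple[int, int, int]:
    """Return (magic, DllCharacteristics, size of the Security directory) or raise ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 24                       # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32, PE32_PLUS):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset for PE32 and PE32+
    n_dirs = struct.unpack_from("<I", data, opt + (92 if magic == PE32 else 108))[0]
    sec_size = 0
    if n_dirs > 4:                            # Security directory is data directory index 4
        dirs = opt + (96 if magic == PE32 else 112)
        _rva, sec_size = struct.unpack_from("<II", data, dirs + 4 * 8)
    return magic, dll_chars, sec_size


def security_findings(data: bytes) -> List[str]:
    """Findings in the spirit of BLint's CHECK_AUTHENTICODE / CHECK_DLL_CHARACTERISTICS."""
    magic, dll_chars, sec_size = optional_header(data)
    findings = []
    if sec_size == 0:
        findings.append("CHECK_AUTHENTICODE")          # no WIN_CERTIFICATE attached
    for name, bit in DLL_FLAGS.items():
        if name == "HIGH_ENTROPY_VA" and magic != PE32_PLUS:
            continue                                   # not meaningful for a 32-bit image
        if not dll_chars & bit:
            findings.append("CHECK_DLL_CHARACTERISTICS:" + name)
    return findings


def synthetic_header(magic: int, dll_chars: int, sec_size: int) -> bytes:
    """Build the smallest header layout the checker needs (constructed test input, not a real PE)."""
    opt_len = 224 if magic == PE32 else 240
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C if magic == PE32 else 0x8664,
                                   0, 0, 0, 0, opt_len, 0x102)  # Machine .. Characteristics
    opt = bytearray(opt_len)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 92 if magic == PE32 else 108, 16)   # NumberOfRvaAndSizes
    dirs = 96 if magic == PE32 else 112
    struct.pack_into("<II", opt, dirs + 4 * 8, 0x1000 if sec_size else 0, sec_size)
    return dos + coff + bytes(opt)


if __name__ == "__main__":
    # A Win32 image with no signature and no hardening bits, as BLint reported for this sample
    print(security_findings(synthetic_header(PE32, 0, 0)))
    # A signed 64-bit image with every bit set
    print(security_findings(synthetic_header(PE32_PLUS, 0x0020 | 0x0040 | 0x0100 | 0x4000, 0x2000)))
```

A non-zero Security directory only shows that a certificate blob is attached; it says nothing about whether the signature verifies or whether the signer is trusted, so a "signed" result from this check is a prompt to run a real Authenticode verification, not a clean bill.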

Comments