MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5453acf964552200893bd02b4afef111f87ac65f14feefe843a39f3d6042b9df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 20


Intelligence 20 IOCs YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5453acf964552200893bd02b4afef111f87ac65f14feefe843a39f3d6042b9df
SHA3-384 hash: 14705836547499b5443ede5a328f4941d31fe68be053eb9688866cca3bd006df6a8b0cda112c8e771c1d6a7ee1a0ec9c
SHA1 hash: 926b7353ffff7a34e1b73a5888eef4a734fb74bd
MD5 hash: 155af2bd59aaead8f4020d3a19c1765c
humanhash: failed-butter-winner-apart
File name:SecuriteInfo.com.Trojan.PackedNET.3400.15176.22215
Download: download sample
Signature Amadey
Create hunting rule
File size:844'800 bytes
First seen:2025-09-12 06:16:07 UTC
Last seen:2025-09-12 07:20:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c9391c4d011b74463c0b80c8ef62af14 (4 x LummaStealer, 2 x Rhadamanthys, 1 x NanoCore)
ssdeep 24576:47WfF3nHO7mxfg+zFCgCfVzX1sHFgvwBb:47WZe6fTxMu2vS
Threatray 30 similar samples on MalwareBazaar
TLSH T1BD05F102E0F3A0B3F663A4F02E39D6A4582DF973AF344DEB6154F23459658D2537262B
TrID 49.9% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.6% (.EXE) OS/2 Executable (generic) (2029/13)
9.5% (.EXE) Generic Win/DOS Executable (2002/3)
9.4% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter SecuriteInfoCom
Tags:Amadey exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
112
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
Launcher.exe
Verdict:
Malicious activity
Analysis date:
2025-09-11 18:36:35 UTC
Tags:
lumma stealer amadey botnet loader auto generic autoit auto-startup auto-sch rdp netreactor pureminer
Link:
https://app.any.run/tasks/7d411001-c8c9-4715-94cf-f76e57dde785

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Amadey
Create hunting rule
Link:
https://www.capesandbox.com/analysis/27042/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.3400.15176.22215.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c3b2516e66ba602d7acc6d
Tags:
phishing autorun cobalt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Sending a custom TCP request
Query of malicious DNS domain
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
amadey crypt keylogger krypt microsoft_visual_cc packed unsafe
Link:
https://www.filescan.io/uploads/68c3bacbdbc6f5a29c415bd1/reports/9f0a3369-a692-4ea3-819d-d0dced90c212/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/5453acf964552200893bd02b4afef111f87ac65f14feefe843a39f3d6042b9df
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-10T13:11:00Z UTC
Last seen:
2025-09-10T13:11:00Z UTC
Hits:
~100
Detections:
Trojan-Downloader.Win32.Deyma.sb Trojan-Downloader.Win32.Deyma.lct Trojan-PSW.Lumma.HTTP.Download Trojan.Agentb.TCP.C&C BSS:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/5453acf964552200893bd02b4afef111f87ac65f14feefe843a39f3d6042b9df/results?tab=lookup
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/50d56318-3fca-4113-b4a0-e8a91d6eefcd
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5453acf964552200893bd02b4afef111f87ac65f14feefe843a39f3d6042b9df
Verdict:
inconclusive
YARA:
3 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/155af2bd59aaead8f4020d3a19c1765c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5453acf964552200893bd02b4afef111f87ac65f14feefe843a39f3d6042b9df/
Verdict:
Malicious
Threat:
Family.AMADEY
Link:
https://tip.neiki.dev/file/5453acf964552200893bd02b4afef111f87ac65f14feefe843a39f3d6042b9df
Threat name:
Win32.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-09-11 00:23:33 UTC
File Type:
PE (Exe)
AV detection:
30 of 38 (78.95%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=krj2z6lekurabcj32avuv7xrch4hvrs7ct7o72cduopt2yccxhpq._file
Verdict:
malicious
Label(s):
amadey
Create hunting rule
Similar samples:
2a2b75810cfd40cd803149592adbc5ae85d7a1c5f91a3cfa3c1593a1f84381c8
Amadey
62e6ff50f518e486bc4a0f6cf6be993eae8a62d6e257d4d294460ae30692299c
Amadey
8666d19b603834a8f842a86faddbbf0d8aeec003ff0b0152cff4c7fef936573d
Amadey
bbdc1202c69ce9c6ff5d2bbd11ad24f57fda5f92f0c045f86430cff52055a284
Amadey
d702da1da0a6cee7c8dff633c7b9d5092f52404e75068ccb0037a90494361ddb
Amadey
e1f00199faf5f9c3fd3e7745e063eefd63221132e45789ed11e0a3d6a4d4cb54
Amadey
e28d4cbee47765518c57f55682477097612afcf4fbf3243f39da4e6485f5eecb
Amadey
error
Amadey
fad2c0e8fe85428933e730f3844b81ecdc8d1ae26737a9dbbb241ae570cee57f
Amadey
+ 20 additional samples on MalwareBazaar
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey botnet:ecd247 discovery trojan
Link:
https://tria.ge/reports/250912-hj3besttcx/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Checks computer location settings
Executes dropped EXE
Amadey
Amadey family
Malware Config
C2 Extraction:
http://microsoft-telemetry.cc
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d31495e2-cd6b-4951-a0b7-310f51b7ce74
Unpacked files
SH256 hash:
5453acf964552200893bd02b4afef111f87ac65f14feefe843a39f3d6042b9df
MD5 hash:
155af2bd59aaead8f4020d3a19c1765c
SHA1 hash:
926b7353ffff7a34e1b73a5888eef4a734fb74bd
Link:
https://www.unpac.me/results/377571af-4e51-4c84-bcff-c18b726af204/
SH256 hash:
a0ebb02e401b49ec96071c44a301cb9409c574489209240b9a89d530cd8a072f
MD5 hash:
ef9ae0f63044399239df9c490af2d4ed
SHA1 hash:
4f9ee9d28457980cd55661af5ee2cfc40e7e2490
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/377571af-4e51-4c84-bcff-c18b726af204/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5453acf96455/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5453acf964552200893bd02b4afef111f87ac65f14feefe843a39f3d6042b9df

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Amadey
Create hunting rule
Author:kevoreilly, YungBinary
Description:Amadey Payload
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MAL_Win_Amadey_Jun25
Create hunting rule
Author:0x0d4y
Description:This rule detects intrinsic patterns of Amadey version 5.34
Reference:https://0x0d4y.blog/amadey-targeted-analysis/
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:win_amadey_062025
Create hunting rule
Author:0x0d4y
Description:This rule detects intrinsic patterns of Amadey version 5.34.
Reference:https://0x0d4y.blog/amadey-targeted-analysis/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 5453acf964552200893bd02b4afef111f87ac65f14feefe843a39f3d6042b9df

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3622282/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/27042/

Comments