MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 573af37432fd9cd8881a41511d518ff2415c0e0273ffa63c0d17fc9841b01254. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 17

SHA256 hash: 573af37432fd9cd8881a41511d518ff2415c0e0273ffa63c0d17fc9841b01254
SHA3-384 hash: 4de109a5e3206796564bb7aa64eef919503ab7719511b07edbffb1bf799c1ee5af7738c0c9020607bc606d040e3a57b5
SHA1 hash: 369c44287f8f6887afa4edf132a7aa71282879bd
MD5 hash: a6f6f90f79c5b9ff59e3e55bd9793a37
humanhash: idaho-princess-april-sixteen
File name: PowerInjector.exe
Signature: Amadey
File size: 2'419'200 bytes
First seen: 2025-03-22 22:02:14 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 49152:HW/dHlhBrorKfF1/zXxRzY6Ql6Wu14rFBVkd5w2JhbYal+KT3SUDUJKFnLbd5v3E:HSzr/fFZz/dQFu+rXV222JhbFsOSUOyW
Threatray: 3'329 similar samples on MalwareBazaar
TLSH: T16CB5335FEB2EAA25FBBC427E2987B09067107257B243E524277E7F2F65071D0CAD8142
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
Reporter: aachum
Tags: 3bb599 Amadey exe


iamaachum
Amadey Botnet: 3bb599
Amadey C2: http://ruspyc.top/j4Fvskd3/index.php

Intelligence


File Origin
# of uploads: 1
# of downloads: 446
Origin country: ES
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 573af37432fd9cd8881a41511d518ff2415c0e0273ffa63c0d17fc9841b01254
Verdict: Malicious activity
Analysis date: 2025-02-06 10:03:55 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.1%
Tags: phishing dropper androm msil
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %AppData% directory
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a process with a hidden window
Creating a file
Creating synchronization primitives
Connection attempt to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: net_reactor obfuscated packed packed packer_detected risepro
Result
Verdict: MALICIOUS
Result
Threat name: Amadey, PureLog Stealer
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Threat name: Win32.Trojan.RisePro
Status: Malicious
First seen: 2024-06-05 09:44:46 UTC
AV detection: 19 of 24 (79.17%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:amadey botnet:3bb599 discovery persistence trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Amadey
Amadey family
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction: http://ruspyc.top
Unpacked files

SHA256 hash: 573af37432fd9cd8881a41511d518ff2415c0e0273ffa63c0d17fc9841b01254
MD5 hash: a6f6f90f79c5b9ff59e3e55bd9793a37
SHA1 hash: 369c44287f8f6887afa4edf132a7aa71282879bd

SHA256 hash: 4aff76dbf54311f2bcf0b6814f26d3c558061fd4b3c360b83c4e6bb2df3f6dc7
MD5 hash: 1796c588eaac8165d0977ea613deced2
SHA1 hash: 2dc34d0596ebfb2f750dd65fd71e4b8c4777300b
Detections: win_amadey_auto Amadey win_amadey win_amadey_bytecodes_oct_2023

SHA256 hash: 78f73e1734daa918b253517c75971fbb8df773a3d77d02a752e9a0ad1711a677
MD5 hash: f9d2985aa1c41cca281321fffb5ed424
SHA1 hash: 3a7a58d2dcae2762882357ae34d372744b1dbb9d

SHA256 hash: 19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash: 4e29f75c0c51b9dec76955f0382d9541
SHA1 hash: 4899aa8e3f57339cbaec8faab777897a76fe1c3a

SHA256 hash: 817453e2b7ae878fe1d3db5c3f96acbf282057061aa836ddb088220a7cccbfea
MD5 hash: 38689a48df73c8c8cf70702916416918
SHA1 hash: 61646f575217112b9675991bd078b8c6cafad5fb

SHA256 hash: 3d1e96410f64e53bbba4ec809aa520d753f2d0c71a45c7aa14f399f7dab3c31a
MD5 hash: ea579792c0432a9d0dba5cba1bdbb693
SHA1 hash: 8f71fee43f646d6f20ece62c51ca6d6a7409010f
Detections: SUSP_OBF_NET_Reactor_Indicators_Jan24
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Amadey
File: Executable exe 573af37432fd9cd8881a41511d518ff2415c0e0273ffa63c0d17fc9841b01254 (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (GUARD_CF) | high

Comments