MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5751e2875e02115604baafe3870714275faf46021f716c7f8d506b2c48bee457. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Amadey


Vendor detections: 14



SHA256 hash: 5751e2875e02115604baafe3870714275faf46021f716c7f8d506b2c48bee457
SHA3-384 hash: feff93edd1561ad933ae2dff0876be512252f9bdee79f6a9253e402bbb1bee630d34189f74e3b09468df37195f945036
SHA1 hash: c448f6aff20463d9d5b9dd72fb448917b9f2e064
MD5 hash: b619a300030a85b7a72255c20cbb5325
humanhash: leopard-failed-sixteen-three
File name: b619a300030a85b7a72255c20cbb5325.exe
Signature: Amadey
File size: 3'053'568 bytes
First seen: 2025-03-26 15:07:50 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep: 49152:g2pYjSdWzHGTd5G8byxK3l4FBxVOeE/cH/:JOhzmZ5GilUcO
TLSH: T18CE53BA2A94AB5CFD08F177A942BCD82995D43FD0B2245C3D9ACB4BE7E63CC111B5C24
TrID: 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
      19.2% (.EXE) OS/2 Executable (generic) (2029/13)
      19.0% (.EXE) Generic Win/DOS Executable (2002/3)
      18.9% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: abuse_ch
Tags: Amadey exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 447
Origin country: NL

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: b619a300030a85b7a72255c20cbb5325.exe
Verdict: Malicious activity
Analysis date: 2025-03-26 15:24:13 UTC
Tags: lumma stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 92.5%
Tags: vmdetect autorun
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Searching for analyzing tools
Searching for the window
Connection attempt to an infection source
Using the Windows Management Instrumentation requests
Query of malicious DNS domain
Sending a TCP request to an infection source

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-vm packed packed packer_detected
Result
Verdict: MALICIOUS

Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: ScreenConnect Tool, Amadey, DarkVision R
Detection: malicious
Classification: rans.phis.troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide user accounts
Contains functionality to start a terminal service
Creates autostart registry keys with suspicious names
Creates HTA files
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Drops PE files with a suspicious file extension
Enables network access during safeboot for specific services
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies security policies related information
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Possible COM Object hijacking
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Search for Antivirus process
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Windows Binaries Write Suspicious Extensions
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to download and execute files (via powershell)
Tries to evade analysis by execution special instruction (VM detection)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes many files with high entropy
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected DarkVision Rat
Yara detected LummaC Stealer
Yara detected obfuscated html page
Yara detected Powershell download and execute
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph
Behavior Graph ID: 1649264
Sample: ATitERlY7I.exe
Startdate: 26/03/2025
Architecture: WINDOWS
Score: 100
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 30 other signatures

Process tree recovered from the graph (graph node numbers in brackets; "net" = contacted IPs, "dropped" = files written, "signatures" = per-process findings):

- ATitERlY7I.exe [15]
    net: 176.113.115.7 (SELECTELRU, Russian Federation); 172.64.80.1 (CLOUDFLARENETUS, United States)
    dropped: C:\Users\...\Y51F5R8RTSY3X5EIVUZFK6OH6ZM.exe (PE32)
    signatures: Detected unpacking (changes PE section rights); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); 3 other signatures
    - Y51F5R8RTSY3X5EIVUZFK6OH6ZM.exe [29]
        dropped: C:\Users\user\AppData\Local\...\rapes.exe (PE32)
        signatures: Detected unpacking (changes PE section rights); Contains functionality to start a terminal service; Tries to evade debugger and weak emulator (self modifying code); 4 other signatures
        - rapes.exe [52]
            signatures: Detected unpacking (changes PE section rights); Contains functionality to start a terminal service; Tries to evade debugger and weak emulator (self modifying code); 3 other signatures
- rapes.exe [10]
    net: 176.113.115.6 (SELECTELRU, Russian Federation); 140.82.113.4 (GITHUBUS, United States); 2 other IPs or domains
    dropped: C:\Users\user\AppData\Local\...\WLbfHbp.exe (PE32); C:\Users\user\AppData\Local\...\f73ae_003.exe (PE32); C:\Users\user\AppData\Local\...\TbV75ZR.exe (PE32); 18 other malicious files
    signatures: Contains functionality to start a terminal service; Creates multiple autostart registry keys; Hides threads from debuggers; 2 other signatures
    - f73ae_003.exe [21]
        signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Query firmware table information (likely to detect VMs); 5 other signatures
        - svchost.exe [41]
            net: 82.29.67.160 (NTLGB, United Kingdom); 104.26.8.202 (CLOUDFLARENETUS, United States)
            dropped: C:\Users\user\AppData\Local\...\w32tm.exe (PE32+); C:\ProgramData\...\tzutil.exe (PE32+); C:\Users\user\AppData\Local\Temp\...\set.bat (PNG)
            signatures: Creates autostart registry keys with suspicious names; Creates multiple autostart registry keys
            - tzutil.exe [62]
                net: 104.168.28.10 (AS-COLOCROSSINGUS, United States); 127.0.0.1
                dropped: C:\Windows\Temp\KM5s9h_8128.sys (PE32+)
                signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Query firmware table information (likely to detect VMs); 2 other signatures
                - powershell.exe [83]: Loading BitLocker PowerShell Module; starts conhost.exe and WmiPrvSE.exe
                - powershell.exe [86]: starts conhost.exe
            - w32tm.exe [67]
                net: 4.28.136.57 (LEVEL3US, United States)
                dropped: C:\Users\user\AppData\Local\...\4ef72a73.exe (PE32)
                signatures: Tries to evade analysis by execution special instruction (VM detection); Writes many files with high entropy; Found direct / indirect Syscall (likely to bypass EDR)
            - cmd.exe [69]: starts conhost.exe
        - cmd.exe [46]
            signatures: Adds a directory exclusion to Windows Defender
            - powershell.exe [71]: Loading BitLocker PowerShell Module
            - conhost.exe
    - TbV75ZR.exe [24]
        dropped: C:\Users\user\AppData\Local\...\Weekends.vss (data); C:\Users\user\AppData\...\Strengthening.vss (data); 11 other malicious files
        signatures: Writes many files with high entropy
        - cmd.exe [48]
            dropped: C:\Users\user\AppData\Local\Temp\...xam.com (PE32)
            - 12 other processes [79]: dropped C:\Users\user\AppData\Local\Temp\267978\j (data)
    - 7IIl2eE.exe [27]
        dropped: C:\Users\user\AppData\Local\...\Visitor.cab (data); C:\Users\user\AppData\Local\Temp\Tigers.cab (data); C:\Users\user\AppData\Local\...\Theology.cab (data); 6 other malicious files
        - cmd.exe [50]
            signatures: Drops PE files with a suspicious file extension; Writes many files with high entropy
            - conhost.exe
    - 5 other processes [39]
        dropped: C:\Users\user\AppData\Local\...\R1qcWNAGC.hta (HTML)
        signatures: Contains functionality to hide user accounts; Binary is likely a compiled AutoIt script file; Tries to detect sandboxes and other dynamic analysis tools (window names); 3 other signatures
        - mshta.exe [58]
            signatures: Suspicious powershell command line found; Tries to download and execute files (via powershell)
            - powershell.exe [77]
                dropped: TempTPHYRBLB1O9CZBK8A5DEKA0OBZRCZLUJ.EXE (PE32)
                signatures: Powershell drops PE file
                - conhost.exe
        - 3 other processes [60]
            dropped: C:\Users\user\AppData\Local\...\MSI5AA7.tmp (PE32)
            - 2 other processes
- msiexec.exe [17]
    dropped: C:\Windows\Installer\MSI913A.tmp (PE32); C:\Windows\Installer\MSI8189.tmp (PE32); C:\...\ScreenConnect.WindowsFileManager.exe (PE32); 9 other malicious files
    signatures: Enables network access during safeboot for specific services; Modifies security policies related information
    - msiexec.exe [31]
        - rundll32.exe [54]
            dropped: C:\Users\user\...\ScreenConnect.Windows.dll (PE32); C:\...\ScreenConnect.InstallerActions.dll (PE32); C:\Users\user\...\ScreenConnect.Core.dll (PE32); 4 other malicious files
            signatures: Contains functionality to hide user accounts
    - msiexec.exe [33]
    - msiexec.exe [35]
- 5 other processes [19]
    signatures: Benign windows process drops PE files; Changes security center settings (notifications, updates, antivirus, firewall); Writes many files with high entropy
    - MpCmdRun.exe [37]
        - conhost.exe [56]
Threat name: Win32.Trojan.Cerbu
Status: Malicious
First seen: 2025-03-26 15:03:35 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 18 of 24 (75.00%)
Threat level: 5/5

Result
Malware family: n/a
Score: 9/10
Tags: defense_evasion discovery spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Checks BIOS information in registry
Identifies Wine through registry keys
Reads user/profile data of local email clients
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SHA256 hash: 39f38ba1ba27fb2cf846d1ac576a7a7dfa407cc06653c089922b8b3c6a11f2e3
MD5 hash: 4c7fe7742597f445c5eeba572d74f151
SHA1 hash: c777591c1d04fcf8768da30b53e38a651aa0844c

SHA256 hash: 5751e2875e02115604baafe3870714275faf46021f716c7f8d506b2c48bee457
MD5 hash: b619a300030a85b7a72255c20cbb5325
SHA1 hash: c448f6aff20463d9d5b9dd72fb448917b9f2e064
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Amadey
File: Executable exe 5751e2875e02115604baafe3870714275faf46021f716c7f8d506b2c48bee457 (this sample)

Delivery method
Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                          Title                                                     Severity
CHECK_AUTHENTICODE          Missing Authenticode                                      high
CHECK_DLL_CHARACTERISTICS   Missing dll Security Characteristics (HIGH_ENTROPY_VA)    high
CHECK_NX                    Missing Non-Executable Memory Protection                  critical

Comments