MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5bdefb9f7366ddf3b5d7002cc9cee37ec0bbfddc76ea28d5d667e4563f3c92c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Amadey


Vendor detections: 18



SHA256 hash: 5bdefb9f7366ddf3b5d7002cc9cee37ec0bbfddc76ea28d5d667e4563f3c92c0
SHA3-384 hash: a67e60490719000483f5ee183761f73f939713fdeb6fb85275054b2a4d4b56b6667536119a05d97c5d339d9d7cf6e810
SHA1 hash: daa8c33e3bb0fd2e9e110e51add443e1c22cd1f3
MD5 hash: 20804890273fa0387262be080ed29b18
humanhash: ten-steak-eight-gee
File name: 20804890273fa0387262be080ed29b18.exe
Signature: Amadey
File size: 2'122'240 bytes
First seen: 2025-02-18 17:54:20 UTC
Last seen: 2025-02-18 19:29:10 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:/B8o1FVx0yYWCNKlxIGZNv3IkpIu3U6+:5fzMWrZrpIuk
Threatray 9 similar samples on MalwareBazaar
TLSH T194A522A4BAB3AD4CFC95D4B6F561E97BCDD1C1232AC7983A820CD342C507A12BF65970
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags: Amadey exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 430
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
ffa05200d7a741017eb476eef981b041.exe
Verdict:
Malicious activity
Analysis date:
2025-02-18 06:35:17 UTC
Tags:
amadey botnet stealer loader lumma stealc credentialflusher gcleaner themida auto generic rdp

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
70%
Tags:
vmdetect spam
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Searching for analyzing tools
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
anti-vm anti-vm microsoft_visual_cc obfuscated packed packed packer_detected
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Amadey, GCleaner, Healer AV Disabler, Lu
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates HTA files
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Drops script or batch files to the startup folder
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Found suspicious ZIP file
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Potentially malicious time measurement code found
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Sigma detected: Drops script at startup location
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to download and execute files (via powershell)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected GCleaner
Yara detected Healer AV Disabler
Yara detected LummaC Stealer
Yara detected obfuscated html page
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Vidar stealer
Behaviour
Behavior Graph: (graph rendering not reproduced here) Behavior Graph ID: 1618231; Sample: ok2W3lr6k5.exe; Startdate: 18/02/2025; Architecture: WINDOWS; Score: 100
Threat name:
Win32.Trojan.Amadey
Status:
Malicious
First seen:
2025-02-18 09:47:10 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
22 of 24 (91.67%)
Threat level:
5/5
Result
Malware family:
Score:
10/10
Tags:
family:amadey family:healer family:redline family:sectoprat family:stealc family:vidar botnet:9c9aa5 botnet:cheat botnet:reno bootkit credential_access defense_evasion discovery dropper evasion execution infostealer persistence rat spyware stealer trojan
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
AutoIT Executable
Checks system information in the registry
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Writes to the Master Boot Record (MBR)
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Windows security modification
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Uses browser remote debugging
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
Detect Vidar Stealer
Detects Healer an antivirus disabler dropper
Healer
Healer family
Modifies Windows Defender DisableAntiSpyware settings
Modifies Windows Defender Real-time Protection settings
Modifies Windows Defender TamperProtection settings
Modifies Windows Defender notification settings
RedLine
Redline family
SectopRAT
SectopRAT payload
Sectoprat family
Stealc
Stealc family
Vidar
Vidar family
Malware Config
C2 Extraction:
http://185.215.113.43
https://t.me/g02f04
https://steamcommunity.com/profiles/76561199828130190
103.84.89.222:33791
http://185.215.113.115
Dropper Extraction:
http://185.215.113.16/defend/random.exe
http://185.215.113.16/mine/random.exe
Verdict:
Malicious
Tags:
stealer lumma_stealer c2 win32_amadey
YARA:
n/a
Unpacked files
SHA256 hash:
5bdefb9f7366ddf3b5d7002cc9cee37ec0bbfddc76ea28d5d667e4563f3c92c0
MD5 hash:
20804890273fa0387262be080ed29b18
SHA1 hash:
daa8c33e3bb0fd2e9e110e51add443e1c22cd1f3
SHA256 hash:
1285a092bffedf1219c87dbdd7ebc9b853b7fc73f8296b757a1d499df9475d4f
MD5 hash:
2373410db1bb10f8c34971a61af59693
SHA1 hash:
bd3bbe7cff0e9407de81e9ac483350b4c826a1c7
Detections:
Amadey win_amadey
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Amadey
Author: kevoreilly
Description: Amadey Payload
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: pe_detect_tls_callbacks
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques
Rule name: Windows_Generic_Threat_1f2e969c
Author: Elastic Security
Rule name: win_amadey_a9f4
Author: Johannes Bader
Description: matches unpacked Amadey samples

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Malware family: Amadey
File: Executable exe 5bdefb9f7366ddf3b5d7002cc9cee37ec0bbfddc76ea28d5d667e4563f3c92c0 (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings (ID: Title, Severity)
CHECK_AUTHENTICODE: Missing Authenticode, severity high
CHECK_DLL_CHARACTERISTICS: Missing DLL Security Characteristics (HIGH_ENTROPY_VA), severity high
CHECK_NX: Missing Non-Executable Memory Protection, severity critical
