MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f29a44082777948c77009b37df18b6a8f16233115bc0efc269db93b73955c39. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 19

SHA256 hash: 5f29a44082777948c77009b37df18b6a8f16233115bc0efc269db93b73955c39
SHA3-384 hash: 7f08655b108b948ed76fc4c167af37e0b3bab8ebb0ad8a2746edfec831e3534d3c66fec2be91736c8a4454a40fb452e6
SHA1 hash: 4901fe6e1f29e6ffef8a0891e636af655a97b3ed
MD5 hash: e87971ab932ef2758559645cb9542af6
humanhash: green-hydrogen-spaghetti-robert
File name: E87971AB932EF2758559645CB9542AF6.exe
Signature: Amadey
File size: 8'839'680 bytes
First seen: 2025-10-07 20:10:15 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep: 196608:uKHoFOeXf+92mJ4Jaka3xHaKxS5simZlEfzNyGO32c7rZ0MEOIZrN:THoxfm6JaPZaySulArNXG2c7uMEVZr
TLSH: T13E9633B4B1247ECFC4EE5DB9874AD10D5083FBFB82DAA6618CD4611C21A521EFF9B118
TrID: 52.9% (.EXE) Win32 Executable (generic) (4504/4/1)
      23.5% (.EXE) Generic Win/DOS Executable (2002/3)
      23.5% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: abuse_ch
Tags: Amadey exe


abuse_ch
Amadey C2:
196.251.88.83:5103

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                    ThreatFox Reference
196.251.88.83:5103     https://threatfox.abuse.ch/ioc/1608806/

Intelligence


File Origin
# of uploads :
1
# of downloads :
170
Origin country :
NL
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
E87971AB932EF2758559645CB9542AF6.exe
Verdict:
Malicious activity
Analysis date:
2025-10-07 20:12:06 UTC
Tags:
amadey botnet stealer auto redline loader stealc vidar themida unlocker-eject tool rdp github evasion rmm-tool netsupport arcstealer arch-exec rustystealer pastebin miner anti-evasion purecrypter auto-startup gcleaner

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
vmdetect emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Searching for analyzing tools
Creating a file in the %temp% directory
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
Creating a file in the Windows directory
Enabling the 'hidden' option for recently created files
Launching a process
Creating a process with a hidden window
Creating a service
Launching a service
Restart of the analyzed sample
Creating a file in the Windows subdirectories
Searching for synchronization primitives
Running batch commands
Creating a window
Searching for the window
Launching the default Windows debugger (dwwin.exe)
Creating a file
Enabling autorun for a service
Connection attempt to an infection source
Sending an HTTP POST request to an infection source
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
crypt obfuscated packed packed themidawinlicense xpack zusy
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-04T20:19:00Z UTC
Last seen:
2025-10-07T13:58:00Z UTC
Hits:
~10
Result
Threat name:
Amadey, Millenuim RAT, Vidar
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to start a terminal service
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: PUA - NSudo Execution
Sigma detected: Suspicious New Service Creation
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the nircmd tool (NirSoft)
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected Costura Assembly Loader
Yara detected Millenuim RAT
Yara detected Telegram RAT
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 1790994
Sample: Dng45wwhNj.exe
Startdate: 07/10/2025
Architecture: WINDOWS
Score: 100
Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 18 other signatures

Process tree (graph node id and image, followed by dropped files, network contacts, signatures and child processes as the graph records them):

2  [sample]
   started: 10 Dng45wwhNj.exe, 14 Dng45wwhNj.exe, 16 svchosthelper.exe, 18 (2 other processes)
10 Dng45wwhNj.exe
   dropped: C:\Windows\systemhelper.exe (PE32); C:\Windows\svchosthelper.exe (PE32); C:\Users\user\AppData\...\svchostmanager.exe (PE32+); 3 other malicious files
   signatures: Detected unpacking (changes PE section rights); Contains functionality to start a terminal service; Drops executables to the windows directory (C:\Windows) and starts them; 2 other signatures
   started: 21 svchostam.exe, 26 systemhelper.exe, 28 svchostmanager.exe, 36 (4 other processes)
14 Dng45wwhNj.exe
   dropped: C:\Windows\Temp\svchostmanager.exe (PE32+); C:\Windows\Temp\svchostam.exe (PE32)
   signatures: Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check)
   started: 30 svchostmanager.exe, 32 svchostam.exe, 34 svchosthelper.exe, 38 (2 other processes)
16 svchosthelper.exe
18 (2 other processes)
   network: 40.126.29.12 MICROSOFT-CORP-MSN-AS-BLOCKUS United States
   started: 40 (3 other processes)
21 svchostam.exe
   network: 94.154.35.25 SELECTELRU Ukraine; 178.16.55.189 DUSNET-ASDE Germany
   dropped: C:\Users\user\AppData\Local\...\VaOMtun.exe (PE32+); C:\Users\user\AppData\Local\...\0XKMCfK.exe (PE32); C:\Users\user\AppData\Local\...\X3RelfF.exe (PE32+); 26 other files (25 malicious)
   signatures: Multi AV Scanner detection for dropped file; Query firmware table information (likely to detect VMs); Contains functionality to start a terminal service
   started: 42 KMKbPed.exe, 45 abMMGV5.exe, 48 vQIQY7m.exe
26 systemhelper.exe
   dropped: C:\Users\user\AppData\Local\...\nircmd.exe (PE32+); C:\Users\user\AppData\Local\Temp\...\game.exe (PE32); C:\Users\user\AppData\Local\...\cecho.exe (PE32); 3 other malicious files
   started: 51 cmd.exe
28 svchostmanager.exe
   network: 149.154.167.99 TELEGRAMRU United Kingdom; 49.13.34.131 HETZNER-ASDE Germany
   signatures: Found many strings related to Crypto-Wallets (likely being stolen); 3 other signatures
30 svchostmanager.exe
   signatures: Detected unpacking (changes PE section rights); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); 3 other signatures
32 svchostam.exe
   signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Tries to detect sandboxes / dynamic malware analysis system (registry check)
34 svchosthelper.exe
   started: 53 WerFault.exe
36 (4 other processes)
   signatures: Uses cmd line tools excessively to alter registry or file data; Uses schtasks.exe or at.exe to add and modify task schedules; Uses the nircmd tool (NirSoft)
   started: 55 conhost.exe, 61 (3 other processes)
38 (2 other processes)
   started: 57 WerFault.exe, 59 WerFault.exe
42 KMKbPed.exe
   signatures: Multi AV Scanner detection for dropped file; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions
   started: 63 explorer.exe, 67 cmd.exe
45 abMMGV5.exe
   dropped: C:\Users\user\AppData\Roaming\...\svchost.exe (PE32)
   signatures: Detected unpacking (changes PE section rights); Tries to detect sandboxes and other dynamic analysis tools (window names); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); 5 other signatures
48 vQIQY7m.exe
   network: 116.203.9.134 HETZNER-ASDE Germany
   signatures: Allocates memory in foreign processes; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes; Found direct / indirect Syscall (likely to bypass EDR)
51 cmd.exe
   signatures: Uses cmd line tools excessively to alter registry or file data
   started: 69 cmd.exe, 71 conhost.exe, 73 nircmd.exe, 75 (8 other processes)
53 WerFault.exe
   network: 172.178.240.162 ATT-INTERNET4US United States
57 WerFault.exe
   network: 135.234.160.244 LUCENT-CIOUS United States
63 explorer.exe
   network: 172.67.199.99 CLOUDFLARENETUS United States; 1.1.1.1 CLOUDFLARENETUS Australia
   signatures: System process connects to network (likely due to code injection or exploit); Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal browser information (history, passwords, etc); 4 other signatures
67 cmd.exe
   started: 77 Acrobat.exe, 79 conhost.exe
69 cmd.exe
   started: 81 tasklist.exe
77 Acrobat.exe
   started: 83 AcroCEF.exe
83 AcroCEF.exe
   network: 199.232.210.172 FASTLYUS United States; 23.43.57.129 AKAMAI-ASN1EU United States
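The dropped paths in the graph above (copies of the loader written to C:\Windows and C:\Windows\Temp under svchost-like names, and a svchost.exe placed under the user's Roaming profile) are exactly what a file-creation telemetry feed would show on the victim. The Python below is an added example, not MalwareBazaar, Joe Sandbox or Sigma code, and not the "Files With System Process Name In Unsuspected Locations" Sigma rule itself: it applies a heuristic of this example's own design to those paths, treating an exact system binary name outside its home directory as a masquerade, a name that merely embeds one (svchosthelper.exe, svchostmanager.exe, svchostam.exe) as suspicious, and an executable written straight into C:\Windows as worth a look. The system-process list, the expected directories and the benign control paths are assumptions of this example; the page's elided "..." path segment is kept as printed.

```python
"""Heuristic check for dropped executables that borrow Windows system process names.

Added example, not MalwareBazaar or Joe Sandbox code, and not the Sigma rule
'Files With System Process Name In Unsuspected Locations' itself. The name list
and the expected directories are this example's own assumptions.
"""
import ntpath  # Windows path semantics, usable on any OS

# Assumed: a short list of binaries that legitimately live only under the
# Windows system directories (explorer.exe also lives directly in C:\Windows).
SYSTEM_PROCESS_NAMES = {
    "svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe",
    "winlogon.exe", "services.exe", "conhost.exe", "wininit.exe",
}
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}

# File paths from the Joe Sandbox behaviour graph on this page (the "..." is the
# page's own elision and is left as printed), plus constructed benign controls.
DROPPED_FILES = [
    r"C:\Windows\systemhelper.exe",
    r"C:\Windows\svchosthelper.exe",
    r"C:\Windows\Temp\svchostmanager.exe",
    r"C:\Windows\Temp\svchostam.exe",
    r"C:\Users\user\AppData\Roaming\...\svchost.exe",
    r"C:\Windows\System32\svchost.exe",        # constructed: legitimate location
    r"C:\Windows\explorer.exe",                # constructed: legitimate location
    r"C:\Program Files\Vendor\updater.exe",    # constructed: unrelated installer
]


def classify_path(path: str):
    """Return (severity, reason) for a suspicious path, or None when nothing stands out."""
    directory, name = ntpath.split(path.lower())
    if name in SYSTEM_PROCESS_NAMES:
        # Exact system binary name: fine in its home directory, a masquerade anywhere else.
        if directory in EXPECTED_DIRS:
            return None
        return "high", f"{name} outside the system directories"
    stem = name[:-4] if name.endswith(".exe") else name
    for sys_name in SYSTEM_PROCESS_NAMES:
        sys_stem = sys_name[:-4]
        if sys_stem in stem:
            # svchosthelper.exe, svchostmanager.exe, svchostam.exe all read as
            # "some svchost" to a user scanning Task Manager.
            return "medium", f"name embeds system process name {sys_name}"
    if directory == r"c:\windows" and name.endswith(".exe"):
        # Non-installer writes straight into C:\Windows (Joe Sandbox: "Drops
        # executables to the windows directory") are rare for legitimate software.
        return "medium", "executable dropped directly into C:\\Windows"
    return None


def scan(paths):
    """Classify every path; returns a list of (path, severity, reason) for the flagged ones."""
    findings = []
    for p in paths:
        result = classify_path(p)
        if result is not None:
            findings.append((p, *result))
    return findings


if __name__ == "__main__":
    for path, severity, reason in scan(DROPPED_FILES):
        print(f"{severity:6} {path}  ({reason})")
```

Run against the list above it flags all five paths from the graph and none of the controls. The check is deliberately name-and-location only; on a real host you would join it with the creating process (a freshly dropped PE writing into C:\Windows is a far stronger signal than an MSI service doing the same) before paging anyone.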
Threat name:
Win32.Infostealer.Tinba
Status:
Malicious
First seen:
2025-10-04 22:58:00 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
amadey vidar unc_loader_051 admintool_nsudo admintool_nircmd
Similar samples:
Result
Malware family:
Score:
  10/10
Tags:
family:amadey family:donutloader family:milleniumrat family:netsupport family:stealc family:xworm botnet:fbf543 botnet:taketol botnet:tr1pernn adware collection credential_access defense_evasion discovery execution installer loader persistence rat spyware stealer themida trojan
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies registry key
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
NSIS installer
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Power Settings
Checks BIOS information in registry
Checks computer location settings
Creates new service(s)
Disables service(s)
Drops startup file
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Stops running service(s)
Themida packer
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Looks for VMWare Tools registry key
Sets service image path in registry
Uses browser remote debugging
Enumerates VirtualBox registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Looks for VirtualBox Guest Additions in registry
Amadey
Amadey family
Detect Xworm Payload
Detects Amadey x86-bit Payload
Detects DonutLoader
Detects MilleniumRAT stealer
DonutLoader
Donutloader family
MilleniumRat
Milleniumrat family
NetSupport
Netsupport family
Stealc
Stealc family
Xworm
Xworm family
Malware Config
C2 Extraction:
http://94.154.35.25
http://178.16.54.175
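The ThreatFox IOC reported above by abuse_ch (196.251.88.83:5103) and the two C2 hosts extracted from the sample's configuration are the indicators a SOC would sweep proxy and firewall logs for. The Python below is an added example, not MalwareBazaar, ThreatFox or abuse.ch code: it parses a constructed, assumed log layout and grades each line, an exact hit on the reported C2 socket as high and any other traffic to a known C2 host as medium, then lists the internal sources to pull for triage. The log format and the sample lines are assumptions of this example; only the indicator values come from this page.

```python
"""Network-IOC matching for this sample's C2 infrastructure.

Added example; it is not MalwareBazaar, ThreatFox or abuse.ch code. The log
layout below is an assumption of this example, not something the page documents.
"""
import re
from dataclasses import dataclass

# Indicators copied from this page:
#   ThreatFox IOC (abuse_ch comment): Amadey C2 196.251.88.83:5103
#   Sandbox "C2 Extraction": http://94.154.35.25 and http://178.16.54.175
C2_SOCKETS = {("196.251.88.83", 5103)}
C2_HOSTS = {"196.251.88.83", "94.154.35.25", "178.16.54.175"}

# Assumed log layout (constructed for this example):
#   <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> [key=value ...]
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)(?:\s+(?P<rest>.*))?$"
)

# Constructed sample lines, not taken from any real capture.
SAMPLE_LOG = """\
2025-10-07T20:11:02Z 10.0.0.15:51234 -> 196.251.88.83:5103 tcp
2025-10-07T20:11:05Z 10.0.0.15:51240 -> 94.154.35.25:80 http host=94.154.35.25 method=POST
2025-10-07T20:11:09Z 10.0.0.15:51244 -> 1.1.1.1:53 udp
2025-10-07T20:11:12Z 10.0.0.22:40022 -> 178.16.54.175:80 http host=178.16.54.175 method=POST
2025-10-07T20:11:15Z 10.0.0.22:40030 -> 196.251.88.83:443 tcp
"""


@dataclass
class Hit:
    ts: str
    src: str
    dst: str
    dport: int
    severity: str
    reason: str


def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it does not fit the layout."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def match_iocs(log_text: str, c2_sockets=C2_SOCKETS, c2_hosts=C2_HOSTS):
    """Walk the log and return one Hit per line whose destination is C2 infrastructure.

    An exact ip:port match against the reported C2 socket is 'high'; any other
    traffic to a known C2 host (a different port, or the plain-HTTP config hosts)
    is 'medium', since the same box may serve several ports or a later build.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        dst, dport = rec["dst"], int(rec["dport"])
        if (dst, dport) in c2_sockets:
            hits.append(Hit(rec["ts"], rec["src"], dst, dport, "high",
                            "exact match on reported C2 socket"))
        elif dst in c2_hosts:
            hits.append(Hit(rec["ts"], rec["src"], dst, dport, "medium",
                            "destination is a known C2 host"))
    return hits


def infected_sources(hits):
    """Internal hosts that should be pulled for triage, deduplicated and sorted."""
    return sorted({h.src for h in hits})


if __name__ == "__main__":
    hits = match_iocs(SAMPLE_LOG)
    for h in hits:
        print(f"{h.severity:6} {h.ts} {h.src} -> {h.dst}:{h.dport}  ({h.reason})")
    print("triage:", infected_sources(hits))
```

The host-level match is kept deliberately broad: the 196.251.88.83:443 line in the constructed log is not the socket ThreatFox reported, but the page's own imphash cluster (LummaStealer, Stealc) and the multi-family tags show how freely this infrastructure is shared, so a different port on a known C2 host still deserves a ticket.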
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Unpacked files
SHA256 hash: 5f29a44082777948c77009b37df18b6a8f16233115bc0efc269db93b73955c39
MD5 hash: e87971ab932ef2758559645cb9542af6
SHA1 hash: 4901fe6e1f29e6ffef8a0891e636af655a97b3ed

SHA256 hash: 319f4255af649c2e4b42a7e6b072a34c32025117aa6138bd14057641bc345e6d
MD5 hash: 71818b20914eb0151b0425fd24616461
SHA1 hash: 8496e92325273644bae8bdfb92cae2e97b8a2d1a

SHA256 hash: f5e215ce8a226b2bf92109f88fc65910a4f61f28002875e2c2f01e72ae5ea2ec
MD5 hash: 96b29965b98098d75fe760ae982ab7bc
SHA1 hash: fccd87d1c386f56395e3d9076b8cd7a5f9a4eaa1

SHA256 hash: 48d805bec404d51b1aa1f556d9670117da30fa92c6fe72831b3268cfcd19cabb
MD5 hash: 5a8f3664fdaec472396691a0d30c6055
SHA1 hash: 9245698d97ad68087e77e219b247a9b5b08ca1c5
Detections: Amadey

SHA256 hash: c39c4466f622b7320076076ea3eb13fa0f784b9b097dff46d802f905fc39d851
MD5 hash: a7993e5a520b17fec65435fb4838a08f
SHA1 hash: 18fe6286473a03735e7b701d4bfaf61ad35da7ad
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Amadey
Author:kevoreilly, YungBinary
Description:Amadey Payload
Rule name:APT_Sandworm_ArguePatch_Apr_2022_1
Author:Arkbird_SOLG
Description:Detect ArguePatch loader used by Sandworm group to load CaddyWiper
Reference:https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/
Rule name:CMD_Ping_Localhost
Rule name:cobalt_strike_tmp01925d3f
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper drops malware through a base64-encoded PowerShell script.
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:grakate_stealer_nov_2021
Rule name:HeavensGate
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-bit mode
Rule name:INDICATOR_EXE_Packed_Themida
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames
Author:ditekSHen
Description:Detects executables containing possible sandbox analysis VM names
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Author:ditekSHen
Description:Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
Author:ditekSHen
Description:Detects executables containing possible sandbox analysis VM usernames
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:Macos_Infostealer_Wallets_8e469ea0
Author:Elastic Security
Rule name:MAL_Win_Amadey_Jun25
Author:0x0d4y
Description:This rule detects intrinsic patterns of Amadey version 5.34
Reference:https://0x0d4y.blog/amadey-targeted-analysis/
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Rule name:pe_imphash
Rule name:RANSOMWARE
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:ThreadControl__Context
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:vmdetect
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:win_amadey_062025
Author:0x0d4y
Description:This rule detects intrinsic patterns of Amadey version 5.34.
Reference:https://0x0d4y.blog/amadey-targeted-analysis/
Rule name:win_lumma_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.lumma.
Rule name:WIN_WebSocket_Base64_C2_20250726
Author:dogsafetyforeverone
Description:Detects configuration strings used by malware to specify WebSocket command-and-control endpoints inside Base64-encoded data. It looks for prefixes such as '#ws://' or '#wss://' that were found in QuasarRAT configuration data.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments