MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f60f336a4aa31f6d97b4c216df043ea9c49632ec54916fdd4a025a90ec7e1d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 19

Intelligence 19 IOCs YARA 17 File information Comments

SHA256 hash:	5f60f336a4aa31f6d97b4c216df043ea9c49632ec54916fdd4a025a90ec7e1d9
SHA3-384 hash:	e21ec7a477aac5362bffd54c9d0fd253a5c655323b4d2a826da052606b0a0bc93e2aadd2c1025a63abb94c3fa13d188f
SHA1 hash:	842e8301a0cfb1bec1afdb498209272cead65504
MD5 hash:	cdcb6e875f6c6f5b327c986b5771d772
humanhash:	diet-xray-zulu-arkansas
File name:	lool.exe
Download:	download sample
Signature	Amadey Create hunting rule
File size:	1'403'904 bytes
First seen:	2025-08-22 22:53:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	24576:I223BgU9yJCB/5gy2tOYmMVyWHRUMtW2jjZ9MO6+kyRzA0NJFoqFQHgMmXt2B41k:2BPy65gVtUkUMt9jbMH+ky5ASHosCgHc
TLSH	T12F55124BB78B56F0D5404B3AC1C7D40083ACEB96FBA7C60B758D2B650B427EA567424F
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	AntiSkidding
Tags:	Amadey exe

Intelligence

File Origin

# of uploads :

# of downloads :

123

Origin country :

Vendor Threat Intelligence

Malware family:

amadey

ID:

File name:

3c7d3ca1de4ecd064565db8727922c56.exe

Verdict:

Malicious activity

Analysis date:

2025-08-22 14:49:56 UTC

Tags:

lumma stealer github auto-reg loader amadey botnet auto-startup rdp

Link:

https://app.any.run/tasks/f22b3812-73cd-424a-b4ec-dcfe039b9f43

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/23100/

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68a8f4f8e9d9dbcfd96d2829

Tags:

phishing virus micro msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Launching a process

Сreating synchronization primitives

Connection attempt to an infection source

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Query of malicious DNS domain

Unauthorized injection to a system process

Sending an HTTP POST request to an infection source

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 net_reactor obfuscated packed packed

Link:

https://www.filescan.io/uploads/68a8f4fa7137d6845838a0d0/reports/ba85742d-dbf3-4010-b3d9-7b0e1b6ee65d/overview

Verdict:

Malicious

Labled as:

IL:Trojan.MSILZilla

Link:

https://www.hybrid-analysis.com/sample/5f60f336a4aa31f6d97b4c216df043ea9c49632ec54916fdd4a025a90ec7e1d9

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-08-22T15:06:00Z UTC

Last seen:

2025-08-22T15:06:00Z UTC

Hits:

~100

Detections:

Trojan-PSW.Lumma.HTTP.Download Trojan.Agentb.TCP.C&C HEUR:Trojan-Downloader.MSIL.Deyma.gen Trojan-PSW.MSIL.PureLogs.sb Trojan-Downloader.Win32.Deyma.sb Trojan.Win32.Vimditator.sb Trojan.MSIL.Inject.sb PDM:Trojan.Win32.Generic Trojan-Dropper.Win32.Injector.sb Trojan-Dropper.Win32.Agent Backdoor.Win32.Androm

Link:

https://opentip.kaspersky.com/5f60f336a4aa31f6d97b4c216df043ea9c49632ec54916fdd4a025a90ec7e1d9/results?tab=lookup

Malware family:

Amadey

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/cbabaa39-0c25-4f85-9c1b-16eaa0fb99fa

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/5f60f336a4aa31f6d97b4c216df043ea9c49632ec54916fdd4a025a90ec7e1d9

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.50 Win 32 Exe x86

Link:

https://app.malva.re/file/cdcb6e875f6c6f5b327c986b5771d772

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5f60f336a4aa31f6d97b4c216df043ea9c49632ec54916fdd4a025a90ec7e1d9/

Verdict:

Malicious

Threat:

Family.AMADEY

Link:

https://tip.neiki.dev/file/5f60f336a4aa31f6d97b4c216df043ea9c49632ec54916fdd4a025a90ec7e1d9

Threat name:

ByteCode-MSIL.Spyware.AsyncRAT

Status:

Malicious

First seen:

2025-08-22 17:30:01 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=l5qpgnveviy7nwl3jqqw34cd5koesyzoyvern7ouuas2sdwh4hmq._file

Verdict:

malicious

Label(s):

amadey

Similar samples:

error

Amadey

Result

Malware family:

amadey

Score:

10/10

Tags:

family:amadey botnet:9a8fe7 discovery persistence trojan

Link:

https://tria.ge/reports/250822-2t9b9sek7v/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Adds Run key to start application

Executes dropped EXE

Amadey

Amadey family

Malware Config

C2 Extraction:

http://microsoft-telemetry.cc

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/c59efc5a-88e9-4a9d-bc06-7c71438f65e1

Unpacked files

SH256 hash:

5f60f336a4aa31f6d97b4c216df043ea9c49632ec54916fdd4a025a90ec7e1d9

MD5 hash:

cdcb6e875f6c6f5b327c986b5771d772

SHA1 hash:

842e8301a0cfb1bec1afdb498209272cead65504

Link:

https://www.unpac.me/results/d70035ea-6fc3-4371-9b28-7d870a19e628/

SH256 hash:

61105dda241f19eff3a4e7abc6eccffb75d42354dbd1d0c11d86db5fb4c47951

MD5 hash:

4c8518ea40b5f55ce7df02dd6bd8c575

SHA1 hash:

08756df7b4e2379adf2a71bc469e8175253f2f4a

Link:

https://www.unpac.me/results/d70035ea-6fc3-4371-9b28-7d870a19e628/

SH256 hash:

e50f749662443c5c26bf964541418b86d3e5db17fcb1cbd876cbe095f7db06e4

MD5 hash:

a2e25f2cca965951f0973aa554c21353

SHA1 hash:

25bd03a29c392208860bae87a81e8d7964af3c03

Detections:

Amadey

Link:

https://www.unpac.me/results/d70035ea-6fc3-4371-9b28-7d870a19e628/

Parent samples :

c1fcdbc77e5ab2ebfbf3bd0adc2d81bd64ed2dfdacccfea9783003cf950ac36b
5f60f336a4aa31f6d97b4c216df043ea9c49632ec54916fdd4a025a90ec7e1d9

SH256 hash:

d1bbe1dfefee276fc6da05c5b6aed64a4d03f91c6cebe6109715324e9844d081

MD5 hash:

d016e2976d78bd83bf367ca0f003c0b8

SHA1 hash:

25fd379938e7409c394fd7d2bdc90d689d517171

Link:

https://www.unpac.me/results/d70035ea-6fc3-4371-9b28-7d870a19e628/

SH256 hash:

cc2b13b4aaf087886118bf4ff9d0821942d6578ceee10cd8bb7412c5f8b97fe4

MD5 hash:

a0abf7f8fffa510d7aaaeca751828fec

SHA1 hash:

47dc346162afabbf4a3ada71ef3b463617616db6

Link:

https://www.unpac.me/results/d70035ea-6fc3-4371-9b28-7d870a19e628/

Malware family:

Amadey

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5f60f336a4aa/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5f60f336a4aa31f6d97b4c216df043ea9c49632ec54916fdd4a025a90ec7e1d9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MAL_Win_Amadey_Jun25 Create hunting rule
Author:	0x0d4y
Description:	This rule detects intrinsic patterns of Amadey version 5.34
Reference:	https://0x0d4y.blog/amadey-targeted-analysis/

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETDLLMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	win_amadey_062025 Create hunting rule
Author:	0x0d4y
Description:	This rule detects intrinsic patterns of Amadey version 5.34.
Reference:	https://0x0d4y.blog/amadey-targeted-analysis/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/23100/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample