MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61dedbd735c22f2f0a15e6ecdea9f9be5c9c1263a5d95d451365d38432ff61a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 19


Intelligence 19 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 61dedbd735c22f2f0a15e6ecdea9f9be5c9c1263a5d95d451365d38432ff61a2
SHA3-384 hash: 0c4a31195dbe5fe5c91c7658f1caa06c5bafce22127fddbc2993636508d7495431bce7b2bd087dac7abfd47ce83e253a
SHA1 hash: 19dc3928826c8350ca8f27f083dabaf0b30a269a
MD5 hash: 89976147ca899ad743405d183eff8d03
humanhash: fillet-charlie-stream-dakota
File name:89976147CA899AD743405D183EFF8D03.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:4'973'056 bytes
First seen:2025-07-27 18:20:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 98304:uB2YD+Yba+/LJf5t81DVvCAwHOgyP+rp3eLj0R12KEmdmgBCw:uWY9/L18hVRNJP+rp35imdmcCw
Threatray 882 similar samples on MalwareBazaar
TLSH T12E363318F6CC41B6FA6587F42EB70357169A3F325756C1A272AF1E8D0CB23A442683D7
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10522/11/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
147.185.221.30:34037

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
147.185.221.30:34037 https://threatfox.abuse.ch/ioc/1561176/

Intelligence

File Origin
# of uploads :
1
# of downloads :
97
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
0f5fa722-974f-4e6d-a69a-c62ffca1e644
Verdict:
Malicious activity
Analysis date:
2025-07-24 13:53:27 UTC
Tags:
gcleaner loader lumma stealer autoit python qrcode auto generic websocket arch-doc amadey botnet themida arch-exec auto-reg telegram pastebin miner susp-powershell
Link:
https://app.any.run/tasks/0f5fa722-974f-4e6d-a69a-c62ffca1e644

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Lumma
Create hunting rule
Link:
https://www.capesandbox.com/analysis/17214/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

Win.Packed.Nanocore-9942160-0
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68866df3af3050dc8d319fc3
Tags:
phishing autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Сreating synchronization primitives
Searching for analyzing tools
DNS request
Behavior that indicates a threat
Connection attempt
Sending a custom TCP request
Creating a window
Searching for the window
Searching for synchronization primitives
Creating a file
Running batch commands
Launching a process
Sending an HTTP POST request
Launching a service
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-vm CAB crypt explorer fingerprint installer lolbin microsoft_visual_cc nanocore overlay packed rundll32 runonce sfx
Link:
https://www.filescan.io/uploads/68866df5c79df08ef0964dac/reports/8fc984f3-1e0a-4e9a-a3f6-5b584034e83e/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/61dedbd735c22f2f0a15e6ecdea9f9be5c9c1263a5d95d451365d38432ff61a2
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/23cee723-594b-40fb-a57c-19f69c21b858
Result
Threat name:
Amadey, LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1745141
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to start a terminal service
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Drops password protected ZIP file
Found API chain indicative of sandbox detection
Found malware configuration
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation STDIN+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: PUA - NSudo Execution
Suspicious powershell command line found
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the nircmd tool (NirSoft)
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1745141 Sample: FpiL7QDULM.exe Startdate: 27/07/2025 Architecture: WINDOWS Score: 100 128 Found malware configuration 2->128 130 Antivirus detection for dropped file 2->130 132 Antivirus / Scanner detection for submitted sample 2->132 134 15 other signatures 2->134 11 FpiL7QDULM.exe 1 4 2->11         started        14 AmBrGIAQ.exe 2->14         started        17 svchost.exe 2->17         started        19 5 other processes 2->19 process3 file4 108 C:\Users\user\AppData\Local\...\2I3092.exe, PE32 11->108 dropped 110 C:\Users\user\AppData\Local\...\1y97m1.exe, PE32 11->110 dropped 21 2I3092.exe 7 11->21         started        24 1y97m1.exe 11->24         started        172 Binary is likely a compiled AutoIt script file 14->172 28 cmd.exe 14->28         started        30 wl29UF2g.exe 14->30         started        32 cmd.exe 14->32         started        34 cmd.exe 14->34         started        174 Changes security center settings (notifications, updates, antivirus, firewall) 17->174 signatures5 process6 dnsIp7 94 C:\oSuE233\hPaFbKM7.exe, PE32 21->94 dropped 96 C:\oSuE233\RchDUIMB.exe, PE32 21->96 dropped 98 C:\oSuE233\AmBrGIAQ.exe, PE32 21->98 dropped 36 cmd.exe 1 21->36         started        122 23.54.187.178 AKAMAI-ASUS United States 24->122 152 Antivirus detection for dropped file 24->152 154 Detected unpacking (changes PE section rights) 24->154 156 Tries to detect sandboxes and other dynamic analysis tools (window names) 24->156 162 4 other signatures 24->162 158 Suspicious powershell command line found 28->158 39 powershell.exe 28->39         started        41 conhost.exe 28->41         started        160 Contains functionality to start a terminal service 30->160 43 conhost.exe 32->43         started        45 RchDUIMB.exe 32->45         started        47 conhost.exe 34->47         started        49 schtasks.exe 34->49         started        file8 signatures9 process10 signatures11 140 Suspicious powershell command line found 36->140 142 Uses cmd line tools excessively to alter registry or file data 36->142 144 Bypasses PowerShell execution policy 36->144 148 2 other signatures 36->148 51 AmBrGIAQ.exe 36->51         started        54 hPaFbKM7.exe 15 36->54         started        57 conhost.exe 36->57         started        146 Loading BitLocker PowerShell Module 39->146 process12 file13 136 Binary is likely a compiled AutoIt script file 51->136 138 Found API chain indicative of sandbox detection 51->138 59 wl29UF2g.exe 62 51->59         started        64 cmd.exe 51->64         started        66 cmd.exe 1 51->66         started        68 cmd.exe 51->68         started        100 C:\Users\user\AppData\Local\...\nircmd.exe, PE32+ 54->100 dropped 102 C:\Users\user\AppData\Local\...\cecho.exe, PE32 54->102 dropped 104 C:\Users\user\AppData\Local\...104SudoLG.exe, PE32+ 54->104 dropped 106 2 other malicious files 54->106 dropped 70 cmd.exe 1 54->70         started        signatures14 process15 dnsIp16 124 94.154.35.25 SELECTELRU Ukraine 59->124 126 176.46.158.8 ESTPAKEE Iran (ISLAMIC Republic Of) 59->126 112 C:\Users\user\AppData\Local\...\0jsyXSF.exe, PE32 59->112 dropped 114 C:\Users\user\AppData\Local\...\gqTUy7K.exe, PE32+ 59->114 dropped 116 C:\Users\user\AppData\Local\...\hOG67va.exe, PE32 59->116 dropped 118 27 other malicious files 59->118 dropped 164 Contains functionality to start a terminal service 59->164 166 Creates multiple autostart registry keys 59->166 168 Suspicious powershell command line found 64->168 72 powershell.exe 64->72         started        75 conhost.exe 64->75         started        77 RchDUIMB.exe 2 66->77         started        80 conhost.exe 66->80         started        82 conhost.exe 68->82         started        84 schtasks.exe 68->84         started        170 Uses cmd line tools excessively to alter registry or file data 70->170 86 cmd.exe 70->86         started        88 conhost.exe 70->88         started        90 21 other processes 70->90 file17 signatures18 process19 file20 150 Loading BitLocker PowerShell Module 72->150 120 C:\oSuE233\wl29UF2g.exe, PE32 77->120 dropped 92 tasklist.exe 86->92         started        signatures21 process22
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/61dedbd735c22f2f0a15e6ecdea9f9be5c9c1263a5d95d451365d38432ff61a2
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
CAB:COMPRESSION:LZX Executable PDB Path PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/89976147ca899ad743405d183eff8d03
Detection:
dcrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/61dedbd735c22f2f0a15e6ecdea9f9be5c9c1263a5d95d451365d38432ff61a2/
Verdict:
Malicious
Threat:
Trojan-PSW.Win32.HTTP
Link:
https://tip.neiki.dev/file/61dedbd735c22f2f0a15e6ecdea9f9be5c9c1263a5d95d451365d38432ff61a2
Threat name:
Win32.Trojan.Cerbu
Create hunting rule
Status:
Malicious
First seen:
2025-07-25 00:19:34 UTC
File Type:
PE (Exe)
Extracted files:
147
AV detection:
20 of 33 (60.61%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mhpnxvzvyixs6cqv43wn5kpzxzojyetduxmv2ritmxjyimx7mgra._file
Verdict:
malicious
Label(s):
unc_loader_051
Create hunting rule
amadey
Create hunting rule
admintool_nircmd
Create hunting rule
admintool_nsudo
Create hunting rule
Similar samples:
4c118ef6e1e04222117a3e514392088117467f873f0805ed0a721a090c5beea5
Amadey
4fb901198759e576ee8fb73510eddcf802091166f227af43b5903742079a2c8f
Amadey
6664c359a0f91246a79782e9c5bb61ae1751091678ff3b5dc4b80cccbf2e2409
Amadey
8cb4dc684a331c5879421bb33f9934bbd3198dc28af448968eb2e4f61d35cfb4
Amadey
91c0848f6ce21b90c0452e200d8182da8f4942de5bb014d3359fdab150e6229f
Amadey
99a80e2177e257e5ac1509453aaf175a748177861756d3bbe67df660148f9614
Amadey
9bc261a18c3b454d5d75801d2b9d34c835952ec0a52e6a325712de854af0c534
Amadey
c71ab381c16b8f14e2a83fbacecc33895966eb98de97bfe21b97c604241a7d6f
Amadey
error
Amadey
+ 872 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:asyncrat family:deerstealer family:lumma family:salatstealer family:xmrig family:xworm botnet:default botnet:fbf543 defense_evasion discovery execution miner persistence rat spyware stealer trojan upx
Link:
https://tria.ge/reports/250727-wzgljsdm31/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies registry key
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Windows directory
Launches sc.exe
AutoIT Executable
Drops file in System32 directory
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Power Settings
Checks BIOS information in registry
Checks computer location settings
Cryptocurrency Miner
Drops startup file
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Modifies file permissions
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Downloads MZ/PE file
Sets service image path in registry
Stops running service(s)
Detectes NiceHashMiner Payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner payload
Amadey
Amadey family
AsyncRat
Asyncrat family
DeerStealer
Deerstealer family
Detect SalatStealer payload
Detect Xworm Payload
Detects DeerStealer
Disables service(s)
Lumma Stealer, LummaC
Lumma family
Salatstealer family
Suspicious use of NtCreateUserProcessOtherParentProcess
Xmrig family
Xworm
Xworm family
salatstealer
xmrig
Malware Config
C2 Extraction:
https://siltapl.fun/xiru
https://royaltbn.xyz/xaoi
https://columnez.shop/xlak
https://mixp.digital/amnt
https://woodenso.top/xaoi
https://foundrr.bet/zuqy
https://potosuz.fun/xiir
https://wagnvp.fun/akjf
https://nanoceus.run/agkr
https://thinkrz.lol/xkad/api
https://integkr.pics/zman
https://aspecqo.top/towp
https://paramkc.lat/zayw
https://severhi.lol/xahb/api
https://smp.rodeo/riww/api
https://xurekodip.com/qpdl
https://utvp1.net/zkaj
https://orienderi.com/xori
http://94.154.35.25
release-deficit.gl.at.ply.gg:34037
85.192.63.194:8848
Verdict:
Malicious
Tags:
Win.Packed.Nanocore-9942160-0 stealer redline
YARA:
win_redline_wextract_hunting_oct_2023
Link:
https://app.threat.zone/submission/77e10565-851c-4b08-8233-2b3b261e109f
Unpacked files
SH256 hash:
61dedbd735c22f2f0a15e6ecdea9f9be5c9c1263a5d95d451365d38432ff61a2
MD5 hash:
89976147ca899ad743405d183eff8d03
SHA1 hash:
19dc3928826c8350ca8f27f083dabaf0b30a269a
Link:
https://www.unpac.me/results/e6b1cd61-ffb8-4dcc-a12e-c2c004c764a6/
SH256 hash:
2e0b3c11d7888b2df47e8e356cefc6e61fee9ce3958a54be964eaf74a31f716b
MD5 hash:
81fe4e2e5f0c9c12665f67f0ec708407
SHA1 hash:
b45837307b76ac453443e9e2367162d4fbd9aa66
Link:
https://www.unpac.me/results/e6b1cd61-ffb8-4dcc-a12e-c2c004c764a6/
SH256 hash:
3c7959d26a0e983a65a0f0cb9501567ad6b7149f9052e649649d1f4f8390480a
MD5 hash:
d6a28e90544f88191342edd75cd1732b
SHA1 hash:
25f16dc288f9f819b113f090227c32f36704c6d1
Link:
https://www.unpac.me/results/e6b1cd61-ffb8-4dcc-a12e-c2c004c764a6/
SH256 hash:
0cbd02a125af3b37114f6abcbbd863bf703dd63be00bf4c8a93757e08302485e
MD5 hash:
96006af83b4acbd1d35260c9520130a6
SHA1 hash:
e2045ba3148b30c248dd20c10b7d8a0686fe35fa
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/e6b1cd61-ffb8-4dcc-a12e-c2c004c764a6/
SH256 hash:
2efc470ff0a3c79dd134feb7acbef99b1062d167ffa9a5f1ba51396b18721301
MD5 hash:
1f23fa233970a8c24ddc8c99603d8486
SHA1 hash:
cd7c20395f1fcb7a1f0d3ea03325564cfa18a4d8
Link:
https://www.unpac.me/results/e6b1cd61-ffb8-4dcc-a12e-c2c004c764a6/
SH256 hash:
96ae98901fff59facae193a37f6b3c38e78d936c1f4da600c544e83b94de5c3a
MD5 hash:
ad9a6508ea684dbbb06fd92ed17fef20
SHA1 hash:
a083c7f7b85278515f756002c7677221a03b77a0
Link:
https://www.unpac.me/results/e6b1cd61-ffb8-4dcc-a12e-c2c004c764a6/
SH256 hash:
014b02459889270072b5fb2709aeb0f5593be910b424ece5877fae0aaeeb2b6e
MD5 hash:
64b4ed1dcc892880104a3aa70d12eefc
SHA1 hash:
8fc0f9cf671f6f75560dc7f5a006c3c23a6551e1
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/e6b1cd61-ffb8-4dcc-a12e-c2c004c764a6/
SH256 hash:
55f5dd6359ece5451716c6e29d1bd05ec3c20624bc8973ea5f5049950af9fba0
MD5 hash:
63b7bc3250e837f3f20602769b2c3161
SHA1 hash:
ecae5eef87a79e004c5b2a341ba1902c7f4e4d7e
Link:
https://www.unpac.me/results/e6b1cd61-ffb8-4dcc-a12e-c2c004c764a6/
SH256 hash:
84650e28d06640c00b558b1a80fac3dbb80e6f94b26bdaeee0eb80f1c58fb0f4
MD5 hash:
b64e019681970678d241fd96e184a73a
SHA1 hash:
f340dd298b3bc6e6c26fab53b2930b3db511c868
Link:
https://www.unpac.me/results/e6b1cd61-ffb8-4dcc-a12e-c2c004c764a6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/61dedbd735c22f2f0a15e6ecdea9f9be5c9c1263a5d95d451365d38432ff61a2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/17214/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::EqualSid
ADVAPI32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetDriveTypeA
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetSystemInfo
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::GetWindowsDirectoryA
KERNEL32.dll::GetSystemDirectoryA
KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryInfoKeyA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageA

Comments