MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6426afbc1dd961c9911c57ab9623b75b5449856e5d7d570545b0ea67ea91e18c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 19


Intelligence 19 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6426afbc1dd961c9911c57ab9623b75b5449856e5d7d570545b0ea67ea91e18c
SHA3-384 hash: 26dc73c6febbfcea177f88a6919e40b027ff5b5e3a977119f784f2c5713bb5a446b4642bd552758dde00ba72c3cc3910
SHA1 hash: a82914e42eb4ae9536258248cce6194dd86ad51a
MD5 hash: 7f735d5dad8542e7f864ea8ea7ba115f
humanhash: eleven-cola-mars-jupiter
File name:random.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:1'911'808 bytes
First seen:2025-06-19 07:12:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:wZPzSiZPTa1y8+9H2hv+0+YpBfNiwXn10M4oz:wZLS0PTaI79HMv+PYHzXn10M4oz
Threatray 1 similar samples on MalwareBazaar
TLSH T13E95334C8679EEB4C7F108315953D398BBB1BC8B4001BFB9171AB23689A3B19F9125F5
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:Amadey exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
422
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
random.exe
Verdict:
Malicious activity
Analysis date:
2025-06-19 08:28:51 UTC
Tags:
amadey botnet stealer themida rdp
Link:
https://app.any.run/tasks/d05ae183-6ec1-4cf4-be48-638181cb47d2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/10157/
Detection(s):
SecuriteInfo.com.Trojan.Lumma-1.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6853e508d1262bb4773b281e
Tags:
vmdetect autorun autoit spoof
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/6853b8e466c4b5c0b99ad4ad/reports/b3ef47be-15ee-49fa-ba91-899a365d295f/overview
Verdict:
Malicious
Labled as:
Kryptik.Generic
Link:
https://www.hybrid-analysis.com/sample/6426afbc1dd961c9911c57ab9623b75b5449856e5d7d570545b0ea67ea91e18c
Result
Verdict:
MALICIOUS
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/f22d4e0d-553f-4a82-9994-e610e1950b7c
Result
Threat name:
Amadey, CryptOne
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1718342
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to start a terminal service
Detected unpacking (changes PE section rights)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Potentially malicious time measurement code found
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected CryptOne packer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1718342 Sample: random.exe Startdate: 19/06/2025 Architecture: WINDOWS Score: 100 52 drive.usercontent.google.com 2->52 62 Suricata IDS alerts for network traffic 2->62 64 Found malware configuration 2->64 66 Antivirus detection for dropped file 2->66 68 11 other signatures 2->68 9 random.exe 5 2->9         started        13 ramez.exe 2->13         started        15 ramez.exe 2->15         started        17 3 other processes 2->17 signatures3 process4 file5 40 C:\Users\user\AppData\Local\...\ramez.exe, PE32 9->40 dropped 42 C:\Users\user\...\ramez.exe:Zone.Identifier, ASCII 9->42 dropped 84 Detected unpacking (changes PE section rights) 9->84 86 Contains functionality to start a terminal service 9->86 88 Tries to evade debugger and weak emulator (self modifying code) 9->88 90 Tries to detect virtualization through RDTSC time measurements 9->90 19 ramez.exe 16 9->19         started        92 Hides threads from debuggers 13->92 94 Tries to detect sandboxes / dynamic malware analysis system (registry check) 13->94 96 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 13->96 signatures6 process7 dnsIp8 54 185.156.72.96, 49689, 49691, 49692 ITDELUXE-ASRU Russian Federation 19->54 56 185.156.72.2, 49732, 80 ITDELUXE-ASRU Russian Federation 19->56 32 C:\Users\user\AppData\...\51ae47097c.exe, PE32 19->32 dropped 34 C:\Users\user\AppData\Local\...\random[1].exe, PE32 19->34 dropped 70 Antivirus detection for dropped file 19->70 72 Multi AV Scanner detection for dropped file 19->72 74 Detected unpacking (changes PE section rights) 19->74 76 7 other signatures 19->76 24 51ae47097c.exe 2 19->24         started        file9 signatures10 process11 file12 36 C:\Users\user\AppData\...\svchost015.exe, PE32 24->36 dropped 38 C:\Users\user\AppData\Local\...\svcE549.tmp, PE32 24->38 dropped 78 Multi AV Scanner detection for dropped file 24->78 80 Writes to foreign memory regions 24->80 82 Found hidden mapped module (file has been removed from disk) 24->82 28 svchost015.exe 34 24->28         started        signatures13 process14 dnsIp15 58 185.156.72.196, 49744, 49749, 80 ITDELUXE-ASRU Russian Federation 28->58 60 drive.usercontent.google.com 142.250.80.65, 443, 49740 GOOGLEUS United States 28->60 44 C:\Users\user\AppData\Local\Temp\...\YCL.exe, PE32 28->44 dropped 46 C:\Users\user\...\Bunifu_UI_v1.5.3.dll, PE32 28->46 dropped 48 C:\Users\user\AppData\Local\...\dll[1], PE32 28->48 dropped 50 C:\Users\user\AppData\Local\...\soft[1], PE32 28->50 dropped file16
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6426afbc1dd961c9911c57ab9623b75b5449856e5d7d570545b0ea67ea91e18c
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6426afbc1dd961c9911c57ab9623b75b5449856e5d7d570545b0ea67ea91e18c/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2025-06-19 04:09:23 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mqtk7pa53fq4tei4k6vzmi5xlnketblolv6vobkfwdvgp2ur4gga._file
Verdict:
malicious
Label(s):
amadey
Create hunting rule
Similar samples:
bdf3bd6b10e0a05951bfe972ecc559c153bb2c84ddb7fcacbf3094bbc0a58d21
Amadey
error
Amadey
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:gcleaner family:lumma family:njrat family:quasar family:stealc family:vidar family:xworm botnet:7085c8e5628b8b90bd7ee38c361de968 botnet:8d33eb botnet:google chrome botnet:hacked botnet:logsdillercloud collection credential_access cryptone defense_evasion discovery execution loader packer persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/250619-h49w1abk9s/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Uses browser remote debugging
CryptOne packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
Detect Vidar Stealer
Detect Xworm Payload
GCleaner
Gcleaner family
Lumma Stealer, LummaC
Lumma family
Njrat family
Quasar RAT
Quasar family
Quasar payload
Stealc
Stealc family
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Vidar family
Xworm
Xworm family
njRAT/Bladabindi
Malware Config
C2 Extraction:
http://185.156.72.96
https://equidn.xyz/xapq/api
https://narrathfpt.top/tekq
https://escczlv.top/bufi
https://localixbiw.top/zlpa
https://korxddl.top/qidz
https://baviip.xyz/twiw/api
https://diecam.top/laur/api
https://citellcagt.top/gjtu
https://trqqe.xyz/xudu/api
https://shootef.world/api
https://stochalyqp.xyz/alfp
https://peppinqikp.xyz/xaow
45.91.200.135
185.244.219.98
https://t.me/wm33in
https://steamcommunity.com/profiles/76561199867001399
66.63.187.164:8594
66.63.187.164:8596
66.63.187.164:8595
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6c4b7efd-2fb0-40c7-ab9d-6d1a569f6891
Unpacked files
SH256 hash:
6426afbc1dd961c9911c57ab9623b75b5449856e5d7d570545b0ea67ea91e18c
MD5 hash:
7f735d5dad8542e7f864ea8ea7ba115f
SHA1 hash:
a82914e42eb4ae9536258248cce6194dd86ad51a
Link:
https://www.unpac.me/results/2601021a-b0b2-48b9-9ce7-fb3e806b19cf/
SH256 hash:
0c19908c87bdefc782af664aae42b50f4dee4303f001a6a09411d2509bb51d71
MD5 hash:
af99fb1694c869a5fe41ab6461b0f462
SHA1 hash:
a9617fc85b8381d573676fcd59a2c3142483f7cf
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/2601021a-b0b2-48b9-9ce7-fb3e806b19cf/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6426afbc1dd9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6426afbc1dd961c9911c57ab9623b75b5449856e5d7d570545b0ea67ea91e18c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:win_amadey_062025
Create hunting rule
Author:0x0d4y
Description:This rule detects intrinsic patterns of Amadey version 5.34.
Reference:https://0x0d4y.blog/amadey-targeted-analysis/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 6426afbc1dd961c9911c57ab9623b75b5449856e5d7d570545b0ea67ea91e18c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3550737/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/10157/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments