MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d4e4eafdd4a46ea7c96557580c7c39f1d850bb0b6ed1ddfaf884ea7b675df65. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Amadey


Vendor detections: 17



SHA256 hash: 6d4e4eafdd4a46ea7c96557580c7c39f1d850bb0b6ed1ddfaf884ea7b675df65
SHA3-384 hash: e9156d32bee209787a0553f61939123cbbf3db9594f0ca1d7c6a7d08d1e9618ae431fffc99c1e63ef6dd29b39e513de5
SHA1 hash: 82c65fd8b1b296003dea002dd0a640a23063fb23
MD5 hash: 75feb5227095b1fdb72953933df3e907
humanhash: wolfram-speaker-robert-quiet
File name: 75feb5227095b1fdb72953933df3e907.exe
Signature: Amadey
File size: 3'191'296 bytes
First seen: 2025-02-27 19:26:37 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep: 49152:bwS/EH+l/uCNZlZ0ws0642Yu6EM1+ZdWSAv4W1UF/LYYmID4:bNEHIlZ01069Yu6EncA/wID
Threatray: 1 similar samples on MalwareBazaar
TLSH: T1B8E55B72A524A2EFD0CA26B49927CF82A95F03B50F1048D7E82D6079ED73FC61175C6E
TrID: 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
      19.2% (.EXE) OS/2 Executable (generic) (2029/13)
      19.0% (.EXE) Generic Win/DOS Executable (2002/3)
      18.9% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: abuse_ch
Tags: Amadey exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 440
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID: 1
File name: 2b25d2ac600b978ac8e9f009b438441084f5f511efa5ea6684a9825a8ebbf858
Verdict: Malicious activity
Analysis date: 2025-02-26 17:50:50 UTC
Tags: amadey botnet stealer lumma loader exfiltration credentialflusher stealc rdp themida gcleaner netreactor telegram vidar screenconnect remote golang auto generic

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 93.3%
Tags: vmdetect phishing
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Searching for analyzing tools
Searching for the window
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-vm crypt obfuscated packed packed packer_detected
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Amadey, LummaC Stealer, PureLog Stealer
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Creates HTA files
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Drops PE files to the user root directory
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to download and execute files (via powershell)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected LummaC Stealer
Yara detected obfuscated html page
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected Stealc
Yara detected Tofsee
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph: ID 1625948, sample mY6CDWkfHp.exe, start date 27/02/2025, architecture WINDOWS, score 100 (graph rendering not reproduced in text; the dropped files, contacted hosts and per-process signatures it shows are summarised in the Signature list above and the Malware Config section below).
Threat name: Win32.Trojan.Amadey
Status: Malicious
First seen: 2025-02-26 13:20:35 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 25 of 38 (65.79%)
Threat level: 5/5
Verdict: malicious
Label(s): lummastealer amadey
Result
Malware family:
Score: 10/10
Tags: family:amadey family:systembc family:vidar botnet:092155 botnet:a4d2cd botnet:ir7am credential_access defense_evasion discovery execution persistence spyware stealer trojan
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies Control Panel
Modifies data under HKEY_USERS
Modifies system certificate store
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
.NET Reactor protector
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Uses browser remote debugging
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
Detect Vidar Stealer
SystemBC
Systembc family
Vidar
Vidar family
Malware Config
C2 Extraction:
http://176.113.115.6
https://t.me/l793oy
https://steamcommunity.com/profiles/76561199829660832
http://cobolrationumelawrtewarms.com
http://�������� jlgenfekjlfnvtgpegkwr.xyz
towerbingobongoboom.com
93.186.202.3
Dropper Extraction: http://185.215.113.16/mine/random.exe
Verdict: Malicious
Tags: c2 lumma_stealer stealer lumma
YARA: n/a
Unpacked files
SHA256 hash: 22e8c1e8c2588a228e8c2b39684d6442dfa888128230a8d1bce9fdba32909538
MD5 hash: 22b814278d325ee1ba21d662a150c86d
SHA1 hash: db48373b41eec028c6c292bc714c0fdd66b243ae
SHA256 hash: 6d4e4eafdd4a46ea7c96557580c7c39f1d850bb0b6ed1ddfaf884ea7b675df65
MD5 hash: 75feb5227095b1fdb72953933df3e907
SHA1 hash: 82c65fd8b1b296003dea002dd0a640a23063fb23
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Amadey
File: Executable exe 6d4e4eafdd4a46ea7c96557580c7c39f1d850bb0b6ed1ddfaf884ea7b675df65 (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                          Title                                                    Severity
CHECK_AUTHENTICODE          Missing Authenticode                                     high
CHECK_DLL_CHARACTERISTICS   Missing dll Security Characteristics (HIGH_ENTROPY_VA)   high
CHECK_NX                    Missing Non-Executable Memory Protection                 critical
