MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7623b74488d2413a84e80ae2c03d73c67e9b91350660bdc0c45b0d11cef57bc6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 18


Intelligence 18 IOCs 1 YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7623b74488d2413a84e80ae2c03d73c67e9b91350660bdc0c45b0d11cef57bc6
SHA3-384 hash: 41481eb5ff65736dd399814dc675b65bbb96d74a4caec831d4093fa6163beffe220cc3cbbe077c1565fd1d03bb74d74d
SHA1 hash: 60195650bb33eaed745d02ce20b4bd775ea9c108
MD5 hash: 777b523753dfd477e0cb553892e403b9
humanhash: may-social-harry-angel
File name:777B523753DFD477E0CB553892E403B9.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:14'250'716 bytes
First seen:2025-05-25 04:55:23 UTC
Last seen:2025-05-25 14:35:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4418a2913fab5c7d6a525e062051fcdc (1 x Amadey)
ssdeep 196608:hosodFvIynowa0hq8c/CDOABjm3NkiBqO5TC7R4FBSwDCUI9Dty:hosW5oBopDO8jm3N5BqO9C7WvSSCU0y
TLSH T1C5E6233BF268A13EC4AE0B3249739610597B7E65681A8C2F03FC784DDF765601E3B616
TrID 49.3% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
19.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.4% (.EXE) Win64 Executable (generic) (10522/11/4)
5.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon ba7d6179494c6d3a (12 x Rhadamanthys, 9 x AurotunStealer, 3 x Vidar)
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
http://195.82.146.131/HthsDb74/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://195.82.146.131/hthsdb74/index.php https://threatfox.abuse.ch/ioc/1532632/

Intelligence

File Origin
# of uploads :
2
# of downloads :
542
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
www.russillo.com
Verdict:
Malicious activity
Analysis date:
2025-05-21 21:43:07 UTC
Tags:
telegram obfuscated-js arch-exec amadey botnet stealer inno installer delphi
Link:
https://app.any.run/tasks/ca5ba383-99ac-4635-87c0-62261cf2169e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.21726.31194.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6832a39b4912a6b9dd4d2b3f
Tags:
autorun remcos emotet lien
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Searching for the window
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context expired-cert fingerprint invalid-signature microsoft_visual_cc overlay overlay packed packed packer_detected remcos signed
Link:
https://www.filescan.io/uploads/6832a2ec171e01f9592c843b/reports/ab2dbaed-3646-4742-a80b-332692eb00e3/overview
Verdict:
Malicious
Labled as:
Fragtor.Generic
Link:
https://www.hybrid-analysis.com/sample/7623b74488d2413a84e80ae2c03d73c67e9b91350660bdc0c45b0d11cef57bc6
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/573675e8-626d-49d8-9ede-b240511d78bb
Result
Threat name:
Amadey, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1698661
Signature
.NET source code contains process injector
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Compiles code for process injection (via .Net compiler)
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Creates a thread in another existing process (thread injection)
Encrypted powershell cmdline option found
Found API chain indicative of debugger detection
Found malware configuration
Found stalling execution ending in API Sleep call
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Suricata IDS alerts for network traffic
Suspicious execution chain found
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected Powershell decode and execute
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1698661 Sample: n1PiWKZ7MB.exe Startdate: 25/05/2025 Architecture: WINDOWS Score: 100 104 ae.7.4t.com 2->104 106 t.me 2->106 122 Suricata IDS alerts for network traffic 2->122 124 Found malware configuration 2->124 126 Malicious sample detected (through community Yara rule) 2->126 128 14 other signatures 2->128 10 nudwee.exe 18 2->10         started        15 n1PiWKZ7MB.exe 5 2->15         started        signatures3 process4 dnsIp5 110 195.82.146.131, 49715, 49717, 49719 DREAMTORRENT-CORP-ASRU Russian Federation 10->110 92 C:\Users\user\AppData\Local\Temp\...\v1.exe, PE32 10->92 dropped 94 C:\Users\user\AppData\Local\...\v1[1].exe, PE32 10->94 dropped 140 Antivirus detection for dropped file 10->140 142 Multi AV Scanner detection for dropped file 10->142 144 Found API chain indicative of debugger detection 10->144 17 v1.exe 33 10->17         started        96 C:\Users\user\AppData\Local\...\nudwee.exe, PE32 15->96 dropped 98 C:\Users\user\...\nudwee.exe:Zone.Identifier, ASCII 15->98 dropped 146 Contains functionality to start a terminal service 15->146 148 Found stalling execution ending in API Sleep call 15->148 150 Contains functionality to inject code into remote processes 15->150 21 nudwee.exe 15->21         started        file6 signatures7 process8 dnsIp9 100 ae.7.4t.com 78.47.223.238 HETZNER-ASDE Germany 17->100 102 t.me 149.154.167.99 TELEGRAMRU United Kingdom 17->102 114 Multi AV Scanner detection for dropped file 17->114 116 Encrypted powershell cmdline option found 17->116 118 Tries to harvest and steal browser information (history, passwords, etc) 17->118 23 powershell.exe 22 17->23         started        27 chrome.exe 17->27         started        30 powershell.exe 17->30         started        32 27 other processes 17->32 120 Contains functionality to start a terminal service 21->120 signatures10 process11 dnsIp12 88 C:\Users\user\AppData\...\wddnzclq.cmdline, Unicode 23->88 dropped 130 Writes to foreign memory regions 23->130 132 Compiles code for process injection (via .Net compiler) 23->132 134 Creates a thread in another existing process (thread injection) 23->134 34 csc.exe 3 23->34         started        37 conhost.exe 23->37         started        112 192.168.2.4, 443, 49710, 49715 unknown unknown 27->112 136 Encrypted powershell cmdline option found 27->136 138 Suspicious execution chain found 27->138 39 chrome.exe 27->39         started        90 C:\Users\user\AppData\Local\...\cx1zowhs.0.cs, Unicode 30->90 dropped 42 csc.exe 30->42         started        44 conhost.exe 30->44         started        46 csc.exe 32->46         started        48 csc.exe 32->48         started        50 csc.exe 32->50         started        52 23 other processes 32->52 file13 signatures14 process15 dnsIp16 70 C:\Users\user\AppData\Local\...\wddnzclq.dll, PE32 34->70 dropped 54 cvtres.exe 34->54         started        108 www.google.com 142.250.72.132 GOOGLEUS United States 39->108 72 C:\Users\user\AppData\Local\...\cx1zowhs.dll, PE32 42->72 dropped 74 C:\Users\user\AppData\Local\...\0fgzsdjq.dll, PE32 46->74 dropped 56 cvtres.exe 46->56         started        76 C:\Users\user\AppData\Local\...\1iujiqmw.dll, PE32 48->76 dropped 58 cvtres.exe 48->58         started        78 C:\Users\user\AppData\Local\...\5e1vgkw3.dll, PE32 50->78 dropped 60 cvtres.exe 50->60         started        80 C:\Users\user\AppData\Local\...\zvklsuxt.dll, PE32 52->80 dropped 82 C:\Users\user\AppData\Local\...\re0vsbnr.dll, PE32 52->82 dropped 84 C:\Users\user\AppData\Local\...\psunhgf3.dll, PE32 52->84 dropped 86 7 other malicious files 52->86 dropped 62 cvtres.exe 52->62         started        64 cvtres.exe 52->64         started        66 cvtres.exe 52->66         started        68 5 other processes 52->68 file17 process18
Score:
74%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7623b74488d2413a84e80ae2c03d73c67e9b91350660bdc0c45b0d11cef57bc6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7623b74488d2413a84e80ae2c03d73c67e9b91350660bdc0c45b0d11cef57bc6/
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/7623b74488d2413a84e80ae2c03d73c67e9b91350660bdc0c45b0d11cef57bc6
Threat name:
Win32.Trojan.Kepavll
Create hunting rule
Status:
Malicious
First seen:
2025-05-21 21:38:53 UTC
File Type:
PE (Exe)
Extracted files:
293
AV detection:
27 of 36 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=oyr3orei2jatvbhiblrmapltyz7jxejvazql3qgelmgrdtxvppda._file
Verdict:
malicious
Label(s):
amadey
Create hunting rule
Similar samples:
error
Amadey
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:vidar botnet:dcf87a botnet:dd903b7ce06f955fc31204a3bdcc7264 credential_access defense_evasion discovery spyware stealer trojan
Link:
https://tria.ge/reports/250525-fkqynszpw7/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Obfuscated Files or Information: Command Obfuscation
Checks computer location settings
Executes dropped EXE
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Downloads MZ/PE file
Uses browser remote debugging
Amadey
Amadey family
Detect Vidar Stealer
Vidar
Vidar family
Malware Config
C2 Extraction:
http://195.82.146.131
https://t.me/eom25t
https://steamcommunity.com/profiles/76561199855598339
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a2b153a6-93da-417b-aeee-4c962cac3a2b
Unpacked files
SH256 hash:
7623b74488d2413a84e80ae2c03d73c67e9b91350660bdc0c45b0d11cef57bc6
MD5 hash:
777b523753dfd477e0cb553892e403b9
SHA1 hash:
60195650bb33eaed745d02ce20b4bd775ea9c108
Link:
https://www.unpac.me/results/540e4c12-eede-4cbd-b9cd-1959ff4a1f98/
SH256 hash:
51c96ea6739dcb028d9ec0ead04cecaa5137ab0fc67e5b5d1df2e33c1cf17dc3
MD5 hash:
9daa49f31057cf2723c54af3015470e6
SHA1 hash:
f49c83a200086cfdf228104cf3f97a094118020a
Link:
https://www.unpac.me/results/540e4c12-eede-4cbd-b9cd-1959ff4a1f98/
SH256 hash:
d89e5f7baec6f354969a915b569cfafc5cdda51b432421a0ff36c4de3279cb27
MD5 hash:
e7212ee144729de463f177142860558a
SHA1 hash:
f2be9788ab49e5d4dc85740c7c62125bd04c44d9
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/540e4c12-eede-4cbd-b9cd-1959ff4a1f98/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7623b74488d2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7623b74488d2413a84e80ae2c03d73c67e9b91350660bdc0c45b0d11cef57bc6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:ProgramLanguage_Rust
Create hunting rule
Author:albertzsigovits
Description:Application written in Rust programming language
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileMappingW
KERNEL32.dll::GetSystemDirectoryW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::FindWindowA

Comments