MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a3ea1f8ddff3751f6148c6f7da2aa702ad053ba7c7a182b9a94faf2b3b44a43. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Amadey
Vendor detections: 19

SHA256 hash: 7a3ea1f8ddff3751f6148c6f7da2aa702ad053ba7c7a182b9a94faf2b3b44a43
SHA3-384 hash: 0980bc79c78d869db023f2b601b6a54ca2ec8e22684531c1794aa15651e6642e42d0703c7aebf9134c545dde2d3b7c3e
SHA1 hash: 03194c385186d3c30598c5f0ead51b4e1638cdd7
MD5 hash: 1f8f1a5de4f7ca72c5f02eb84ff22917
humanhash: happy-alpha-chicken-arizona
File name: random.exe
Signature: Amadey
File size: 5'080'064 bytes
First seen: 2025-09-18 12:00:49 UTC
Last seen: 2025-09-20 14:18:09 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep: 98304:0Kxh1pmniRvew+9r+4G1nHI2uGhRvnE/wHIvO97N:b7pmvwKq4G1o2u+RfCwHKQ7N
Threatray: 1'473 similar samples on MalwareBazaar
TLSH: T1723633558BF5263AF8BAD03DEDEA045D9F257C40E72FC94E0E405872A92ED04E4D9BC2
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
Reporter: abuse_ch
Tags: Amadey exe

Intelligence

File Origin
# of uploads: 3
# of downloads: 115
Origin country: SE

Vendor Threat Intelligence
Malware family:
ID: 1
File name: random.exe
Verdict: Malicious activity
Analysis date: 2025-09-18 12:12:21 UTC
Tags: lumma stealer amadey auto redline unlocker-eject tool themida arch-exec rdp

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 98.2%
Tags: dropper emotet shell sage

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Enabling the 'hidden' option for files in the %temp% directory
Creating a file in the Windows directory
Enabling the 'hidden' option for recently created files
Launching a process
Creating a process with a hidden window
Creating a service
Launching a service
Restart of the analyzed sample
Creating synchronization primitives
Creating a file in the Windows subdirectories
Searching for synchronization primitives
Running batch commands
Creating a process from a recently created file
Creating a window
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Creating a file
Sending a custom TCP request
Enabling autorun for a service
Connection attempt to an infection source
Enabling autorun by creating a file
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: lolbin obfuscated obfuscated packed packed packer_detected schtasks

Verdict: Malicious
File Type: exe x32
First seen: 2025-09-18T07:15:00Z UTC
Last seen: 2025-09-18T07:15:00Z UTC
Hits: ~100

Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Drops executables to the windows directory (C:\Windows) and starts them
Drops password protected ZIP file
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Sigma detected: PUA - NSudo Execution
Sigma detected: Suspicious New Service Creation
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the nircmd tool (NirSoft)
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Behaviour
Behavior Graph:
Behavior Graph ID: 1779974; Sample: random.exe; Startdate: 18/09/2025; Architecture: WINDOWS; Score: 100
Top-level signatures: Found malware configuration; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; 11 other signatures
Process tree (graph node numbers in parentheses; dropped files, signatures, child processes and network per process):
random.exe (9)
    dropped: C:\Windows\systemhelper.exe (PE32); C:\Windows\svchosthelper.exe (PE32); C:\Users\user\AppData\...\svchostmanager.exe (PE32); 3 other malicious files
    signatures: Drops executables to the windows directory (C:\Windows) and starts them
    started: systemhelper.exe (19); cmd.exe (23); svchosthelper.exe (25); 2 other processes (32)
random.exe (13)
    dropped: C:\Windows\Temp\svchostmanager.exe (PE32); C:\Windows\Temp\svchostam.exe (PE32)
    signatures: Contains functionality to start a terminal service
    started: svchosthelper.exe (28)
svchost.exe (15)
    signatures: Uses cmd line tools excessively to alter registry or file data
    started: WerFault.exe (30)
2 other processes (17)
systemhelper.exe (19)
    dropped: C:\Users\user\AppData\Local\...\nircmd.exe (PE32+); C:\Users\user\AppData\Local\...\NSudoLG.exe (PE32+); C:\Users\user\AppData\Local\...\aJaHGbr.bat (ASCII); 2 other files (none is malicious)
    signatures: Multi AV Scanner detection for dropped file
    started: cmd.exe (34)
cmd.exe (23)
    signatures: Uses cmd line tools excessively to alter registry or file data; Uses schtasks.exe or at.exe to add and modify task schedules; Uses the nircmd tool (NirSoft)
    started: conhost.exe (37); schtasks.exe (39)
svchosthelper.exe (25)
    network: 94.154.35.25, port 80 (SELECTELRU, Ukraine)
svchosthelper.exe (28)
    signatures: Contains functionality to start a terminal service; Contains functionality to inject code into remote processes
    started: WerFault.exe (41)
2 other processes (32)
    started: conhost.exe (43); conhost.exe (45)
cmd.exe (34)
    signatures: Uses cmd line tools excessively to alter registry or file data
    started: cmd.exe (47); cmd.exe (49); conhost.exe (51); 26 other processes (53)
cmd.exe (47)
    started: Conhost.exe (55)
cmd.exe (49)
    started: tasklist.exe (57)
Verdict: inconclusive
YARA: 10 match(es)
Tags: .Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.35 Win 32 Exe x86

Threat name: ByteCode-MSIL.Trojan.Amadey
Status: Malicious
First seen: 2025-09-18 12:06:43 UTC
File Type: PE (.Net Exe)
Extracted files: 1
AV detection: 26 of 36 (72.22%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: defense_evasion discovery execution persistence
Behaviour
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry key
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Launches sc.exe
Enumerates processes with tasklist
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Creates new service(s)
Sets service image path in registry
Stops running service(s)
Disables service(s)
Unpacked files
SHA256 hash: 7a3ea1f8ddff3751f6148c6f7da2aa702ad053ba7c7a182b9a94faf2b3b44a43
MD5 hash: 1f8f1a5de4f7ca72c5f02eb84ff22917
SHA1 hash: 03194c385186d3c30598c5f0ead51b4e1638cdd7

SHA256 hash: cdd6ba73fbde77d9936653fc9fe4b83eac935cb9990df067facc9189fb4766b6
MD5 hash: 0d209471c10d18a4e6df44bd3e882b36
SHA1 hash: 1620a8c46649df7ad7372611f007be24ff077628

SHA256 hash: 44d48e3e02b07a0e73e525df47ce47d284ccd1bbfd9e5587efe73e35575ff388
MD5 hash: 4aefdd53871149f2784dd78c52190416
SHA1 hash: 97261167f7d48c8ca9b8c1e7e721a574d9051663

SHA256 hash: 9415c4890efc942f4047101fee4dcfb111660ffd5ab4f80ab69530e70735d2d7
MD5 hash: 62c905b2c4296bb3fe0cc887652f45a6
SHA1 hash: 0e78e51b7f47054976960c1e4e77f481b939363b
Detections: Amadey

SHA256 hash: c39c4466f622b7320076076ea3eb13fa0f784b9b097dff46d802f905fc39d851
MD5 hash: a7993e5a520b17fec65435fb4838a08f
SHA1 hash: 18fe6286473a03735e7b701d4bfaf61ad35da7ad
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BLOWFISH_Constants
Author: phoul (@phoul)
Description: Look for Blowfish constants

Rule name: Borland
Author: malware-lu

Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping malware through a base63-encoded PowerShell script.

Rule name: Indicator_MiniDumpWriteDump
Author: Obscurity Labs LLC
Description: Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: NET
Author: malware-lu

Rule name: pe_detect_tls_callbacks

Rule name: pe_imphash

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD commands that can be abused by a threat actor (can create FP)

Rule name: TH_Generic_MassHunt_Win_Malware_2025_CYFARE
Author: CYFARE
Description: Generic Windows malware mass-hunt rule - 2025
Reference: https://cyfare.net/

Rule name: with_urls
Author: Antonio Sanchez <asanchez@hispasec.com>
Description: Rule to detect the presence of one or several URLs
Reference: http://laboratorio.blogs.hispasec.com/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Amadey
Executable exe 7a3ea1f8ddff3751f6148c6f7da2aa702ad053ba7c7a182b9a94faf2b3b44a43 (this sample)
Delivery method: Distributed via web download

Comments