MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c3fcf622b4cce3427594c89df6f1723b85dc252023c8d3c880ed39b971de979. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Amadey


Vendor detections: 12



SHA256 hash: 7c3fcf622b4cce3427594c89df6f1723b85dc252023c8d3c880ed39b971de979
SHA3-384 hash: d36c3d63b97caa618e4e8ee04168db748a0ae7a871b7c17ed27aa8040921384d10d7623f594c75c15702ea0d4faa36ad
SHA1 hash: 48c392051aba5c385707ddaf421c30e25729d4f8
MD5 hash: bcec1a812a549b07aac4eb1677617c24
humanhash: kitten-enemy-wyoming-steak
File name: index.exe
Signature: Amadey
File size: 3'360'824 bytes
First seen: 2025-07-05 10:55:10 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 12e12319f1029ec4f8fcbed7e82df162 (388 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep: 98304:FHAGllT3R++TXeHa6fXmwbLrWM52qcY6wcecA:ZAyvVUWwbL6lqYe9
TLSH: T116F53341BBC18073D1A2193B97BE7A229D3AB5415F61DADF97C00B58E6704D0EB33BA1
TrID: 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
      3.5% (.EXE) Win64 Executable (generic) (10522/11/4)
      2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      1.5% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
dhash icon: cdabae6fe6e7eaec (20 x Amadey, 9 x AurotunStealer, 8 x CoinMiner)
Reporter: abuse_ch
Tags: Amadey exe


abuse_ch
Amadey C2:
http://91.219.239.20/dF30Hn4m/index.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://91.219.239.20/dF30Hn4m/index.php
ThreatFox Reference: https://threatfox.abuse.ch/ioc/1553613/

Intelligence


File Origin
# of uploads: 1
# of downloads: 31
Origin country: NL

Vendor Threat Intelligence
Verdict: Malicious
Score: 99.9%
Tags: vmdetect autorun autoit emotet

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %temp% directory
Launching a service
Connection attempt
Sending an HTTP POST request
Enabling autorun by creating a file

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: adaptive-context anti-vm autoit crypto evasive fingerprint fingerprint installer keylogger microsoft_visual_cc overlay overlay packed packer_detected sfx

Result
Threat name: Amadey, LummaC Stealer, Stealerium, Vida
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to start a terminal service
Drops password protected ZIP file
Found API chain indicative of sandbox detection
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: PUA - NSudo Execution
Suricata IDS alerts for network traffic
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the nircmd tool (NirSoft)
Yara detected Amadey
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected AntiVM5
Yara detected Costura Assembly Loader
Yara detected LummaC Stealer
Yara detected Stealerium
Yara detected Telegram Recon
Yara detected Vidar stealer
Behaviour
Behavior Graph (rendered image not available; nodes recovered from the graph text, graph node numbers in brackets):
Behavior Graph ID: 1729147
Sample: index.exe
Startdate: 05/07/2025
Architecture: WINDOWS
Score: 100

Network contacts:
  www.google.com
  www-msn-com.a-0003.a-msedge.net
  30 other IPs or domains
  176.46.157.50, ports 49715, 49718, 49730, ESTPAKEE, Iran (Islamic Republic of), contacted by suker.exe [14]
  176.46.157.32, ports 49719, 49731, 49734, ESTPAKEE, Iran (Islamic Republic of), contacted by suker.exe [14]
  127.0.0.1 (unknown), contacted by the 6 other processes [20]

Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 22 other signatures

Process tree:
index.exe [11]
  drops: C:\Temper\wyxfGg1y.exe (PE32); C:\Temper\6iwhHzOX.exe (PE32)
  starts 6iwhHzOX.exe [22]
    signatures: Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; Found API chain indicative of sandbox detection
    starts o0JTbP07.exe [33]
      drops: C:\Users\user\AppData\Local\...\nircmd.exe (PE32+); C:\Users\user\AppData\Local\...\cecho.exe (PE32); C:\Users\user\AppData\Local\...91SudoLG.exe (PE32+, path as garbled in the graph text); 2 other malicious files
      starts cmd.exe [53]
        signature: Uses cmd line tools excessively to alter registry or file data
        starts reg.exe [73] (starts Conhost.exe); reg.exe [75] (starts Conhost.exe); conhost.exe; 14 other processes
    starts G2uKbjlq.exe [36]
      drops: C:\Users\user\AppData\Local\...\suker.exe (PE32)
      signatures: Multi AV Scanner detection for dropped file; Contains functionality to start a terminal service
      starts suker.exe [56]
        signatures: Multi AV Scanner detection for dropped file; Contains functionality to start a terminal service
    starts cmd.exe [39]
      signatures: Uses cmd line tools excessively to alter registry or file data; Uses schtasks.exe or at.exe to add and modify task schedules; Uses the nircmd tool (NirSoft)
      starts wyxfGg1y.exe [58]; conhost.exe
        wyxfGg1y.exe drops: C:\Temper\o0JTbP07.exe (PE32); C:\Temper\G2uKbjlq.exe (PE32)
    starts 2 other processes [51]
      start conhost.exe; schtasks.exe
suker.exe [14]
  drops: C:\Users\user\AppData\...\76ae48a4a1.exe (PE32); C:\Users\user\AppData\...\3dd85513ee.exe (PE32+); C:\Users\user\AppData\Local\...\9eteMk9.exe (PE32); 21 other malicious files
  signature: Contains functionality to start a terminal service
6iwhHzOX.exe [18]
  signature: Binary is likely a compiled AutoIt script file
  starts o0JTbP07.exe [25]
    starts cmd.exe [41]
      starts nircmd.exe [63] (starts cmd.exe [79]); conhost.exe; 3 other processes
  starts G2uKbjlq.exe [27]
    signature: Contains functionality to start a terminal service
  starts cmd.exe [29]
    starts conhost.exe; wyxfGg1y.exe [45]
  starts cmd.exe [31]
    starts conhost.exe; schtasks.exe
6 other processes [20]
  signature: Changes security center settings (notifications, updates, antivirus, firewall)
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PE (Portable Executable) Win 32 Exe x86

Threat name: Win32.Trojan.Egairtigado
Status: Malicious
First seen: 2025-07-05 10:55:29 UTC
File Type: PE (Exe)
Extracted files: 41
AV detection: 18 of 24 (75.00%)
Threat level: 5/5

Result
Malware family: stealerium
Score: 10/10
Tags: family:amadey family:stealerium botnet:9fa1e2 credential_access defense_evasion discovery execution persistence stealer trojan
Behaviour
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry key
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Drops file in Windows directory
Launches sc.exe
AutoIT Executable
Command and Scripting Interpreter: PowerShell
Enumerates processes with tasklist
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Checks computer location settings
Executes dropped EXE
Downloads MZ/PE file
Stops running service(s)
Uses browser remote debugging
Amadey
Amadey family
Stealerium
Stealerium family
Malware Config
C2 Extraction:
http://176.46.157.50
https://api.telegram.org/bot7752834125:AAHFvXxMbIKxS_IV7-VoZ_U7lA6F-QbQ_34/sendMessage?chat_id=
https://api.telegram.org/bot8165913918:AAG4HdlwZSMvhTYtugUw4BUz3vx8V36VV3g/sendMessage?chat_id=

Unpacked files
SHA256 hash: 7c3fcf622b4cce3427594c89df6f1723b85dc252023c8d3c880ed39b971de979
MD5 hash: bcec1a812a549b07aac4eb1677617c24
SHA1 hash: 48c392051aba5c385707ddaf421c30e25729d4f8

SHA256 hash: f149eeb2069f840ef4f69beb0f89e5ebdd8efb52a4317f08e7bd464db07eec18
MD5 hash: 50359e55171b7f7358f7c78a17b59b41
SHA1 hash: f05c7d18dd0f0d8ce0273f6fd4876bf5b85679b9
Detections: Amadey

SHA256 hash: 6dd610a8f8ea57f36713dd1d0c736ea44daaa739ae4f937efa4ac9a86cb00dae
MD5 hash: 6de4f94f7849ae266be2d0288d9eede6
SHA1 hash: 5135ab6a33b27e346b3191f170231e5e103138b9

SHA256 hash: 002f74f19753a3d300d1fbd086305b7a1613bf250a2ebd9487adcbc102976684
MD5 hash: f5500686c3f4469f191488a0a010a8f0
SHA1 hash: e0bcb7202a6c0d90b292cc863a242bd98a1c694e
Detections: AutoIT_Compiled

SHA256 hash: 7b78fbe39262ed72ee0c535154c0cb8fec81554f89eb7f3f9f9fc76e4d11ee7e
MD5 hash: a77c49e80e99c333f3901fda3eb72950
SHA1 hash: ff48346016025ba96be81fa6e914d1f860875fb3

SHA256 hash: bd1f4c1b3d7bb873accf04236da2848fb093c3457a3d1d4eb05986aeeebc420a
MD5 hash: d23dbe0f8cbafb87033b9a7f01472ce3
SHA1 hash: 1c621b91969feead4e4531a93167d9d559030998
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: dcrat_
Author: Michelle Khalil
Description: This rule detects unpacked dcrat malware samples.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SelfExtractingRAR
Author: Xavier Mertens
Description: Detects an SFX archive with automatic script execution

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Amadey
Executable exe 7c3fcf622b4cce3427594c89df6f1723b85dc252023c8d3c880ed39b971de979 (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID: CHECK_AUTHENTICODE
Title: Missing Authenticode
Severity: high

ID: CHECK_DLL_CHARACTERISTICS
Title: Missing dll Security Characteristics (HIGH_ENTROPY_VA)
Severity: high

Reviews

ID: GDI_PLUS_API
Capabilities: Interfaces with Graphics
Evidence: gdiplus.dll::GdiplusStartup, gdiplus.dll::GdiplusShutdown, gdiplus.dll::GdipAlloc

ID: WIN32_PROCESS_API
Capabilities: Can Create Process and Threads
Evidence: KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread

ID: WIN_BASE_API
Capabilities: Uses Win Base API
Evidence: KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryW, KERNEL32.dll::LoadLibraryExA, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetSystemInfo, KERNEL32.dll::GetStartupInfoW

ID: WIN_BASE_EXEC_API
Capabilities: Can Execute other programs
Evidence: KERNEL32.dll::AllocConsole, KERNEL32.dll::AttachConsole, KERNEL32.dll::WriteConsoleW, KERNEL32.dll::FreeConsole, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleMode, KERNEL32.dll::GetConsoleCP

ID: WIN_BASE_IO_API
Capabilities: Can Create Files
Evidence: KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateHardLinkW, KERNEL32.dll::CreateFileW, KERNEL32.dll::CreateFileMappingW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::MoveFileW, KERNEL32.dll::MoveFileExW

Comments