MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 814f37b9a8442eb4633a40b7d4078c9f2e3d9f09c6668eb518bd071200f21aa2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 19


Intelligence 19 IOCs 1 YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 814f37b9a8442eb4633a40b7d4078c9f2e3d9f09c6668eb518bd071200f21aa2
SHA3-384 hash: 4c7ecacf86ce2e612da2fe6d39c305cd5f6187ca2063d32c57099ebf32be97cdf650a12fe1cc2b0f82559541e594ebf1
SHA1 hash: 0581743f15c4374043f8873709226090aec5e756
MD5 hash: a925bbd5bc50cfff6069c5ab5fbc4495
humanhash: early-jupiter-california-wyoming
File name:amnew.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:425'984 bytes
First seen:2025-07-31 12:20:39 UTC
Last seen:2025-08-02 22:29:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1e7280afbf80c2800b272220ce0718da (37 x Amadey, 2 x RedLineStealer, 1 x CredentialFlusher)
ssdeep 6144:hPUIrO0NCh31Alxujw54YsnLiO1ptnvT0lAkuW8GUi/83FrPKoTIf504AOfn2/jd:hPUIrO0NChSlMw4vn7T0lAnW8BK8j
TLSH T1CC945C217813D032D66191721FB9FFF585ADA8259B7109DB7BC00F769E202E26A31F39
TrID 32.2% (.EXE) Win64 Executable (generic) (10522/11/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4504/4/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
http://45.141.233.196/ho4lu3dk/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://45.141.233.196/ho4lu3dk/index.php https://threatfox.abuse.ch/ioc/1562884/

Intelligence

File Origin
# of uploads :
3
# of downloads :
122
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
e4826b858a916d7c31bb2b646ac4e8dab3a89fea2731451b6fcdbd2de1b9bc1e.bin.exe
Verdict:
Malicious activity
Analysis date:
2025-07-31 12:50:31 UTC
Tags:
lumma stealer themida loader amadey auto redline botnet auto-reg telegram arch-exec rdp stealc gcleaner vidar evasion quasar rat lclipper clipper
Link:
https://app.any.run/tasks/9cab3d00-9f70-4443-9e0e-a2318188df8f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/18079/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=688b5fc1af3050dc8d32beca
Tags:
autorun autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connecting to a non-recommended domain
Connection attempt
Sending an HTTP POST request
Sending a custom TCP request
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
amadey amadey anti-debug base64 fingerprint lolbin microsoft_visual_cc netsh wmic
Link:
https://www.filescan.io/uploads/688b5fc401e814b1f00a949e/reports/74f3afc7-8267-41c7-9bce-99bbf700b9a4/overview
Verdict:
Malicious
Labled as:
Doina.Generic
Link:
https://www.hybrid-analysis.com/sample/814f37b9a8442eb4633a40b7d4078c9f2e3d9f09c6668eb518bd071200f21aa2
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/240dd19b-b4a7-4799-9863-eb3c7fcfcc96
Result
Threat name:
Amadey, LummaC Stealer, RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1747784
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Potentially malicious time measurement code found
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Silenttrinity Stager Msbuild Activity
Suricata IDS alerts for network traffic
Tries to detect debuggers (CloseHandle check)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to evade analysis by execution special instruction (VM detection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Uses known network protocols on non-standard ports
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected AntiVM3
Yara detected LummaC Stealer
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1747784 Sample: amnew.exe Startdate: 31/07/2025 Architecture: WINDOWS Score: 100 144 sakkati-business.icu 2->144 146 ocsp.sectigo.com 2->146 148 10 other IPs or domains 2->148 166 Suricata IDS alerts for network traffic 2->166 168 Found malware configuration 2->168 170 Antivirus detection for dropped file 2->170 172 13 other signatures 2->172 13 amnew.exe 5 2->13         started        17 msiexec.exe 2->17         started        20 huran.exe 2->20         started        22 8 other processes 2->22 signatures3 process4 dnsIp5 114 C:\Users\user\AppData\Local\...\huran.exe, PE32 13->114 dropped 116 C:\Users\user\...\huran.exe:Zone.Identifier, ASCII 13->116 dropped 220 Contains functionality to start a terminal service 13->220 222 Contains functionality to inject code into remote processes 13->222 24 huran.exe 28 13->24         started        132 crl.comodoca.com.cdn.cloudflare.net 172.64.149.23, 49712, 49714, 49715 CLOUDFLARENETUS United States 17->132 118 C:\Windows\Installer\MSIA250.tmp, PE32 17->118 dropped 120 C:\Windows\Installer\MSI4923.tmp, PE32 17->120 dropped 122 C:\...\fleetdeck_agent_svc.exe, PE32 17->122 dropped 29 fleetdeck_agent_svc.exe 17->29         started        31 msiexec.exe 17->31         started        33 msiexec.exe 17->33         started        134 9.9.9.9 QUAD9-AS-1US United States 22->134 136 8.8.8.8 GOOGLEUS United States 22->136 138 8 other IPs or domains 22->138 35 WerFault.exe 22->35         started        file6 signatures7 process8 dnsIp9 150 sakkati-business.icu 45.95.168.70, 443, 49705 GIGANET-HUGigaNetInternetServiceProviderCoHU Croatia (LOCAL Name: Hrvatska) 24->150 152 45.141.233.196, 49689, 49690, 49691 ASDETUKhttpwwwheficedcomGB Bulgaria 24->152 154 allfile.ink 104.21.32.1, 49719, 80 CLOUDFLARENETUS United States 24->154 106 C:\Users\user\AppData\Local\...\promotion.exe, PE32 24->106 dropped 108 C:\Users\user\AppData\Local\Temp\...\d.exe, PE32 24->108 dropped 110 C:\Users\user\AppData\Local\...\1212411.exe, PE32+ 24->110 dropped 112 7 other malicious files 24->112 dropped 218 Contains functionality to start a terminal service 24->218 37 promotion.exe 24->37         started        40 1212411.exe 24->40         started        43 12321.exe 24->43         started        49 2 other processes 24->49 45 powershell.exe 29->45         started        47 powershell.exe 29->47         started        file10 signatures11 process12 dnsIp13 100 C:\Users\user\AppData\Local\...\promotion.tmp, PE32 37->100 dropped 52 promotion.tmp 37->52         started        190 Writes to foreign memory regions 40->190 192 Allocates memory in foreign processes 40->192 194 Injects a PE file into a foreign processes 40->194 55 MSBuild.exe 40->55         started        58 MSBuild.exe 43->58         started        61 MSBuild.exe 43->61         started        196 Loading BitLocker PowerShell Module 45->196 63 conhost.exe 45->63         started        65 conhost.exe 47->65         started        140 ip-api.com 208.95.112.1, 49693, 49696, 80 TUT-ASUS United States 49->140 142 159.100.17.226, 49694, 49697, 9999 DE-FIRSTCOLOwwwfirst-colonetDE Germany 49->142 102 C:\Users\user\AppData\...behaviorgraphoogleChrome.exe, PE32+ 49->102 dropped 198 Antivirus detection for dropped file 49->198 200 Multi AV Scanner detection for dropped file 49->200 202 Potentially malicious time measurement code found 49->202 67 cmd.exe 1 49->67         started        file14 signatures15 process16 dnsIp17 96 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 52->96 dropped 98 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 52->98 dropped 69 promotion.exe 52->69         started        174 Query firmware table information (likely to detect VMs) 55->174 176 Tries to harvest and steal ftp login credentials 55->176 178 Tries to harvest and steal browser information (history, passwords, etc) 55->178 180 Tries to steal from password manager 55->180 158 mastwin.in 45.61.165.8, 443, 49701, 49703 ASN-QUADRANET-GLOBALUS United States 58->158 182 Tries to steal Crypto Currency Wallets 58->182 184 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 61->184 186 Uses ping.exe to sleep 67->186 188 Uses ping.exe to check the status of other devices and networks 67->188 72 cmd.exe 1 67->72         started        75 conhost.exe 67->75         started        file18 signatures19 process20 file21 104 C:\Users\user\AppData\Local\...\promotion.tmp, PE32 69->104 dropped 77 promotion.tmp 69->77         started        204 Uses ping.exe to sleep 72->204 81 GoogleChrome.exe 14 72->81         started        84 conhost.exe 72->84         started        86 PING.EXE 1 72->86         started        signatures22 process23 dnsIp24 160 95.216.253.60, 49723, 49726, 80 HETZNER-ASDE Germany 77->160 162 ipapi.co 104.26.8.44, 443, 49724 CLOUDFLARENETUS United States 77->162 124 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 77->124 dropped 126 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 77->126 dropped 128 C:\Users\user\AppData\Local\...\T6ZODER8L.exe, PE32+ 77->128 dropped 130 C:\Users\user\AppData\Local\...\2VG5AZSL.exe, PE32+ 77->130 dropped 88 T6ZODER8L.exe 77->88         started        92 2VG5AZSL.exe 77->92         started        164 Potentially malicious time measurement code found 81->164 file25 signatures26 process27 dnsIp28 156 38.180.152.36 COGENT-174US United States 88->156 206 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 88->206 208 Query firmware table information (likely to detect VMs) 88->208 210 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 88->210 216 6 other signatures 88->216 94 WerFault.exe 88->94         started        212 Antivirus detection for dropped file 92->212 214 Binary is likely a compiled AutoIt script file 92->214 signatures29 process30
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/814f37b9a8442eb4633a40b7d4078c9f2e3d9f09c6668eb518bd071200f21aa2
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/a925bbd5bc50cfff6069c5ab5fbc4495
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/814f37b9a8442eb4633a40b7d4078c9f2e3d9f09c6668eb518bd071200f21aa2/
Verdict:
Malicious
Threat:
Family.AMADEY
Link:
https://tip.neiki.dev/file/814f37b9a8442eb4633a40b7d4078c9f2e3d9f09c6668eb518bd071200f21aa2
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2025-07-31 14:41:54 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qfhtponiiqxliyz2ic35ib4mt4xd3hyjyzti5niyxudreahsdkra._file
Verdict:
malicious
Label(s):
amadey
Create hunting rule
Similar samples:
error
Amadey
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:lumma botnet:f5cb85 discovery execution persistence ransomware spyware stealer
Link:
https://tria.ge/reports/250731-pjfkzshp9z/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies registry class
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Program Files directory
Drops file in Windows directory
AutoIT Executable
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Blocklisted process makes network request
Enumerates connected drives
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Lumma family
Lumma Stealer, LummaC
Malware Config
C2 Extraction:
http://45.141.233.196
https://cezgroup.contact/xlak/api
https://mastwin.in/qsaz/api
https://precisionbiomeds.com/ikg
https://physicianusepeptides.com/opu
https://stockwises.eu/xiut/api
https://htsfhtdrjbyy1bgxbv.cfd/vcd
https://xurekodip.com/qpdl
https://utvp1.net/zkaj
https://orienderi.com/xori
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d3f56de7-20d3-4f4a-938a-e674c573f96a
Unpacked files
SH256 hash:
814f37b9a8442eb4633a40b7d4078c9f2e3d9f09c6668eb518bd071200f21aa2
MD5 hash:
a925bbd5bc50cfff6069c5ab5fbc4495
SHA1 hash:
0581743f15c4374043f8873709226090aec5e756
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/b47b7961-3508-4706-b30b-dcfe3f2da6bc/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/814f37b9a844/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/814f37b9a8442eb4633a40b7d4078c9f2e3d9f09c6668eb518bd071200f21aa2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MAL_Win_Amadey_Jun25
Create hunting rule
Author:0x0d4y
Description:This rule detects intrinsic patterns of Amadey version 5.34
Reference:https://0x0d4y.blog/amadey-targeted-analysis/
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:win_amadey_062025
Create hunting rule
Author:0x0d4y
Description:This rule detects intrinsic patterns of Amadey version 5.34.
Reference:https://0x0d4y.blog/amadey-targeted-analysis/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 814f37b9a8442eb4633a40b7d4078c9f2e3d9f09c6668eb518bd071200f21aa2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3593645/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/18079/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::GetSidSubAuthorityCount
ADVAPI32.dll::GetSidSubAuthority
ADVAPI32.dll::RevertToSelf
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdiplusStartup
gdiplus.dll::GdiplusShutdown
gdiplus.dll::GdipGetImageEncodersSize
gdiplus.dll::GdipGetImageEncoders
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::DuplicateTokenEx
ADVAPI32.dll::GetSidIdentifierAuthority
ADVAPI32.dll::ImpersonateLoggedOnUser
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteA
SHELL32.dll::SHFileOperationA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::VirtualAllocEx
KERNEL32.dll::WriteProcessMemory
KERNEL32.dll::CloseHandle
WININET.dll::InternetCloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::GetFileAttributesA
KERNEL32.dll::RemoveDirectoryA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::GetUserNameA
ADVAPI32.dll::LookupAccountNameA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegGetValueA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryInfoKeyW
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_SOCK_APIUses Network to send and receive dataWS2_32.dll::freeaddrinfo
WS2_32.dll::getaddrinfo

Comments