MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 83e2da5c31bfc959a3c8933425033efd0ffa10de87dbff72be9da672f3ad8d41. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 19

Intelligence 19 IOCs 1 YARA 17 File information Comments

SHA256 hash:	83e2da5c31bfc959a3c8933425033efd0ffa10de87dbff72be9da672f3ad8d41
SHA3-384 hash:	a78e553c6ad7c74f3f5a5fa51ca2f56666039110857d04ddf59704f59244c69e4a9636b30527783f9ad6036d8e9700eb
SHA1 hash:	decfdace15341fdf0a054b9773296915db084088
MD5 hash:	f6b62e6d68452a089027895eb53fc0ce
humanhash:	wolfram-cold-vegan-ink
File name:	f6b62e6d68452a089027895eb53fc0ce.exe
Download:	download sample
Signature	Amadey Create hunting rule
File size:	1'091'584 bytes
First seen:	2025-08-17 15:40:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	24576:Ud4oouMQDcO3yd15Fsd4Vwols8LT7WX+3oPAs1Ys8J:UfVpDBCd1Y4VEST9mtOs
TLSH	T162353398E3E09B26D277067978620B0041D4B503C613B32FEF4925C5FED2ADD45FA66B
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	abuse_ch
Tags:	Amadey exe

abuse_ch

Amadey C2:
http://telemetrywatson.live/b9kdj3s3C2/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://telemetrywatson.live/b9kdj3s3C2/index.php	https://threatfox.abuse.ch/ioc/1570058/

Intelligence

File Origin

# of uploads :

# of downloads :

125

Origin country :

Vendor Threat Intelligence

Malware family:

amadey

ID:

File name:

ebaa577c53ef73b559d7fa8f02c176771219db627b0a97af8ebb1220031877b0.bin.exe

Verdict:

Malicious activity

Analysis date:

2025-08-13 20:01:16 UTC

Tags:

gcleaner loader lumma stealer auto autoit telegram auto-startup amadey botnet auto-reg redline inno installer rdp stealc

Link:

https://app.any.run/tasks/db20e5b9-7757-4a9e-ad89-22711acb20c3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/21835/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68a1f7fa8fd55a79c52877fd

Tags:

n/a

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Unauthorized injection to a recently created process

Restart of the analyzed sample

Сreating synchronization primitives

Connection attempt to an infection source

Query of malicious DNS domain

Enabling autorun by creating a file

Sending an HTTP POST request to an infection source

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

crypt obfuscated obfuscated packed packed packer_detected

Link:

https://www.filescan.io/uploads/68a1f7ffabfbaec31824478a/reports/b39ad142-9400-4aee-9fe6-e7574042cad6/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/83e2da5c31bfc959a3c8933425033efd0ffa10de87dbff72be9da672f3ad8d41

Malware family:

Amadey

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/38ed927a-039c-4998-8a42-f6bdcef0a62a

Result

Threat name:

Amadey, PureLog Stealer, ResolverRAT

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1758841

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to start a terminal service

Drops VBS files to the startup folder

Found malware configuration

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Sigma detected: Drops script at startup location

Sigma detected: WScript or CScript Dropper

Suricata IDS alerts for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Yara detected Amadey

Yara detected Amadeys Clipper DLL

Yara detected AntiVM3

Yara detected Costura Assembly Loader

Yara detected PureLog Stealer

Yara detected ResolverRAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/83e2da5c31bfc959a3c8933425033efd0ffa10de87dbff72be9da672f3ad8d41

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.38 Win 32 Exe x86

Link:

https://app.malva.re/file/f6b62e6d68452a089027895eb53fc0ce

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/83e2da5c31bfc959a3c8933425033efd0ffa10de87dbff72be9da672f3ad8d41/

Verdict:

Malicious

Threat:

Family.AMADEY

Link:

https://tip.neiki.dev/file/83e2da5c31bfc959a3c8933425033efd0ffa10de87dbff72be9da672f3ad8d41

Threat name:

Win32.Trojan.Spynoon

Status:

Malicious

First seen:

2025-08-13 22:29:13 UTC

AV detection:

16 of 23 (69.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qprnuxbrx7evti6ism2ckaz67uh7ueg6q7n764v6twthf45nrvaq._file

Verdict:

malicious

Label(s):

amadey

Similar samples:

error

Amadey

Result

Malware family:

amadey

Score:

10/10

Tags:

family:amadey botnet:58f169 defense_evasion discovery execution persistence trojan

Link:

https://tria.ge/reports/250817-s4jpxswygv/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Adds Run key to start application

Enumerates connected drives

Checks computer location settings

Drops startup file

Executes dropped EXE

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Modifies trusted root certificate store through registry

Amadey

Amadey family

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/30f4a07c-bd8a-4003-a2d9-5b8ffdaf5c8e

Unpacked files

SH256 hash:

ad993e01e00a9a17743caf00c83d4561a2b7a74018a6e055dca3cdc2e2be9648

MD5 hash:

446534511786b53cc3c95c432130cff4

SHA1 hash:

07d4885189f66fcd1a4929b718d1ceeef5a661cb

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/a415966d-8f39-4a42-b977-aa1a5299697e/

SH256 hash:

19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372

MD5 hash:

4e29f75c0c51b9dec76955f0382d9541

SHA1 hash:

4899aa8e3f57339cbaec8faab777897a76fe1c3a

Link:

https://www.unpac.me/results/a415966d-8f39-4a42-b977-aa1a5299697e/

SH256 hash:

4e441f92766efc2d3a6a9155161782e2601fde20c1566cda5b9a74b91969de09

MD5 hash:

a965b011529dfeb0e3091a597232dc6c

SHA1 hash:

8b4c1530c58fba4d8b5531be82afa2a546f24d1d

Detections:

Amadey

Link:

https://www.unpac.me/results/a415966d-8f39-4a42-b977-aa1a5299697e/

Parent samples :

031dbb2abab32fa35f27c03c86cb1533dfd46562ab91594f0ae0d4296ee91638
1626d048d160be512ed5e4e9755c924980a09d1759216ff3ea2966a0347d0ce7
83e2da5c31bfc959a3c8933425033efd0ffa10de87dbff72be9da672f3ad8d41

SH256 hash:

3b084296ed042fce589808c1246d8a2e4b3e9fcc99b379c51622fe0d732e5c49

MD5 hash:

edfad0e476329e1b658a63dab415d230

SHA1 hash:

f655ad95729e062a639227145e34163c963f1d0d

Link:

https://www.unpac.me/results/a415966d-8f39-4a42-b977-aa1a5299697e/

SH256 hash:

83e2da5c31bfc959a3c8933425033efd0ffa10de87dbff72be9da672f3ad8d41

MD5 hash:

f6b62e6d68452a089027895eb53fc0ce

SHA1 hash:

decfdace15341fdf0a054b9773296915db084088

Link:

https://www.unpac.me/results/a415966d-8f39-4a42-b977-aa1a5299697e/

Malware family:

Amadey

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/83e2da5c31bf/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/83e2da5c31bfc959a3c8933425033efd0ffa10de87dbff72be9da672f3ad8d41

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MAL_Win_Amadey_Jun25 Create hunting rule
Author:	0x0d4y
Description:	This rule detects intrinsic patterns of Amadey version 5.34
Reference:	https://0x0d4y.blog/amadey-targeted-analysis/

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	win_amadey_062025 Create hunting rule
Author:	0x0d4y
Description:	This rule detects intrinsic patterns of Amadey version 5.34.
Reference:	https://0x0d4y.blog/amadey-targeted-analysis/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/21835/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample