MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87d9c9c924f0d05db80d77980f9bb48f748bd40f3f43bba723ead63235d55434. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Amadey


Vendor detections: 16



SHA256 hash: 87d9c9c924f0d05db80d77980f9bb48f748bd40f3f43bba723ead63235d55434
SHA3-384 hash: 875ad11461c3d804b25b72519de250d0d63901176e71d6e7c6857cc9311f7822f23e2cf00d482d1aff35397ececa2a93
SHA1 hash: 3a640a03af8d94039a9a1e347a8ed618b5709267
MD5 hash: 435489aaa6f0d9c295944ee0b33a750a
humanhash: april-william-fillet-pasta
File name: random.exe
Signature: Amadey
File size: 2'155'520 bytes
First seen: 2025-04-11 07:17:05 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep: 49152:ZR6edUA+KucJm4mutf3Q/FIEP4VeyAVO4v:D9GARfc4Vtf3eFIgsG
Threatray: 1 similar samples on MalwareBazaar
TLSH: T17BA5124988D1DCC6EF08E37637513EA927179548BA820B48D085D5FE6B5F3D3E08B4AB
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika: pebin
Reporter: abuse_ch
Tags: Amadey exe

Intelligence


File Origin
# of uploads :
1
# of downloads :
443
Origin country :
NL
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
random.exe
Verdict:
Malicious activity
Analysis date:
2025-04-11 07:23:50 UTC
Tags:
amadey botnet stealer loader lumma credentialflusher rdp themida

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
vmdetect autorun autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Searching for analyzing tools
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
crypt microsoft_visual_cc packed packed packer_detected
Result
Threat name:
Amadey, LummaC Stealer, Vidar
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected LummaC Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph: ID 1662884 (sample: random.exe, start date: 11/04/2025, architecture: WINDOWS, score: 100); the rendered process/network graph is not reproduced here.
Threat name:
Win32.Malware.Heuristic
Status:
Malicious
First seen:
2025-04-11 07:17:15 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
18 of 24 (75.00%)
Threat level:
  2/5
Result
Malware family:
Score:
  10/10
Tags:
family:amadey botnet:092155 defense_evasion discovery trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
Malware Config
C2 Extraction:
http://176.113.115.6
Unpacked files
SHA256 hash:
87d9c9c924f0d05db80d77980f9bb48f748bd40f3f43bba723ead63235d55434
MD5 hash:
435489aaa6f0d9c295944ee0b33a750a
SHA1 hash:
3a640a03af8d94039a9a1e347a8ed618b5709267
SHA256 hash:
43eda488f8cd5614e5c73ace670f70d28f542e8caac9b92b0d4336450ae9235e
MD5 hash:
6f51cf29a908e07c4f45bd0ff4db4a16
SHA1 hash:
132419623c9b384086d9e13cfe579efbb6c872ef
Detections:
Amadey
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Author:nex
Description:Possibly employs anti-virtualization techniques

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 87d9c9c924f0d05db80d77980f9bb48f748bd40f3f43bba723ead63235d55434 (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_NX | Missing Non-Executable Memory Protection | critical

Comments