MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8be7f594f8773283f61d37ce24b74985e5569d9c1396c07848e1469a81cd3f5f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Amadey


Vendor detections: 13


SHA256 hash: 8be7f594f8773283f61d37ce24b74985e5569d9c1396c07848e1469a81cd3f5f
SHA3-384 hash: cae19595f9955c6711ce0a104e0ec41c63e2c5dd72aedfb06a7779cb165232fb03a3b2b90b9328421287dc365c24a6e2
SHA1 hash: 1bab43dd447d6097352985652758f560313433eb
MD5 hash: 99a8d3cbe6f6c2c9ab6f420e6933defc
humanhash: diet-fourteen-mobile-happy
File name: file
Signature: Amadey
File size: 2'740'927 bytes
First seen: 2026-03-09 15:43:14 UTC
Last seen: 2026-03-09 17:36:04 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: ac4ded70f85ef621e5f8917b250855be (54 x OffLoader, 3 x Tofsee, 3 x QuasarRAT)
ssdeep: 49152:kN61T1mUVRGHtuigPt/rYmtasswUJbnbVfTRhx8:kN66UviuPPtzY0arw6pfR8
TLSH: T1A7C5E137B28A633EE46E5A3759B2D2205C3B7A61A41F8C1696E44C4CCF2E0601E7F757
TrID: 49.2% (.EXE) Inno Setup installer (107240/4/30)
      19.7% (.EXE) InstallShield setup (43053/19/16)
      19.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
      3.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      2.9% (.EXE) Win64 Executable (generic) (6522/11/2)
Magika: pebin
Reporter: Bitsight
Tags: Amadey dropped-by-amadey exe fbf543


Bitsight
url: https://qpgroup.top/uploads/Coral_Setup.exe

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://sys32.cc/Mir8s4ZZZru/index.php
ThreatFox Reference: https://threatfox.abuse.ch/ioc/1762325/

Intelligence


File Origin
# of uploads: 14
# of downloads: 240
Origin country: US
Vendor Threat Intelligence
Malware family:
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2026-03-09 15:43:49 UTC
Tags: amadey botnet stealer
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
File Type: exe x32
Detections: Trojan.Win32.AntiAV.sb Trojan.Win32.AntiAV.ddtm Trojan-PSW.Win32.Lumma.abow Trojan-PSW.Lumma.HTTP.Download Trojan.Win32.Gatak.sb

Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Threat name: Win32.Packed.Generic
Status: Suspicious
First seen: 2026-03-09 15:44:22 UTC
File Type: PE (Exe)
Extracted files: 4
AV detection: 16 of 24 (66.67%)
Threat level: 1/5

Verdict: malicious
Label(s):
Similar samples:

Result
Malware family:
Score: 10/10
Tags: family:amadey defense_evasion discovery execution installer trojan
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Inno Setup is an open-source installation builder for Windows applications.
System Location Discovery: System Language Discovery
Checks installed software on the system
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Loads dropped DLL
Amadey
Amadey family
Detects Amadey x86-bit Payload
Unpacked files
SHA256 hash: 8be7f594f8773283f61d37ce24b74985e5569d9c1396c07848e1469a81cd3f5f
MD5 hash: 99a8d3cbe6f6c2c9ab6f420e6933defc
SHA1 hash: 1bab43dd447d6097352985652758f560313433eb

SHA256 hash: 3d8b648e2c034f8bde785a7308d43aed21c9ca844bf35d7b8ce8f80ee1bd73fa
MD5 hash: 451243808d158de0f4e627e683b3b04b
SHA1 hash: e889ac8b0372eaa0581993713c9974fa188c2513

SHA256 hash: 388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95
MD5 hash: e4211d6d009757c078a9fac7ff4f03d4
SHA1 hash: 019cd56ba687d39d12d4b13991c9a42ea6ba03da

SHA256 hash: 646a6e0ca91d52d667a5ff580de21d5a82ddf28fccc0bcef8c87273f84a77467
MD5 hash: ffdbcb325ed248d51e2f9f0c8d99e573
SHA1 hash: d7c34147bea4be0b6cc8920f8db474c9ce273d47
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Borland
Author: malware-lu

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: pe_detect_tls_callbacks

Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  Amadey
    Executable exe 8be7f594f8773283f61d37ce24b74985e5569d9c1396c07848e1469a81cd3f5f (this sample)

Dropped by: Amadey
Delivery method: Distributed via web download
