MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91c0848f6ce21b90c0452e200d8182da8f4942de5bb014d3359fdab150e6229f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 18


Intelligence 18 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 91c0848f6ce21b90c0452e200d8182da8f4942de5bb014d3359fdab150e6229f
SHA3-384 hash: 74ad3337d0d824702d97109d682cd0d69f479378cbaf090312a2c2f8dd28e0c72482cbc1953d018b91d05646b6bf508f
SHA1 hash: c40fa61d617a9440d9e0f02ebb9a1677c89152f9
MD5 hash: 820c905d2eecac47f9be34e66a208358
humanhash: hotel-hotel-lamp-skylark
File name:820C905D2EECAC47F9BE34E66A208358.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:4'987'392 bytes
First seen:2025-07-27 17:20:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 98304:XBYlQfhiainc0kc6pNQIT9EhU6JHJAfgRYKK4hyDLp1t:Rzpi9f6pucEU0HFVhyDF1t
TLSH T1C9363309F3E9003AF9AC17B549B203C72B697EB1ED51865A650F2A0C5DF23B866743C7
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10522/11/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
147.185.221.30:34037

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
147.185.221.30:34037 https://threatfox.abuse.ch/ioc/1561176/

Intelligence

File Origin
# of uploads :
1
# of downloads :
99
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
_91c0848f6ce21b90c0452e200d8182da8f4942de5bb014d3359fdab150e6229f.exe
Verdict:
Malicious activity
Analysis date:
2025-07-27 17:29:17 UTC
Tags:
lumma stealer amadey botnet rdp arch-exec
Link:
https://app.any.run/tasks/4cb385b6-729c-4924-8ef8-5ab3825ebaf1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Lumma
Create hunting rule
Link:
https://www.capesandbox.com/analysis/17193/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68865fe50b4775fb21322f6f
Tags:
vmdetect autorun emotet autoit
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Сreating synchronization primitives
Searching for analyzing tools
DNS request
Behavior that indicates a threat
Connection attempt
Sending a custom TCP request
Creating a window
Searching for the window
Searching for synchronization primitives
Creating a file
Running batch commands
Launching a process
Sending an HTTP POST request
Launching a service
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-vm anti-vm CAB crypt explorer fingerprint installer lolbin microsoft_visual_cc overlay packed rundll32 runonce sfx
Link:
https://www.filescan.io/uploads/68865fdf13488cfd44da7aee/reports/635ffe7b-df14-4868-b890-59417ad01432/overview
Verdict:
Malicious
Labled as:
Crifi.Generic
Link:
https://www.hybrid-analysis.com/sample/91c0848f6ce21b90c0452e200d8182da8f4942de5bb014d3359fdab150e6229f
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/380c8a00-2606-47b2-ac86-a0e28d17054e
Result
Threat name:
Amadey, LummaC Stealer, Vidar, XWorm, Xm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1745041
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to start a terminal service
Detected unpacking (changes PE section rights)
Drops password protected ZIP file
Found API chain indicative of sandbox detection
Found malware configuration
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Performs DNS queries to domains with low reputation
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation STDIN+ Launcher
Sigma detected: PUA - NSudo Execution
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the nircmd tool (NirSoft)
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected LummaC Stealer
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1745041 Sample: fPd7hM2Yaj.exe Startdate: 27/07/2025 Architecture: WINDOWS Score: 100 122 royaltbn.xyz 2->122 124 woodenso.top 2->124 126 8 other IPs or domains 2->126 136 Suricata IDS alerts for network traffic 2->136 138 Found malware configuration 2->138 140 Malicious sample detected (through community Yara rule) 2->140 144 21 other signatures 2->144 11 fPd7hM2Yaj.exe 1 4 2->11         started        14 471ZeAgL.exe 2->14         started        17 svchost.exe 2->17         started        19 5 other processes 2->19 signatures3 142 Performs DNS queries to domains with low reputation 122->142 process4 file5 108 C:\Users\user\AppData\Local\...\2r0677.exe, PE32 11->108 dropped 110 C:\Users\user\AppData\Local\...\1G14X8.exe, PE32 11->110 dropped 21 2r0677.exe 7 11->21         started        25 1G14X8.exe 11->25         started        178 Binary is likely a compiled AutoIt script file 14->178 28 cmd.exe 14->28         started        30 4gaI6h17.exe 14->30         started        32 cmd.exe 14->32         started        34 cmd.exe 14->34         started        180 Changes security center settings (notifications, updates, antivirus, firewall) 17->180 signatures6 process7 dnsIp8 94 C:\DIwd5aX\a4irJxYG.exe, PE32 21->94 dropped 96 C:\DIwd5aX\Pbk0dijA.exe, PE32 21->96 dropped 98 C:\DIwd5aX\471ZeAgL.exe, PE32 21->98 dropped 162 Multi AV Scanner detection for dropped file 21->162 36 cmd.exe 1 21->36         started        128 steamcommunity.com 23.54.187.178, 443, 49714 AKAMAI-ASUS United States 25->128 164 Detected unpacking (changes PE section rights) 25->164 166 Tries to detect sandboxes and other dynamic analysis tools (window names) 25->166 168 Tries to evade debugger and weak emulator (self modifying code) 25->168 174 3 other signatures 25->174 170 Suspicious powershell command line found 28->170 39 powershell.exe 28->39         started        41 conhost.exe 28->41         started        172 Contains functionality to start a terminal service 30->172 43 conhost.exe 32->43         started        45 schtasks.exe 32->45         started        47 conhost.exe 34->47         started        49 Pbk0dijA.exe 34->49         started        file9 signatures10 process11 signatures12 152 Suspicious powershell command line found 36->152 154 Uses cmd line tools excessively to alter registry or file data 36->154 156 Bypasses PowerShell execution policy 36->156 160 2 other signatures 36->160 51 471ZeAgL.exe 36->51         started        54 a4irJxYG.exe 15 36->54         started        57 conhost.exe 36->57         started        158 Loading BitLocker PowerShell Module 39->158 59 tasklist.exe 43->59         started        process13 file14 146 Multi AV Scanner detection for dropped file 51->146 148 Binary is likely a compiled AutoIt script file 51->148 150 Found API chain indicative of sandbox detection 51->150 61 4gaI6h17.exe 54 51->61         started        66 cmd.exe 51->66         started        68 cmd.exe 1 51->68         started        70 cmd.exe 51->70         started        100 C:\Users\user\AppData\Local\...\nircmd.exe, PE32+ 54->100 dropped 102 C:\Users\user\AppData\Local\...\cecho.exe, PE32 54->102 dropped 104 C:\Users\user\AppData\Local\...104SudoLG.exe, PE32+ 54->104 dropped 106 2 other malicious files 54->106 dropped 72 cmd.exe 54->72         started        signatures15 process16 dnsIp17 130 94.154.35.25, 49716, 49717, 49726 SELECTELRU Ukraine 61->130 132 176.46.158.8, 49722, 49727, 80 ESTPAKEE Iran (ISLAMIC Republic Of) 61->132 134 167.160.161.247 ASN-QUADRANET-GLOBALUS United States 61->134 112 C:\Users\user\AppData\Local\...\gqTUy7K.exe, PE32+ 61->112 dropped 114 C:\Users\user\AppData\Local\...\0jsyXSF.exe, PE32 61->114 dropped 116 C:\Users\user\AppData\Local\...\AK2mfNd.exe, PE32+ 61->116 dropped 118 24 other malicious files 61->118 dropped 182 Multi AV Scanner detection for dropped file 61->182 184 Contains functionality to start a terminal service 61->184 186 Suspicious powershell command line found 66->186 74 powershell.exe 66->74         started        77 conhost.exe 66->77         started        79 Pbk0dijA.exe 2 68->79         started        82 conhost.exe 68->82         started        84 conhost.exe 70->84         started        86 schtasks.exe 70->86         started        188 Uses cmd line tools excessively to alter registry or file data 72->188 88 conhost.exe 72->88         started        90 nircmd.exe 72->90         started        92 20 other processes 72->92 file18 signatures19 process20 file21 176 Loading BitLocker PowerShell Module 74->176 120 C:\DIwd5aX\4gaI6h17.exe, PE32 79->120 dropped signatures22
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/91c0848f6ce21b90c0452e200d8182da8f4942de5bb014d3359fdab150e6229f
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
CAB:COMPRESSION:LZX Executable PDB Path PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/820c905d2eecac47f9be34e66a208358
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/91c0848f6ce21b90c0452e200d8182da8f4942de5bb014d3359fdab150e6229f/
Verdict:
Malicious
Threat:
Trojan-PSW.Win32.HTTP
Link:
https://tip.neiki.dev/file/91c0848f6ce21b90c0452e200d8182da8f4942de5bb014d3359fdab150e6229f
Threat name:
Win32.Spyware.Lummastealer
Create hunting rule
Status:
Malicious
First seen:
2025-07-26 09:18:00 UTC
File Type:
PE (Exe)
Extracted files:
147
AV detection:
27 of 36 (75.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=shaijd3m4inzbqcffyqa3amc3khusqw6loybjuzvt7nlcuhgekpq._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
error
Amadey
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:deerstealer family:lumma family:xmrig family:xworm botnet:fbf543 defense_evasion discovery execution miner persistence rat stealer trojan upx
Link:
https://tria.ge/reports/250727-vwn1sazydy/
Behaviour
Checks processor information in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies registry key
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Embeds OpenSSL
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Windows directory
Launches sc.exe
AutoIT Executable
Drops file in System32 directory
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
UPX packed file
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Checks BIOS information in registry
Checks computer location settings
Cryptocurrency Miner
Drops startup file
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Downloads MZ/PE file
Sets service image path in registry
Stops running service(s)
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner payload
Amadey
Amadey family
DeerStealer
Deerstealer family
Detect Xworm Payload
Detects DeerStealer
Disables service(s)
Lumma Stealer, LummaC
Lumma family
Suspicious use of NtCreateUserProcessOtherParentProcess
Xmrig family
Xworm
Xworm family
xmrig
Malware Config
C2 Extraction:
https://perpenab.icu/xiut
https://royaltbn.xyz/xaoi
https://columnez.shop/xlak
https://mixp.digital/amnt
https://woodenso.top/xaoi
https://foundrr.bet/zuqy
https://onyxistn.bet/xlkg
https://keulkgl.fun/qpdl
https://nanoceus.run/agkr
http://94.154.35.25
release-deficit.gl.at.ply.gg:34037
Verdict:
Malicious
Tags:
stealer redline Win.Packed.Nanocore-9942160-0
YARA:
win_redline_wextract_hunting_oct_2023
Link:
https://app.threat.zone/submission/638bd15c-1aaf-48b5-9522-bc7f86cf4be3
Unpacked files
SH256 hash:
91c0848f6ce21b90c0452e200d8182da8f4942de5bb014d3359fdab150e6229f
MD5 hash:
820c905d2eecac47f9be34e66a208358
SHA1 hash:
c40fa61d617a9440d9e0f02ebb9a1677c89152f9
Link:
https://www.unpac.me/results/5d183dd6-e4fa-4a3c-901a-4110afadfcd1/
SH256 hash:
add699e085b6f9d20a7617536e11de0bf057c8e0d8bd48093cbdc891119729e4
MD5 hash:
09fd31aef46dbd6f84c9c9021901bc5a
SHA1 hash:
9bf239ad567f6c68381ae624d5112a6f241e0c34
Link:
https://www.unpac.me/results/5d183dd6-e4fa-4a3c-901a-4110afadfcd1/
SH256 hash:
339738ea897b5fc0de04e98e26bfa1abd0bd67df26f53ba92fef8e76994994a3
MD5 hash:
340d785d3bfb8ecd7423016d1adbe547
SHA1 hash:
8e99d30807aac7b26433936adca2c8d542e0c6eb
Link:
https://www.unpac.me/results/5d183dd6-e4fa-4a3c-901a-4110afadfcd1/
SH256 hash:
b2e64cc1df2b31eb4ced1ced76475209b4aa639fe0ff306f214503f9cb6167ea
MD5 hash:
8dd649e62b819519e0bac70b1c68ba48
SHA1 hash:
5626e29afb5b12dac032d7fd8548736ca74ced40
Link:
https://www.unpac.me/results/5d183dd6-e4fa-4a3c-901a-4110afadfcd1/
SH256 hash:
9b4f77776ea7889f9e79a3528a19ec6266258c29bc24ac8ea96050663cf4133b
MD5 hash:
f3137deec73ca1f83d37459cf402ea7d
SHA1 hash:
bd0a5af23d4c3a1eaace87037ebe342734fa336e
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/5d183dd6-e4fa-4a3c-901a-4110afadfcd1/
SH256 hash:
3c7959d26a0e983a65a0f0cb9501567ad6b7149f9052e649649d1f4f8390480a
MD5 hash:
d6a28e90544f88191342edd75cd1732b
SHA1 hash:
25f16dc288f9f819b113f090227c32f36704c6d1
Link:
https://www.unpac.me/results/5d183dd6-e4fa-4a3c-901a-4110afadfcd1/
SH256 hash:
aa1bea28655ecca11df0690d205c82881893e90bec971672c4b3b848445d79a9
MD5 hash:
a0fdc7e1d49d8e063f7b9d3cd69f94c3
SHA1 hash:
7e79a5e72b75f9ff533bdd32a554d2562361b3e2
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/5d183dd6-e4fa-4a3c-901a-4110afadfcd1/
SH256 hash:
0b561c06f1d9beae2c21dc1c3702b7bd42902f6c9ab382bbe6429599686d0816
MD5 hash:
0d135dedcd4a72c7ad07166a7b685ca5
SHA1 hash:
e3142466cd22af01ef51aab2271cf6fb7002de8d
Link:
https://www.unpac.me/results/5d183dd6-e4fa-4a3c-901a-4110afadfcd1/
SH256 hash:
84650e28d06640c00b558b1a80fac3dbb80e6f94b26bdaeee0eb80f1c58fb0f4
MD5 hash:
b64e019681970678d241fd96e184a73a
SHA1 hash:
f340dd298b3bc6e6c26fab53b2930b3db511c868
Link:
https://www.unpac.me/results/5d183dd6-e4fa-4a3c-901a-4110afadfcd1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/91c0848f6ce21b90c0452e200d8182da8f4942de5bb014d3359fdab150e6229f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/17193/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::EqualSid
ADVAPI32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetDriveTypeA
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetSystemInfo
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::GetWindowsDirectoryA
KERNEL32.dll::GetSystemDirectoryA
KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryInfoKeyA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageA

Comments