MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 994065e0f91b950d6b8b8d5cc42817f22506323206740c570fa1db33746c4de1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 16


Intelligence 16 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 994065e0f91b950d6b8b8d5cc42817f22506323206740c570fa1db33746c4de1
SHA3-384 hash: 06eea131c0ef3ed7f9fa71268fa24ba3aa57ec2ef30b765373e2a428cf4993ef780e4d01f9008992da748d809a57c868
SHA1 hash: d5f4c923e9d3d812edab4df85667f45b6c66f358
MD5 hash: 9d1ee858be90e34a8e70bdb8ad2c5e5a
humanhash: chicken-east-artist-west
File name:am.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:1'543'716 bytes
First seen:2025-08-20 12:50:32 UTC
Last seen:2025-08-20 14:23:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b729b61eb1515fcf7b3e511e4e66258b (70 x LummaStealer, 16 x Rhadamanthys, 8 x Adware.Generic)
ssdeep 24576:oVD0244gJEaVEuTnojXUA9NjmpJoxzVJ6xdO0FRRl00Al4scmM:oSFlPMXUA9NKpJo5VJ6xdd7BAKKM
Threatray 1'524 similar samples on MalwareBazaar
TLSH T15B651202BF919B53D1AA0B3859F3A3245730DAA07F574F538254AD60F8867E93F825EC
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 0086cccccccccc00 (1 x Amadey)
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
http://microsoft-telemetry.cc/cvdfnaFJBmC0/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://microsoft-telemetry.cc/cvdfnaFJBmC0/index.php https://threatfox.abuse.ch/ioc/1571263/

Intelligence

File Origin
# of uploads :
3
# of downloads :
112
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
4fcf4800811bb9eeb679a227190e79620829e9942de2d068c5e3a382bb982180.zip
Verdict:
Malicious activity
Analysis date:
2025-08-20 12:38:22 UTC
Tags:
arch-exec loader lumma stealer autoit purecrypter github miner amadey botnet pureminer netreactor xmrig
Link:
https://app.any.run/tasks/095a39aa-74b0-4600-8f9a-40ff1cf3468b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/22477/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.23741635.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68a5c4ae8fd55a79c5296f10
Tags:
autoit emotet nsis
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Searching for the window
Searching for the Windows task manager window
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a process from a recently created file
Сreating synchronization primitives
DNS request
Possible injection to a system process
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
installer microsoft_visual_cc obfuscated overlay packed packer_detected
Link:
https://www.filescan.io/uploads/68a5c4aaa4bdac9f5ba0b1c2/reports/a873b536-5ba9-4a7f-a8de-7b64a66d7f6c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/994065e0f91b950d6b8b8d5cc42817f22506323206740c570fa1db33746c4de1
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/8246c528-2abd-47c8-9e4f-e63a14f2d78a
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1761018
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to start a terminal service
Detected CypherIt Packer
Drops PE files with a suspicious file extension
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1761018 Sample: am.exe Startdate: 20/08/2025 Architecture: WINDOWS Score: 100 64 telemety-xbox.lol 2->64 66 telemety-sys.lol 2->66 68 2 other IPs or domains 2->68 74 Suricata IDS alerts for network traffic 2->74 76 Found malware configuration 2->76 78 Multi AV Scanner detection for submitted file 2->78 80 6 other signatures 2->80 11 am.exe 26 2->11         started        14 explorer.exe 1 2->14         started        16 explorer.exe 1 2->16         started        18 VisioGraphR.bat 2->18         started        signatures3 process4 file5 58 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 11->58 dropped 20 cmd.exe 1 11->20         started        23 VisioGraphR.bat 14->23         started        process6 signatures7 82 Detected CypherIt Packer 20->82 84 Drops PE files with a suspicious file extension 20->84 86 Uses schtasks.exe or at.exe to add and modify task schedules 20->86 25 cmd.exe 4 20->25         started        28 conhost.exe 20->28         started        process8 file9 52 C:\Users\user\AppData\Local\...\Barbara.pif, PE32 25->52 dropped 54 C:\Users\user\AppData\Local\Temp\51019\B, data 25->54 dropped 30 Barbara.pif 17 25->30         started        35 extrac32.exe 21 25->35         started        37 tasklist.exe 1 25->37         started        39 2 other processes 25->39 process10 dnsIp11 70 microsoft-telemetry.cc 5.252.153.134, 49703, 49704, 49705 WORLDSTREAMNL Russian Federation 30->70 60 C:\Users\user\AppData\...\VisioGraphR.lnk, MS 30->60 dropped 62 C:\Users\user\AppData\...\VisioGraphR.bat, PE32 30->62 dropped 72 Contains functionality to start a terminal service 30->72 41 cmd.exe 2 30->41         started        44 cmd.exe 1 30->44         started        file12 signatures13 process14 file15 56 C:\Users\user\AppData\...\VisioGraphR.url, MS 41->56 dropped 46 conhost.exe 41->46         started        48 conhost.exe 44->48         started        50 schtasks.exe 1 44->50         started        process16
Score:
82%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/994065e0f91b950d6b8b8d5cc42817f22506323206740c570fa1db33746c4de1
Verdict:
inconclusive
YARA:
6 match(es)
Tags:
AutoIt Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/9d1ee858be90e34a8e70bdb8ad2c5e5a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/994065e0f91b950d6b8b8d5cc42817f22506323206740c570fa1db33746c4de1/
Threat name:
Win32.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-08-20 12:51:42 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tfaglyhzdokq224lrvomikax6isqmmrsaz2ayvypuhntg5dmjxqq._file
Verdict:
malicious
Label(s):
unc_loader_058
Create hunting rule
Similar samples:
0d9beb40b14a956556ef97cfa2ac410ec8c7509d35dbd2d050effc8c092e6de9
Amadey
1695039099cdff9bf78f8314bf8b64788b020b5547993ec2c9ec524ad2a4a497
Amadey
21a959472673f6a21bf84f59d0d724280ce7bc3e5c39165efd796c7e429fe2a1
Amadey
2d04c13fd74da6be1a58c55a30a2b753656d6a1aa1b0c6d426fe861f37de47c3
Amadey
3db0bd4805036701a3f31c61a988e14c319638f11a7456d5a6d0e78e6ca793c6
Amadey
3db9393125c88e1e0e9a83755069389cceb4b59bafccbeb0b9c928da78864a0e
Amadey
52f3ef0a1a09634bce792ea5eab5f7b5d87352b9eb39b6164b6a3071fbd4d887
Amadey
6a232c8c2bbdc5d00a6d2aad9e9d748b9f2b02fe0bb158da3ba41f0563ecf54f
Amadey
97740aaf2ebfb2699aded110694ea7522c2c52cb6679d82f929d23d2626e11ef
Amadey
9d1fb3557af008bd1c383ef15f5870f78c6f299ea23781c6b5326d602644fe68
Amadey
error
Amadey
+ 1'514 additional samples on MalwareBazaar
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey botnet:9a8fe7 discovery execution persistence trojan
Link:
https://tria.ge/reports/250820-p3bq5stmv9/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Drops startup file
Executes dropped EXE
Loads dropped DLL
Amadey
Amadey family
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
http://microsoft-telemetry.cc
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/814187cc-d383-4055-aeb5-6481d54f8d79
Unpacked files
SH256 hash:
994065e0f91b950d6b8b8d5cc42817f22506323206740c570fa1db33746c4de1
MD5 hash:
9d1ee858be90e34a8e70bdb8ad2c5e5a
SHA1 hash:
d5f4c923e9d3d812edab4df85667f45b6c66f358
Link:
https://www.unpac.me/results/fe9dd2e8-1db0-42e9-8ef5-5fb7ab1976f0/
SH256 hash:
bb4fb924885b8d6719cb88e7f231abcbb7c2a1c69be92a12ce7bb56bed9129e3
MD5 hash:
094ae615109634f48bede4a612e36fc8
SHA1 hash:
a8b8cbf4d8a7f368b3ae53090bab40a2793657eb
Link:
https://www.unpac.me/results/fe9dd2e8-1db0-42e9-8ef5-5fb7ab1976f0/
SH256 hash:
8165c7aef7de3d3e0549776535bedc380ad9be7bb85e60ad6436f71528d092af
MD5 hash:
08e9796ca20c5fc5076e3ac05fb5709a
SHA1 hash:
07971d52dcbaa1054060073571ced046347177f7
Link:
https://www.unpac.me/results/fe9dd2e8-1db0-42e9-8ef5-5fb7ab1976f0/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/994065e0f91b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/994065e0f91b950d6b8b8d5cc42817f22506323206740c570fa1db33746c4de1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 994065e0f91b950d6b8b8d5cc42817f22506323206740c570fa1db33746c4de1

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/22477/
  
URLhaus
https://urlhaus.abuse.ch/url/3607240/
  
Delivery method
Distributed via web download

Comments