MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 998e3d65c6f21e625c375c23b2b11bcf3daed893f71141791e58587ed3500e23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 17


Intelligence 17 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 998e3d65c6f21e625c375c23b2b11bcf3daed893f71141791e58587ed3500e23
SHA3-384 hash: 6f1ab784da9c483f4a34039429180f6f1a3e15a40b86c9e06769cf1c3bf7d668f5c09bc5f8dc31d569d90f1bc8aade61
SHA1 hash: c2dee72a6f3382007c8eee07445e5c3890a70a90
MD5 hash: 7cfd9c4f3504d836f9d00b06839379de
humanhash: april-seventeen-apart-solar
File name:7cfd9c4f3504d836f9d00b06839379de.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:1'593'888 bytes
First seen:2025-02-05 16:42:28 UTC
Last seen:2025-02-05 17:47:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:3pnqLQBbHiqEJsgsEPDiCCEdmM2BpXh9EtMNqBOBZwrrZqPE8:tbibsE2CqEFITyZqP
Threatray 38 similar samples on MalwareBazaar
TLSH T17F758D86AED58B76C6882374C5D31A6CF3EBF008735FD29B24DA16F5588B7128C20779
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter abuse_ch
Tags:Amadey exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
475
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
7cfd9c4f3504d836f9d00b06839379de.exe
Verdict:
Malicious activity
Analysis date:
2025-02-05 16:43:34 UTC
Tags:
purecrypter netreactor amadey
Link:
https://app.any.run/tasks/482124a5-b518-414e-98c7-41494823082e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.MulDrop28.52944.4145.858.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67a3971351193558eb197e9b
Tags:
agenttesla autorun crysan
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Restart of the analyzed sample
Сreating synchronization primitives
Creating a file
Creating a window
Searching for synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
DNS request
Connection attempt
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
dotfuscator dotfuscator invalid-signature obfuscated obfuscated obfuscated packed packed packer_detected signed
Link:
https://www.filescan.io/uploads/67a395278f20777d936bb6e3/reports/6c012e1f-2881-46a4-babd-47754ba66d32/overview
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/998e3d65c6f21e625c375c23b2b11bcf3daed893f71141791e58587ed3500e23
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a07912e0-b817-4086-8ae9-5683b64032d8
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1607540
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Drops VBS files to the startup folder
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1607540 Sample: aZpYzAbOTN.exe Startdate: 05/02/2025 Architecture: WINDOWS Score: 100 47 jlgenfekjlfnvtgpegkwr.xyz 2->47 49 cobolrationumelawrtewarms.com 2->49 51 Found malware configuration 2->51 53 Antivirus detection for URL or domain 2->53 55 Multi AV Scanner detection for submitted file 2->55 59 12 other signatures 2->59 9 aZpYzAbOTN.exe 5 2->9         started        13 wscript.exe 1 2->13         started        15 Gxtuum.exe 2 2->15         started        17 Gxtuum.exe 2->17         started        signatures3 57 Performs DNS queries to domains with low reputation 47->57 process4 file5 39 C:\Users\user\AppData\...\brokerutil.exe, PE32 9->39 dropped 41 C:\Users\user\AppData\...\brokerutil.vbs, ASCII 9->41 dropped 43 C:\Users\...\brokerutil.exe:Zone.Identifier, ASCII 9->43 dropped 67 Contains functionality to start a terminal service 9->67 69 Drops VBS files to the startup folder 9->69 71 Contains functionality to inject code into remote processes 9->71 73 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->73 19 aZpYzAbOTN.exe 5 9->19         started        75 Windows Scripting host queries suspicious COM object (likely to drop second stage) 13->75 23 brokerutil.exe 2 13->23         started        77 Injects a PE file into a foreign processes 15->77 25 Gxtuum.exe 15->25         started        signatures6 process7 file8 35 C:\Users\user\AppData\Local\...behaviorgraphxtuum.exe, PE32 19->35 dropped 37 C:\Users\user\...behaviorgraphxtuum.exe:Zone.Identifier, ASCII 19->37 dropped 61 Contains functionality to start a terminal service 19->61 27 Gxtuum.exe 2 19->27         started        63 Multi AV Scanner detection for dropped file 23->63 65 Machine Learning detection for dropped file 23->65 30 brokerutil.exe 23->30         started        signatures9 process10 signatures11 79 Multi AV Scanner detection for dropped file 27->79 81 Contains functionality to start a terminal service 27->81 83 Machine Learning detection for dropped file 27->83 32 Gxtuum.exe 12 27->32         started        process12 dnsIp13 45 cobolrationumelawrtewarms.com 89.35.131.209, 49737, 49738, 49746 INTERSAT-ASIonRatiunr33RO Romania 32->45
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/998e3d65c6f21e625c375c23b2b11bcf3daed893f71141791e58587ed3500e23
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/998e3d65c6f21e625c375c23b2b11bcf3daed893f71141791e58587ed3500e23/
Threat name:
Win32.Trojan.Jalapeno
Create hunting rule
Status:
Malicious
First seen:
2024-12-17 23:23:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tghd2zog6ipgexbxlqr3fmi3z4625wet64iuc6i6lbmh5u2qbyrq._file
Verdict:
malicious
Label(s):
amadey
Create hunting rule
Similar samples:
003b43813ec5522429efc587a873871a2d6fc14c4c9c6008a7d27bce0920db19
Amadey
48156752f6d6ae585d0058643156f6744700cfa263513f2e9365c8122d65c6bc
Amadey
77f2a6a87fd5aca73be774e267907427277d863f335fea09ccfb4b693d5a0287
Amadey
998e3d65c6f21e625c375c23b2b11bcf3daed893f71141791e58587ed3500e23
Amadey
a3fd7cf1118e49f338df1468c7a29992c0c3ae0a70aac065a6ff5f99622d48bc
Amadey
d5e8c736723b1331e51ab7f5ce3d39a312c2d8274c138c0c26c1a3823041ba8b
Amadey
error
Amadey
+ 28 additional samples on MalwareBazaar
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey discovery trojan
Link:
https://tria.ge/reports/250205-t797qavmax/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks computer location settings
Drops startup file
Executes dropped EXE
Amadey
Amadey family
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8b92fa17-4816-4088-b1a6-473bdf2a5021
Unpacked files
SH256 hash:
998e3d65c6f21e625c375c23b2b11bcf3daed893f71141791e58587ed3500e23
MD5 hash:
7cfd9c4f3504d836f9d00b06839379de
SHA1 hash:
c2dee72a6f3382007c8eee07445e5c3890a70a90
Link:
https://www.unpac.me/results/7a6b062b-691d-4fcc-acc7-9580daf46267/
SH256 hash:
b6aabefea92c30cc736ebfd9d8a76f5a7ac527d001e0704520f9bf8f6e8d6f0c
MD5 hash:
cab05293d80cdc0a4fffbc5c800febe9
SHA1 hash:
55e35b3a7c8b6ee62dd7fc01b10ea85a1de6ad29
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/7a6b062b-691d-4fcc-acc7-9580daf46267/
SH256 hash:
78f73e1734daa918b253517c75971fbb8df773a3d77d02a752e9a0ad1711a677
MD5 hash:
f9d2985aa1c41cca281321fffb5ed424
SHA1 hash:
3a7a58d2dcae2762882357ae34d372744b1dbb9d
Link:
https://www.unpac.me/results/7a6b062b-691d-4fcc-acc7-9580daf46267/
SH256 hash:
19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash:
4e29f75c0c51b9dec76955f0382d9541
SHA1 hash:
4899aa8e3f57339cbaec8faab777897a76fe1c3a
Link:
https://www.unpac.me/results/7a6b062b-691d-4fcc-acc7-9580daf46267/
SH256 hash:
ca88a597ed2127de7a2cb2f5b3e82d61035e9e2d5714ec5c0ae1659ef1c13df7
MD5 hash:
1508a5d67bf9beb497b97cc5eff91c5e
SHA1 hash:
69c93e632d29fda0f093eacdadd434066f307343
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/7a6b062b-691d-4fcc-acc7-9580daf46267/
SH256 hash:
dd3c5472a868599c3d6b26e99a8798c1872016db45a7b0efca1a0209e8150f6a
MD5 hash:
d70892e6c6d3dc4784b5e059f0be5bb4
SHA1 hash:
f17e795cf6e72dba52e7d8ff4858ddee5cb68ca4
Link:
https://www.unpac.me/results/7a6b062b-691d-4fcc-acc7-9580daf46267/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/998e3d65c6f21e625c375c23b2b11bcf3daed893f71141791e58587ed3500e23

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Dotfuscator
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Dotfuscator
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments