MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b27277854d19bd2015d5af143ff17e1466bef512cdc3c29a9eb262ecbabc0bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9b27277854d19bd2015d5af143ff17e1466bef512cdc3c29a9eb262ecbabc0bd
SHA3-384 hash: 1f875b552d98f53582e397a157bfbeb34c4f2cd92cc968621bcd5d179bec17e0016d1c92919bcb593ab6f6661b73c5b2
SHA1 hash: 0adcdfcbd05ead568691347de088773e0c20f612
MD5 hash: 7b90bc045ca05781d505a13a7e29c6ba
humanhash: dakota-rugby-lamp-grey
File name:v999f8.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:950'272 bytes
First seen:2025-06-22 08:34:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3132b97acae9eb7f3053e4d14c497a51 (12 x LummaStealer, 3 x Stealc, 1 x StormKitty)
ssdeep 24576:GnvTjgMTmGC3HCjFsatx448Icsatx448I:KHqCjFsatx44Vcsatx44V
TLSH T17915DF29A2A163E9FD2740B945525281B576B93283386FEF43E4E3335F177C01E2E729
TrID 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:Amadey exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
459
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
988c326320529b1a5079a10fad9d3f6f1a091df8206d5171b099197dc1ae0fcf.bin
Verdict:
Malicious activity
Analysis date:
2025-06-22 02:07:41 UTC
Tags:
loader amadey botnet stealer lumma rdp auto stealc python evasion quasar rat auto-reg autoit lclipper clipper telegram smokeloader smoke netreactor vidar screenconnect rmm-tool
Link:
https://app.any.run/tasks/1d17577c-8695-4b33-b14e-a1e1b2d07edf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/10488/
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.7419.10474.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6857c1aeb06783b9ebd695c6
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a window
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Unauthorized injection to a system process
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/9b27277854d19bd2015d5af143ff17e1466bef512cdc3c29a9eb262ecbabc0bd
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/6949b6fa-6fe2-416b-9689-91b50af4c204
Result
Threat name:
AsyncRAT, LummaC Stealer, Njrat, Quasar,
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1720197
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Check if machine is in data center or colocation facility
Compiles code for process injection (via .Net compiler)
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Silenttrinity Stager Msbuild Activity
Suricata IDS alerts for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected LummaC Stealer
Yara detected Njrat
Yara detected Quasar RAT
Yara detected Vidar stealer
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1720197 Sample: v999f8.exe Startdate: 22/06/2025 Architecture: WINDOWS Score: 100 101 baviip.xyz 2->101 103 t.me 2->103 105 39 other IPs or domains 2->105 121 Suricata IDS alerts for network traffic 2->121 123 Malicious sample detected (through community Yara rule) 2->123 125 Antivirus detection for dropped file 2->125 129 18 other signatures 2->129 10 v999f8.exe 1 2->10         started        signatures3 127 Performs DNS queries to domains with low reputation 101->127 process4 signatures5 137 Writes to foreign memory regions 10->137 139 Allocates memory in foreign processes 10->139 141 Injects a PE file into a foreign processes 10->141 13 MSBuild.exe 55 10->13         started        18 MSBuild.exe 10->18         started        20 conhost.exe 10->20         started        process6 dnsIp7 115 t.me 149.154.167.99, 443, 49681 TELEGRAMRU United Kingdom 13->115 117 f3.xo.mastermaths.com.sg 195.201.254.239, 443, 49682, 49683 HETZNER-ASDE Germany 13->117 119 2 other IPs or domains 13->119 93 C:\Users\user\AppData\Local\...\ss542[1].exe, PE32 13->93 dropped 95 C:\Users\user\AppData\Local\...\n84991[1].exe, PE32 13->95 dropped 97 C:\Users\user\AppData\Local\...\l8890f[1].exe, PE32+ 13->97 dropped 99 7 other malicious files 13->99 dropped 143 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->143 145 Encrypted powershell cmdline option found 13->145 147 Tries to harvest and steal ftp login credentials 13->147 149 3 other signatures 13->149 22 powershell.exe 22 13->22         started        26 chrome.exe 13->26         started        29 powershell.exe 22 13->29         started        31 27 other processes 13->31 file8 signatures9 process10 dnsIp11 89 C:\Users\user\AppData\...\wlrp0sww.cmdline, Unicode 22->89 dropped 131 Writes to foreign memory regions 22->131 133 Compiles code for process injection (via .Net compiler) 22->133 135 Creates a thread in another existing process (thread injection) 22->135 33 csc.exe 3 22->33         started        36 conhost.exe 22->36         started        113 192.168.2.10, 138, 1649, 443 unknown unknown 26->113 38 chrome.exe 26->38         started        41 csc.exe 29->41         started        43 conhost.exe 29->43         started        91 C:\Users\user\AppData\Local\...\wywe5ybl.0.cs, Unicode 31->91 dropped 45 csc.exe 31->45         started        47 csc.exe 31->47         started        49 csc.exe 31->49         started        51 21 other processes 31->51 file12 signatures13 process14 dnsIp15 71 C:\Users\user\AppData\Local\...\wlrp0sww.dll, PE32 33->71 dropped 53 cvtres.exe 1 33->53         started        107 apis.google.com 38->107 109 www.google.com 142.251.40.100, 443, 49700, 49704 GOOGLEUS United States 38->109 111 3 other IPs or domains 38->111 73 C:\Users\user\AppData\Local\...\mckcmhu4.dll, PE32 41->73 dropped 55 cvtres.exe 41->55         started        75 C:\Users\user\AppData\Local\...\oo2vm2i4.dll, PE32 45->75 dropped 57 cvtres.exe 45->57         started        77 C:\Users\user\AppData\Local\...\20s14i1q.dll, PE32 47->77 dropped 59 cvtres.exe 47->59         started        79 C:\Users\user\AppData\Local\...\vhpmcvwn.dll, PE32 49->79 dropped 61 cvtres.exe 49->61         started        81 C:\Users\user\AppData\Local\...\x11po1sg.dll, PE32 51->81 dropped 83 C:\Users\user\AppData\Local\...\wrt5goza.dll, PE32 51->83 dropped 85 C:\Users\user\AppData\Local\...\tdj1ubw0.dll, PE32 51->85 dropped 87 5 other malicious files 51->87 dropped 63 cvtres.exe 51->63         started        65 cvtres.exe 51->65         started        67 cvtres.exe 51->67         started        69 5 other processes 51->69 file16 process17
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9b27277854d19bd2015d5af143ff17e1466bef512cdc3c29a9eb262ecbabc0bd
Verdict:
inconclusive
YARA:
3 match(es)
Tags:
Executable PE (Portable Executable) Win 64 Exe x64
Link:
https://app.malva.re/file/7b90bc045ca05781d505a13a7e29c6ba
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9b27277854d19bd2015d5af143ff17e1466bef512cdc3c29a9eb262ecbabc0bd/
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/9b27277854d19bd2015d5af143ff17e1466bef512cdc3c29a9eb262ecbabc0bd
Threat name:
Win64.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-06-21 22:33:49 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tmtso6cu2gn5eak5llyuh7yx4fdgx32rftodyknj5mtc5s5lyc6q._file
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:njrat family:quasar family:vidar family:xworm botnet:f75200b07dd43d1c5af8a9dbd1186356 botnet:google chrome botnet:hacked credential_access cryptone defense_evasion discovery packer persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/250622-kjwvraylw5/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Drops startup file
Executes dropped EXE
Unsecured Credentials: Credentials In Files
Downloads MZ/PE file
Uses browser remote debugging
CryptOne packer
Detect Vidar Stealer
Detect Xworm Payload
Njrat family
Quasar RAT
Quasar family
Quasar payload
Vidar
Vidar family
Xworm
Xworm family
njRAT/Bladabindi
Malware Config
C2 Extraction:
https://t.me/l07tp
https://steamcommunity.com/profiles/76561199869630181
66.63.187.164:8594
66.63.187.164:8596
66.63.187.164:8595
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/15a155d4-d27a-4e28-a62d-dacdb4545f65
Unpacked files
SH256 hash:
9b27277854d19bd2015d5af143ff17e1466bef512cdc3c29a9eb262ecbabc0bd
MD5 hash:
7b90bc045ca05781d505a13a7e29c6ba
SHA1 hash:
0adcdfcbd05ead568691347de088773e0c20f612
Link:
https://www.unpac.me/results/4fe5a965-40c6-46ef-b027-3be2eb2a1281/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9b27277854d19bd2015d5af143ff17e1466bef512cdc3c29a9eb262ecbabc0bd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 9b27277854d19bd2015d5af143ff17e1466bef512cdc3c29a9eb262ecbabc0bd

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3562395/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/10488/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::FreeConsole
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::CreateMenu
USER32.dll::CreateWindowExW

Comments