MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ccfe968b46b9c43056d5cfe626824f586f11791e22161262647fd67f5f05cf1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CredentialFlusher


Vendor detections: 18



SHA256 hash: 9ccfe968b46b9c43056d5cfe626824f586f11791e22161262647fd67f5f05cf1
SHA3-384 hash: c0de37d3b891926ec560c65fe08c0bce073a806e2076f5eacd422f69a84ec891208263458b360df7e6a37604401f4b72
SHA1 hash: 30b4a3ab13486ef8edac22680ef477b2950ff3d2
MD5 hash: 56a242f08ca73b24442570a698152551
humanhash: spring-bakerloo-lake-georgia
File name: random.exe
Signature: CredentialFlusher
File size: 4'656'640 bytes
First seen: 2025-05-09 19:52:07 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep: 98304:h5ag4KBkd/xd1ACrapOyftC6oYKCiqsDKQHvFTyHw2fg0:h5vk/hBaYyvPKC8KGNuP
Threatray: 1'899 similar samples on MalwareBazaar
TLSH: T10D2633A7BA982C32D6A413755DF902E70D71BE00F4688267D3786D0914B33B52DB63BB
TrID: 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      12.7% (.EXE) Win64 Executable (generic) (10522/11/4)
      7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika: pebin
dhash icon: f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter: aachum
Tags: 8d33eb Amadey exe


iamaachum
185.156.72.121/download.php

Amadey Botnet: 8d33eb
Amadey C2: http://185.156.72.96/te4h2nus/index.php

Intelligence


File Origin
# of uploads: 1
# of downloads: 448
Origin country: ES
Vendor Threat Intelligence
Malware family:
ID: 1
File name: random.exe
Verdict: Malicious activity
Analysis date: 2025-05-10 06:19:32 UTC
Tags: amadey botnet stealer lumma loader telegram putty rmm-tool arch-exec gcleaner auto-sch evasion rdp miner auto generic credentialflusher

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 97.4%
Tags: autorun emotet

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating synchronization primitives
Creating a file
Creating a window
Searching for synchronization primitives
Running batch commands
Searching for analyzing tools
Launching a process
DNS request
Connection attempt
Sending a custom TCP request
Launching a service
Using the Windows Management Instrumentation requests
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: adaptive-context amadey amadey anti-vm CAB explorer fingerprint fingerprint installer lolbin microsoft_visual_cc netsh packed packed packer_detected redcap rundll32 runonce sfx stealer wmic
Result
Threat name: Amadey, LummaC Stealer
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Behaviour
Behavior Graph: n/a
Threat name: Win32.Trojan.Egairtigado
Status: Malicious
First seen: 2025-05-09 19:53:10 UTC
File Type: PE (Exe)
Extracted files: 181
AV detection: 27 of 37 (72.97%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:amadey family:lumma botnet:8d33eb defense_evasion discovery execution exploit persistence stealer trojan
Behaviour
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry key
Runs net.exe
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
System Time Discovery
Drops file in Windows directory
Launches sc.exe
AutoIT Executable
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Adds Run key to start application
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Looks up external IP address via web service
Power Settings
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Downloads MZ/PE file
Event Triggered Execution: Image File Execution Options Injection
Looks for VMWare Tools registry key
Possible privilege escalation attempt
Stops running service(s)
Looks for VirtualBox Guest Additions in registry
Amadey
Amadey family
Disables service(s)
Lumma Stealer, LummaC
Lumma family
Modifies WinLogon for persistence
Malware Config
C2 Extraction:
http://185.156.72.96
https://searchilyo.run/gsna
https://voznessxyy.life/bnaz
https://insidegrah.run/ieop
https://homewappzb.top/tqba
https://dclatteqrpq.digital/kljz
https://descenrugb.bet/woap
https://grizzlqzuk.live/qhbu
https://ninepicchf.bet/lznd
https://snakejh.top/adsk
https://meteorplyp.live/lekp
https://zmedtipp.live/mnvzx
https://interpwthc.digital/juab
https://clatteqrpq.digital/kljz
https://overcovtcg.top/juhd
https://blackswmxc.top/bgry
https://8ninepicchf.bet/lznd
https://cblackljjwc.run/banj
Verdict: Malicious
Tags: stealer redline Win.Downloader.Amadey-9986882-0 external_ip_lookup
YARA: win_redline_wextract_hunting_oct_2023
Unpacked files

SHA256 hash: 9ccfe968b46b9c43056d5cfe626824f586f11791e22161262647fd67f5f05cf1
MD5 hash: 56a242f08ca73b24442570a698152551
SHA1 hash: 30b4a3ab13486ef8edac22680ef477b2950ff3d2

SHA256 hash: 0ed4abc903f5c11606b27166556f4a2ecfd9dea0b5f43162593d775fd5fac279
MD5 hash: 2a5c7e619d947523d80c2ebbcc323d61
SHA1 hash: 38438178ceac364e1fec3ad768614bfb63382194

SHA256 hash: a966a60870d64912a68200485bca325dc4054a13fe2cdb7447052924e7125771
MD5 hash: 3d5647f9b9d441b39a0a0b7a8c31dfb1
SHA1 hash: 874d27267eb23ff8c1004c1b3698a67472cab4fb
Detections: Amadey

SHA256 hash: bb15eaee551d0bf201b42a00476319350b5c625bd44695557060fa76ce57f333
MD5 hash: 30a218f0529482bd64d7ab911f9a4eaf
SHA1 hash: 195c608bf9ba98037b8dd6b81f5c839893ddf135

SHA256 hash: f3b6dff711282defe959d5b140cd437b1a89592e2dda03dbabeaa43b025035a6
MD5 hash: 9b4fb0523dd94af801f27dfdeb8c1a49
SHA1 hash: 44c7ca9abf32b3eeb8f436717437da61c74e12a2

SHA256 hash: cf878bfbd9ed93dc551ac038aff8a8bba4c935ddf8d48e62122bddfdb3e08567
MD5 hash: 426ccb645e50a3143811cfa0e42e2ba6
SHA1 hash: 3c17e212a5fdf25847bc895460f55819bf48b11d

SHA256 hash: 5153b60b002a0b82848661b6dc00df9e184ef2a3f800aac3e90f2f868b403c46
MD5 hash: f99323ccbdf71989e975c21ef85ebe10
SHA1 hash: bd71d9c530579b5944bfdd1a6a3b1b4f52f4eab3
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: detect_Redline_Stealer
Author: Varp0s

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: win_redline_wextract_hunting_oct_2023
Author: Matthew @ Embee_Research
Description: Detects wextract archives related to redline/amadey

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  CredentialFlusher
    Executable exe 9ccfe968b46b9c43056d5cfe626824f586f11791e22161262647fd67f5f05cf1 (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                        | Title                                                  | Severity
CHECK_AUTHENTICODE        | Missing Authenticode                                   | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high

Reviews

ID                | Capabilities                    | Evidence
AUTH_API          | Manipulates User Authorization  | ADVAPI32.dll::AllocateAndInitializeSid
                  |                                 | ADVAPI32.dll::EqualSid
                  |                                 | ADVAPI32.dll::FreeSid
SECURITY_BASE_API | Uses Security Base API          | ADVAPI32.dll::AdjustTokenPrivileges
                  |                                 | ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_API | Can Create Process and Threads  | KERNEL32.dll::CreateProcessA
                  |                                 | ADVAPI32.dll::OpenProcessToken
                  |                                 | KERNEL32.dll::CloseHandle
                  |                                 | KERNEL32.dll::CreateThread
WIN_BASE_API      | Uses Win Base API               | KERNEL32.dll::TerminateProcess
                  |                                 | KERNEL32.dll::LoadLibraryA
                  |                                 | KERNEL32.dll::LoadLibraryExA
                  |                                 | KERNEL32.dll::GetDriveTypeA
                  |                                 | KERNEL32.dll::GetVolumeInformationA
                  |                                 | KERNEL32.dll::GetSystemInfo
WIN_BASE_IO_API   | Can Create Files                | KERNEL32.dll::CreateDirectoryA
                  |                                 | KERNEL32.dll::CreateFileA
                  |                                 | KERNEL32.dll::DeleteFileA
                  |                                 | KERNEL32.dll::GetWindowsDirectoryA
                  |                                 | KERNEL32.dll::GetSystemDirectoryA
                  |                                 | KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_API | Retrieves Account Information   | ADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_API       | Can Manipulate Windows Registry | ADVAPI32.dll::RegCreateKeyExA
                  |                                 | ADVAPI32.dll::RegOpenKeyExA
                  |                                 | ADVAPI32.dll::RegQueryInfoKeyA
                  |                                 | ADVAPI32.dll::RegQueryValueExA
                  |                                 | ADVAPI32.dll::RegSetValueExA
WIN_USER_API      | Performs GUI Actions            | USER32.dll::PeekMessageA

Comments