MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9e0929e5127be44a70551d8f40bded4bdbae4ae2557e82514c1ea1fc7732e428. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Amadey


Vendor detections: 16



SHA256 hash: 9e0929e5127be44a70551d8f40bded4bdbae4ae2557e82514c1ea1fc7732e428
SHA3-384 hash: 946abd0a201e0c9a2a2e056735068dbee1ca2f525366fff71ec47cacd543ae970869df221d5d37e0e098cd8d981696de
SHA1 hash: cf1e82f37bfdc31aa6f239d3dc62832469f2e0a8
MD5 hash: 5c8a6ffc8c188f20af19e3cc69ae4a81
humanhash: nineteen-vermont-charlie-massachusetts
File name: 5c8a6ffc8c188f20af19e3cc69ae4a81.exe
Signature: Amadey
File size: 1'879'552 bytes
First seen: 2025-03-30 11:41:06 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 24576:j2e8l0+ZsXG6nx/DitKoR1Wzv8UZbsRuSC37Oz60Pltv/L7GiOFHe8sShhK4fsWx:juYbSKoPWwzR07OzPn3Lml7LfN6
TLSH T182953370FE13B396C32F63BDD8A10A3729BDA5210ADFB1303B7A05711EA6DD67582541
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags: Amadey exe

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 622
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID: 1
File name: 5c8a6ffc8c188f20af19e3cc69ae4a81.exe
Verdict: Malicious activity
Analysis date: 2025-03-30 11:45:40 UTC
Tags: amadey botnet stealer loader rdp themida auto generic connectwise rmm-tool stegocampaign evasion remote xworm screenconnect lumma telegram rhadamanthys arch-exec autoit gcleaner payload reverseloader tofsee

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: vmdetect autorun autoit emotet
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-vm crypt microsoft_visual_cc packed packed packer_detected
Result
Threat name: Amadey, Babadeda, Batch Injector
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to start a terminal service
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Powershell download and load assembly
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious New Service Creation
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Uses cmd line tools excessively to alter registry or file data
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected Babadeda
Yara detected Batch Injector
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Behaviour
Behavior Graph: ID 1652155, Sample: AVCXw0587P.exe, Startdate: 30/03/2025, Architecture: WINDOWS, Score: 100 (graph rendering not reproduced here)
Threat name: Win32.Malware.Heuristic
Status: Malicious
First seen: 2025-03-27 11:26:35 UTC
File Type: PE (Exe)
Extracted files: 2
AV detection: 25 of 36 (69.44%)
Threat level: 2/5
Verdict: malicious
Label(s):
Similar samples:
Result
Malware family:
Score: 10/10
Tags: family:amadey family:lumma family:quasar botnet:092155 botnet:office04 bootkit defense_evasion discovery execution exploit persistence privilege_escalation spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
GoLang User-Agent
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Boot or Logon Autostart Execution: Authentication Package
Drops file in System32 directory
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Writes to the Master Boot Record (MBR)
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Modifies file permissions
Reads user/profile data of local email clients
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Downloads MZ/PE file
Possible privilege escalation attempt
Sets service image path in registry
Stops running service(s)
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
Lumma Stealer, LummaC
Lumma family
Modifies security service
Quasar RAT
Quasar family
Quasar payload
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash: 9e0929e5127be44a70551d8f40bded4bdbae4ae2557e82514c1ea1fc7732e428
MD5 hash: 5c8a6ffc8c188f20af19e3cc69ae4a81
SHA1 hash: cf1e82f37bfdc31aa6f239d3dc62832469f2e0a8
SHA256 hash: c7e604f1241dffcb5baa055d2c1a2928a762d367275a1677156fe4f5bded1899
MD5 hash: 5fcdba93dd522652d15ed0a7af7e7ab4
SHA1 hash: a51fa4191d44b35669b8faaa2c62a88b989c361b
Detections: Amadey
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: pe_detect_tls_callbacks
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Amadey
File: Executable exe 9e0929e5127be44a70551d8f40bded4bdbae4ae2557e82514c1ea1fc7732e428 (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                         Title                                                      Severity
CHECK_AUTHENTICODE         Missing Authenticode                                       high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (HIGH_ENTROPY_VA)     high
CHECK_NX                   Missing Non-Executable Memory Protection                   critical

Comments