MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a441e76246ce6a7f26b8fef2f6a759672928d09cdfce7ba503701915fd69fb88. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Amadey


Vendor detections: 18



SHA256 hash: a441e76246ce6a7f26b8fef2f6a759672928d09cdfce7ba503701915fd69fb88
SHA3-384 hash: 8d4f0e16a0516ee5ce4e52a089ebec716b0a601b5492a5d0e21d1f1c8dc2edf6d04c78ec40e0d7985c75cba31d4e1d94
SHA1 hash: 17083e26d36e22be188afaeb9e5636244674e789
MD5 hash: 05757e342b4578e37bcadb4a478d1ba2
humanhash: yellow-yellow-mango-neptune
File name: 05757e342b4578e37bcadb4a478d1ba2.exe
Signature: Amadey
File size: 4'678'656 bytes
First seen: 2025-10-02 08:35:13 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep: 98304:XvsVAbJlPTF63WWftGhwtb1tA2h5NoaVsDz4409YifxGiZD:kVAbJlPp6GWF2wtbw2h5NomI44MzZ
TLSH: T1A3263339EEA29B51C842FB702D7E11F52392624A5B142D0F3CAB62E79171CBEF10D4B5
TrID: 52.9% (.EXE) Win32 Executable (generic) (4504/4/1)
      23.5% (.EXE) Generic Win/DOS Executable (2002/3)
      23.5% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: abuse_ch
Tags: Amadey exe


abuse_ch
Amadey C2:
http://91.92.242.27/kaWt2QXfpPueNM/index.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://91.92.242.27/kaWt2QXfpPueNM/index.php
ThreatFox reference: https://threatfox.abuse.ch/ioc/1605342/

Intelligence


File Origin
# of uploads: 1
# of downloads: 136
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID: 1
File name: 05757e342b4578e37bcadb4a478d1ba2.exe
Verdict: Malicious activity
Analysis date: 2025-10-02 08:38:11 UTC
Tags: amadey botnet stealer auto redline unlocker-eject tool rdp arch-exec themida loader auto-startup auto-reg evasion banker grandoreiro autoit remote xworm generic ms-smartcard purecrypter darkvision anti-evasion

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Searching for analyzing tools
Creating a file in the %temp% directory
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
Creating a file in the Windows directory
Enabling the 'hidden' option for recently created files
Launching a process
Creating a process with a hidden window
Creating a service
Launching a service
Restart of the analyzed sample
Creating a file in the Windows subdirectories
Searching for synchronization primitives
Running batch commands
Launching the default Windows debugger (dwwin.exe)
Creating a window
Searching for the window
Creating a file
Connection attempt to an infection source
Enabling autorun for a service
Sending an HTTP POST request to an infection source
Enabling autorun by creating a file
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: crypt obfuscated packed packed themidawinlicense xpack zusy
Verdict: Malicious
File Type: exe x32
First seen: 2025-09-28T23:15:00Z UTC
Last seen: 2025-10-02T08:13:00Z UTC
Hits: ~10
Result
Threat name: Amadey, Stealc v2, Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the document folder of the user
Early bird code injection technique detected
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queues an APC in another process (thread injection)
Sample uses string decryption to hide its real strings
Sigma detected: PUA - NSudo Execution
Sigma detected: Suspicious New Service Creation
Sigma detected: Suspicious Service Path Modification
Suricata IDS alerts for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the nircmd tool (NirSoft)
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected Powershell download and execute
Yara detected Stealc v2
Yara detected Vidar stealer
Behaviour
Behavior Graph (ID: 1787960; sample: HiYgoaE7fC.exe; start date: 02/10/2025; architecture: WINDOWS; score: 100)
Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for URL or domain; 17 other signatures
Process tree, dropped files and network contacts recovered from the graph:
- HiYgoaE7fC.exe (first instance)
  Dropped: C:\Windows\systemhelper.exe (PE32); C:\Windows\svchosthelper.exe (PE32); C:\Users\user\AppData\Local\...\svchostam.exe (PE32); 2 other malicious files
  Signatures: Detected unpacking (changes PE section rights); Contains functionality to start a terminal service; Tries to detect sandboxes and other dynamic analysis tools (window names); 2 other signatures
  Started: svchostam.exe; systemhelper.exe; cmd.exe; 3 other processes (which in turn started two conhost.exe instances)
- HiYgoaE7fC.exe (second instance)
  Dropped: C:\Windows\Temp\svchostam.exe (PE32)
  Signatures: Drops executables to the windows directory (C:\Windows) and starts them; Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check)
  Started: svchostam.exe; svchosthelper.exe (two instances)
- svchost.exe
  Signatures: Changes security center settings (notifications, updates, antivirus, firewall)
- 7 other processes, one of which started WerFault.exe
- svchostam.exe (started by the first HiYgoaE7fC.exe instance)
  Network: 94.154.35.25 (ports 49715, 49716, 49729; SELECTELRU, Ukraine); 178.16.55.189 (ports 49717, 49733, 49740; DUSNET-ASDE, Germany)
  Dropped: C:\Users\user\AppData\Local\...\FKr5f0o.exe (PE32+); C:\Users\user\AppData\Local\...\rWvXzEJ.exe (PE32+); C:\Users\user\AppData\Local\...\KDLebyo.exe (PE32); 23 other malicious files
  Signatures: Multi AV Scanner detection for dropped file; Contains functionality to start a terminal service; Contains functionality to inject code into remote processes
  Started: 2f34b5X.exe
- systemhelper.exe
  Dropped: C:\Users\user\AppData\Local\...\nircmd.exe (PE32+); C:\Users\user\AppData\Local\Temp\...\game.exe (PE32); C:\Users\user\AppData\Local\...\cecho.exe (PE32); 3 other malicious files
  Started: cmd.exe
- cmd.exe (started by the first HiYgoaE7fC.exe instance)
  Signatures: Uses cmd line tools excessively to alter registry or file data; Uses schtasks.exe or at.exe to add and modify task schedules; Uses the nircmd tool (NirSoft)
  Started: conhost.exe; schtasks.exe
- svchostam.exe (started by the second HiYgoaE7fC.exe instance)
  Started: WerFault.exe
- 2f34b5X.exe
  Network: 178.16.54.175 (ports 49726, 80; DUSNET-ASDE, Germany); 178.16.53.193 (DUSNET-ASDE, Germany)
  Dropped: C:\Users\user\Documents\zFizcythzkZ8.exe (PE32+); C:\Users\user\Documents\qhqtZpFihmsa.exe (PE32+); mr5jFfcvZvZar7iVto...38Ox6k48cqPT[1].exe (PE32+); YEr2KP0jEBhSDdVcS9...AdHgmKyw7FZq[1].exe (PE32+)
  Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Early bird code injection technique detected; 10 other signatures
  Started: chrome.exe
- cmd.exe (started by systemhelper.exe)
  Signatures: Uses cmd line tools excessively to alter registry or file data
  Started: cmd.exe; conhost.exe; nircmd.exe; 16 other processes
- WerFault.exe (started by the second svchostam.exe instance)
  Dropped: C:\ProgramData\Microsoft\...\Report.wer (Unicode)
- cmd.exe (nested, started by the cmd.exe above)
  Started: tasklist.exe
Threat name: Win32.Trojan.Amadey
Status: Malicious
First seen: 2025-09-29 04:57:27 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 29 of 38 (76.32%)
Threat level: 5/5
Verdict: malicious
Label(s): admintool_nsudo unc_loader_051 admintool_nircmd amadey
Similar samples:
Result
Malware family:
Score: 10/10
Tags: family:amadey family:darkvision family:deerstealer family:milleniumrat family:njrat family:rhadamanthys family:salatstealer family:stealc family:vidar botnet:avatar botnet:build botnet:c6402af46b8d0b3aebe5991fe2c15dffn botnet:d2a4dc12cb1425d65cfa05953f0c9009n botnet:fbf543 botnet:tr1pernn collection credential_access defense_evasion discovery execution persistence rat spyware stealer trojan upx
Behaviour
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies registry key
Runs net.exe
Scheduled Task/Job: Scheduled Task
Script User-Agent
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
AutoIT Executable
Drops file in System32 directory
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
UPX packed file
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Power Settings
Checks BIOS information in registry
Checks computer location settings
Creates new service(s)
Disables service(s)
Drops startup file
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Stops running service(s)
Unsecured Credentials: Credentials In Files
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Sets service image path in registry
Uses browser remote debugging
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
DarkVision Rat
Darkvision family
DeerStealer
Deerstealer family
Detect SalatStealer payload
Detects Amadey x86-bit Payload
Detects DeerStealer
Detects MilleniumRAT stealer
Detects Rhadamanthys Payload
MilleniumRat
Milleniumrat family
Njrat family
Rhadamanthys
Rhadamanthys family
Salatstealer family
Stealc
Stealc family
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Vidar family
njRAT/Bladabindi
salatstealer
Malware Config
C2 Extraction:
http://94.154.35.25
https://steamcommunity.com/profiles/76561198783900411
https://telegram.me/rif0lm
http://162.252.198.81
conference-plate.gl.at.ply.gg:23974
31.57.38.89
http://178.16.54.175
Dropper Extraction:
https://api.chimera-hosting.zip/87rh1c6/hhMcKYKgMFjLeS/VioletClient.exe
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: a441e76246ce6a7f26b8fef2f6a759672928d09cdfce7ba503701915fd69fb88
MD5 hash: 05757e342b4578e37bcadb4a478d1ba2
SHA1 hash: 17083e26d36e22be188afaeb9e5636244674e789

SHA256 hash: 74c944670f6a57ec91da86ec4456238aa73a7dbd6397fc22fc359f64b4723570
MD5 hash: cb5f8ffd99bacf26ad38a781b2c00da6
SHA1 hash: 207a61759eef61b337dac64ebdcdf26135b6a9c4

SHA256 hash: 8686f6c57c4a9a9d9734b8e0ad0fc6bc9fe7e26929e3527b4f8887616f2d90b9
MD5 hash: 659787d5d062298ead7398c75e0a8eaa
SHA1 hash: fa3276fb77d5cb72134feb0c01385b89fb5a022e

SHA256 hash: d59a9dab5f753da3afa2efcc619bf4f35923818ae7b2dbf485a53fdc3f020536
MD5 hash: 32f051d3ef57ca025f49a66520a98eb9
SHA1 hash: 2ba873e8807b41ce28f3f225acfdb262f6492b99
Detections: Amadey

SHA256 hash: c39c4466f622b7320076076ea3eb13fa0f784b9b097dff46d802f905fc39d851
MD5 hash: a7993e5a520b17fec65435fb4838a08f
SHA1 hash: 18fe6286473a03735e7b701d4bfaf61ad35da7ad
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments