MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5e7319ad58a1ef3cf42ad9f70202e32f60a7835d425c3446db9cfcf8367e44e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 14

Intelligence 14 IOCs YARA 18 File information Comments

SHA256 hash:	a5e7319ad58a1ef3cf42ad9f70202e32f60a7835d425c3446db9cfcf8367e44e
SHA3-384 hash:	e31d520fbb19a2c0de55f3968cfbb7dc1efac6fb628ed2a59edaffe867906f94726f1b08f85427146ab340079a3fa5ea
SHA1 hash:	50bbcd0c8dd4f40ac0527bab0a72c7517aa00e3a
MD5 hash:	dd5f9bac1ec51c8b418c2053db6df47f
humanhash:	hawaii-whiskey-sink-nevada
File name:	Set-Up.exe
Download:	download sample
Signature	Amadey Create hunting rule
File size:	9'195'616 bytes
First seen:	2025-09-23 18:28:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c534b02e08f3fa891c9f65a4018cfdd2 (1 x Amadey)
ssdeep	98304:OjolLFpAZ21GPmXTgeAkPwpeCNQVS1r0llHTb7j2A+65PDZJ28mbmm9:Ojk9GuXTXPwrJEP7j2A+0LZwXmm9
Threatray	25 similar samples on MalwareBazaar
TLSH	T17396BF12B205963FC027063999BBD7501A3BBF726A32894737E47A4C4F36D806D3A797
TrID	62.3% (.EXE) Inno Setup installer (107240/4/30) 24.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 6.1% (.EXE) Win64 Executable (generic) (10522/11/4) 2.6% (.EXE) Win32 Executable (generic) (4504/4/1) 1.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
Reporter	aachum
Tags:	46-62-200-245 6598d3 ACRStealer Amadey exe

iamaachum

https://cludchpfile.click/?uid=296&sid=298&lp=X2WocBGbiO => https://mega.nz/file/f8xF0ISB#lJrSDaOS-I3fEh1wwh63LF1-o89FUlx1Rainmwj66wo

ACRStealer C2: 46.62.200.245
Amadey Botnet: 6598d3
Amadey C2: http://mi.snowfieldupriver.com/kaWt2QXfpPueNM/index.php

Intelligence

File Origin

# of uploads :

# of downloads :

186

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Set-Up.exe

Verdict:

Malicious activity

Analysis date:

2025-09-23 18:23:24 UTC

Tags:

delphi

Link:

https://app.any.run/tasks/3f2ebec4-0bc8-410d-ab51-3908327e0b16

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/28690/

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68d2e59e67bec058d2819783

Tags:

injection dropper smtp

Result

Verdict:

Malware

Maliciousness:

Behaviour

Adding an access-denied ACE

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Launching a process

Connection attempt to an infection source

Forced shutdown of a browser

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context anti-debug borland_delphi fingerprint invalid-signature keylogger overlay overlay packed signed

Link:

https://www.filescan.io/uploads/68d2e70905398d990aefbb4f/reports/33aaddf2-58a6-4328-814d-7b4fdf2acfd6/overview

Verdict:

Malicious

Labled as:

Win/grayware_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/a5e7319ad58a1ef3cf42ad9f70202e32f60a7835d425c3446db9cfcf8367e44e

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-09-23T13:47:00Z UTC

Last seen:

2025-09-23T13:47:00Z UTC

Hits:

~100

Detections:

Trojan.Win32.Agentb.tljl BSS:Trojan.Win32.Generic

Link:

https://opentip.kaspersky.com/a5e7319ad58a1ef3cf42ad9f70202e32f60a7835d425c3446db9cfcf8367e44e/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/8304efd1-46f5-4319-bd5c-b49543c5c746

Result

Threat name:

n/a

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1782821

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

Contains functionality to hide a thread from the debugger

Contains functionality to inject code into remote processes

Contains functionality to start a terminal service

Found direct / indirect Syscall (likely to bypass EDR)

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Joe Sandbox ML detected suspicious sample

Modifies the context of a thread in another process (thread injection)

Sigma detected: Rundll32 Execution Without CommandLine Parameters

Suricata IDS alerts for network traffic

Switches to a custom stack to bypass stack traces

System process connects to network (likely due to code injection or exploit)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal from password manager

Writes to foreign memory regions

Behaviour

Behavior Graph:

Download SVG

Score:

57%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/a5e7319ad58a1ef3cf42ad9f70202e32f60a7835d425c3446db9cfcf8367e44e

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a5e7319ad58a1ef3cf42ad9f70202e32f60a7835d425c3446db9cfcf8367e44e/

Verdict:

Malicious

Threat:

Trojan.Win32

Link:

https://tip.neiki.dev/file/a5e7319ad58a1ef3cf42ad9f70202e32f60a7835d425c3446db9cfcf8367e44e

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2025-09-23 18:23:26 UTC

File Type:

PE (Exe)

AV detection:

12 of 37 (32.43%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uxttdgwvrippht2cvwpxaibogl3au6bv2qs4grdnxhh47a3h4rha._file

Verdict:

malicious

Label(s):

unc_loader_053

amaterastealer

Amadey

3ca14211184fb7bd98ec259b95f389ee119d8ad59809a850f0b3770b86d806c2

Amadey

6963444573688ae892457da0d70c8708610cc72fb2629a7eec4144e7fd495914

Amadey

8d3634a77504cb0eee0f0f853bebaeb501a8147e104eb0f381a93b497272e34f

Amadey

8d4f37bead508e9d0f38c3cd9c09f4bd869e9610c8b74c40d9ed70b8f04762fb

Amadey

8e12fc5aa85d6953ee731203e945ccacc4ded6a8aa9752c7331dcc17da501eae

Amadey

a5e7319ad58a1ef3cf42ad9f70202e32f60a7835d425c3446db9cfcf8367e44e

Amadey

error

Amadey

+ 15 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/250923-w448eavtfw/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Badlisted process makes network request

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/e0619932-7dea-449a-97b9-bb3724624707

Unpacked files

SH256 hash:

a5e7319ad58a1ef3cf42ad9f70202e32f60a7835d425c3446db9cfcf8367e44e

MD5 hash:

dd5f9bac1ec51c8b418c2053db6df47f

SHA1 hash:

50bbcd0c8dd4f40ac0527bab0a72c7517aa00e3a

Link:

https://www.unpac.me/results/56d31103-661b-4953-b37a-d0aaafde968b/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	attack_India Create hunting rule

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	BLOWFISH_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for Blowfish constants

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	botnet_plaintext_c2 Create hunting rule
Author:	cip
Description:	Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	golang Create hunting rule

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	HUNTING_SUSP_TLS_SECTION Create hunting rule
Author:	chaosphere
Description:	Detect PE files with .tls section that can be used for anti-debugging
Reference:	Practical Malware Analysis - Chapter 16

Rule name:	identity_golang Create hunting rule
Author:	Eric Yocam
Description:	find Golang malware

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	WIN_WebSocket_Base64_C2_20250726 Create hunting rule
Author:	dogsafetyforeverone
Description:	Detects configuration strings used by malware to specify WebSocket command-and-control endpoints inside Base64-encoded data. It looks for prefixes such as '#ws://' or '#wss://' that were found in QuasarRAT configuration data.