MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a7ca1f6ca408c5cbe644e3b92404e5389abdd212423b83168c9b69201075774f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Amadey


Vendor detections: 5



SHA256 hash: a7ca1f6ca408c5cbe644e3b92404e5389abdd212423b83168c9b69201075774f
SHA3-384 hash: ba62c2f0ab17cb4b50a45f03ed75140df471e2e42fa8681415f7b7a55b432202b255c54bdc55d2cebc91470496b4203a
SHA1 hash: 48545094a360b1abee09d064c5868c9056a73a25
MD5 hash: 9d5e0274ae3fce4ccf671593ed82f12e
humanhash: romeo-angel-asparagus-alaska
File name: li.zip
Signature: Amadey
File size: 18'967'048 bytes
First seen: 2026-03-01 11:59:10 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep: 393216:cuPkUaf0U0l5ovhqgoIidJwAwNFz7IP3XUyYjdh/r7bs1dQnSOfMqMbEaltGWIr:evml5oJxL2/wDm3XBo/r0DQSOUplqWIr
TLSH: T178173320AB6915E7E3F6703A75319107A450B2F8DE23FF8E768CD1FA46D37D29262901
TrID: 66.6% (.XPI) Mozilla Firefox browser extension (8000/1/1)
33.3% (.ZIP) ZIP compressed archive (4000/1)
Magika: zip
Reporter: aachum
Tags: 77-238-228-60 ACRStealer ClickFix FakeCaptcha zip


iamaachum
https://flowerz.my/li.zip

ACRStealer C2: 77.238.228.60

Intelligence


File Origin
# of uploads: 1
# of downloads: 129
Origin country: ES

Vendor Threat Intelligence
Verdict: Malicious
Score: 70%
Tags: malware

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Malware family: n/a
Score: 5/10
Tags: discovery
Behaviour:
Suspicious behavior: EnumeratesProcesses
Program crash
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger

Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method: Distributed via web download

Comments