MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a86ad433a7096cbe7da8e310e35184f50d9f11f0db53a6295ffc008319575e23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a86ad433a7096cbe7da8e310e35184f50d9f11f0db53a6295ffc008319575e23
SHA3-384 hash: e2e18bfdaca99752a321c74a45a48a0531eac527b9c06369e9c76b97b7c0998cc63abca1103cb44792d2322caee29163
SHA1 hash: db7ab91601819d7dc6bd3c076e85cd4c633621ca
MD5 hash: ce0bcc44ea12579d6e67eb2e35977ed0
humanhash: happy-uncle-lactose-beer
File name:file
Download: download sample
Signature Amadey
Create hunting rule
File size:209'408 bytes
First seen:2025-11-20 19:15:52 UTC
Last seen:2025-11-20 20:31:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8af2b17e2f8f1077c28e206bff6c6ae2 (1 x Amadey)
ssdeep 3072:05t4GGe5OuDUXIwWJsOcjyxabn56RBJ9F9trH+CUqPA3ci6FZitXudEYQ2YYj5PL:pLe1DOGWOcB4Btry+0czvitXudE+Rp
TLSH T17724132528CC0127C8AE80F47B5E45FD6D09742805FDE9C9039D85A3ADBBB13E6254FD
TrID 64.7% (.EXE) UPX compressed Win64 Executable (70117/5/12)
25.0% (.EXE) UPX compressed Win32 Executable (27066/9/6)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.8% (.EXE) OS/2 Executable (generic) (2029/13)
1.8% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter Bitsight
Tags:Amadey dropped-by-amadey exe fbf543 UPX


Avatar
Bitsight
url: http://178.16.55.189/files/6161197876/6vjeZ1o.exe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://91.92.243.129/0gjSy4hf3/index.php https://threatfox.abuse.ch/ioc/1647443/
File size (compressed) :209'408 bytes
File size (de-compressed) :530'432 bytes
Format:win64/pe
Unpacked file: d7a366fa4d31c901ce3bcb6760d7bb5aa7cab49bb54d8c6551b3df14c8cf64e7

Intelligence

File Origin
# of uploads :
4
# of downloads :
85
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2025-11-20 19:16:17 UTC
Tags:
amadey botnet stealer rdp upx
Link:
https://app.any.run/tasks/ebbc7239-9786-4487-9c81-f7c3f1459c13

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/38883/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=691f69038cf6736ec0afd2f7
Tags:
autorun spawn small hype
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connecting to a non-recommended domain
Connection attempt
Sending an HTTP POST request
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug fingerprint microsoft_visual_cc packed packed packed upx
Link:
https://www.filescan.io/uploads/691f69025d3feebe12d62f65/reports/b33eeef9-0361-44ef-a4a8-55264e6be69d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/a86ad433a7096cbe7da8e310e35184f50d9f11f0db53a6295ffc008319575e23
Result
Gathering data
Verdict:
Unknown
File Type:
Link:
https://opentip.kaspersky.com/a86ad433a7096cbe7da8e310e35184f50d9f11f0db53a6295ffc008319575e23/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/76461d5b-14cd-428a-b6a1-93606d5fe4d4
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a86ad433a7096cbe7da8e310e35184f50d9f11f0db53a6295ffc008319575e23
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/ce0bcc44ea12579d6e67eb2e35977ed0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a86ad433a7096cbe7da8e310e35184f50d9f11f0db53a6295ffc008319575e23/
Verdict:
Malicious
Threat:
Family.AMADEY
Link:
https://tip.neiki.dev/file/a86ad433a7096cbe7da8e310e35184f50d9f11f0db53a6295ffc008319575e23
Threat name:
Win64.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2025-11-20 19:16:20 UTC
File Type:
PE+ (Exe)
Extracted files:
3
AV detection:
14 of 36 (38.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vbvnim5hbfwl47ni4miogume6ugz6epq3nj2mkk77qaiggkxlyrq._file
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey trojan upx
Link:
https://tria.ge/reports/251120-xyx3ksf17e/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
UPX packed file
Checks computer location settings
Executes dropped EXE
Amadey
Amadey family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e85b2aca-de50-499f-9405-d9b30027f8af
Unpacked files
SH256 hash:
a86ad433a7096cbe7da8e310e35184f50d9f11f0db53a6295ffc008319575e23
MD5 hash:
ce0bcc44ea12579d6e67eb2e35977ed0
SHA1 hash:
db7ab91601819d7dc6bd3c076e85cd4c633621ca
Link:
https://www.unpac.me/results/3d0f97d8-2d1b-40cb-97a2-64a2e6c646f4/
SH256 hash:
d7a366fa4d31c901ce3bcb6760d7bb5aa7cab49bb54d8c6551b3df14c8cf64e7
MD5 hash:
29b58e4c5564acf75084b291d87a5b25
SHA1 hash:
cbdea9e92a3c6ea2ce467b7fa70d778049c23def
Link:
https://www.unpac.me/results/3d0f97d8-2d1b-40cb-97a2-64a2e6c646f4/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a86ad433a709/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a86ad433a7096cbe7da8e310e35184f50d9f11f0db53a6295ffc008319575e23

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:upx_largefile
Create hunting rule
Author:k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe a86ad433a7096cbe7da8e310e35184f50d9f11f0db53a6295ffc008319575e23

(this sample)

Amadey

Executable exe d7a366fa4d31c901ce3bcb6760d7bb5aa7cab49bb54d8c6551b3df14c8cf64e7

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3713081/
Cape
Cape
https://www.capesandbox.com/analysis/38883/
  
Dropping
SHA256 d7a366fa4d31c901ce3bcb6760d7bb5aa7cab49bb54d8c6551b3df14c8cf64e7
  
Dropping
MD5 29b58e4c5564acf75084b291d87a5b25

Comments