MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa38c813aafc36532f6d8e826f2f7665b26c2c0ef2ff7395c21230f2640cb966. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 15


SHA256 hash: aa38c813aafc36532f6d8e826f2f7665b26c2c0ef2ff7395c21230f2640cb966
SHA3-384 hash: e0983738b3bd9ea579ea6f0d630cc5d17b7826cad30f2e36fc0ea7d9c776708083d1a82ad0e9c7bb09f6ec6a65f220fc
SHA1 hash: 2cc617e5bd4cf348b8a1fccf2716686cf2c63fe6
MD5 hash: 5e79df97975b488e901487db545d5de8
humanhash: lion-butter-blossom-orange
File name: random.exe
Signature: Amadey
File size: 3'109'376 bytes
First seen: 2025-02-24 17:44:19 UTC
Last seen: 2025-02-26 20:22:36 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep: 49152:i+WjSbUYDSYaGUOn1dX1ofNEeCls3Gyjbqd0A1BgKne:iBjSbX2YaGU6dX1ofNEeClXIud0A1OK
TLSH: T17DE53A51A44C63DFDA8F2774CA1BCD82985D47B9371126C3A86EA4BDADE7CC013B5C28
TrID: 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
      19.2% (.EXE) OS/2 Executable (generic) (2029/13)
      19.0% (.EXE) Generic Win/DOS Executable (2002/3)
      18.9% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: skocherhan
Tags: Amadey exe


skocherhan
http://185.215.113.16/luma/random.exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 49
Origin country: GB
Vendor Threat Intelligence
Malware family:
ID: 1
File name: aa883f75bff0257a0fefd5d8d20c6297.exe
Verdict: Malicious activity
Analysis date: 2025-02-24 13:43:26 UTC
Tags: auto amadey botnet stealer loader telegram vidar evasion lumma gcleaner stealc credentialflusher themida tofsee generic rdp

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Suspicious
Score: 50%
Tags: malware
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Searching for analyzing tools
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: crypt obfuscated packed packed packer_detected
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: LummaC2 Stealer
Verdict: Malicious
Result
Threat name: Amadey, LummaC Stealer, PureLog Stealer
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Detected unpacking (changes PE section rights)
Drops PE files to the user root directory
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected LummaC Stealer
Yara detected PureLog Stealer
Yara detected Tofsee
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph: ID 1622960, Sample: random.exe, Startdate: 24/02/2025, Architecture: WINDOWS, Score: 100
Threat name: Win32.Infostealer.Tinba
Status: Malicious
First seen: 2025-02-24 17:45:16 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 18 of 38 (47.37%)
Threat level: 5/5
Result
Malware family: n/a
Score: 9/10
Tags: defense_evasion discovery spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Checks BIOS information in registry
Identifies Wine through registry keys
Reads user/profile data of local email clients
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Verdict: Malicious
Tags: stealc stealer c2 lumma lumma_stealer
YARA: n/a
Unpacked files
SHA256 hash: aa38c813aafc36532f6d8e826f2f7665b26c2c0ef2ff7395c21230f2640cb966
MD5 hash: 5e79df97975b488e901487db545d5de8
SHA1 hash: 2cc617e5bd4cf348b8a1fccf2716686cf2c63fe6
SHA256 hash: 62a44c04e4288acec2bbb2c8d962ac0a9dc941d29e608d2ddf5ff4cd968ce4b2
MD5 hash: 8c7f3510ec6b4ec971eaf042a836394a
SHA1 hash: 365cc574eb39c746c8e3202add054f2074e9469f
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Amadey
Executable exe aa38c813aafc36532f6d8e826f2f7665b26c2c0ef2ff7395c21230f2640cb966 (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                        | Title                                                  | Severity
CHECK_AUTHENTICODE        | Missing Authenticode                                   | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_NX                  | Missing Non-Executable Memory Protection               | critical

Comments