MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aad0a60cb86e3a56bcd356c6559b92c4dc4a1a960f409fb499cf76c9b5409fdb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 13

Intelligence 13 IOCs YARA 15 File information Comments

SHA256 hash:	aad0a60cb86e3a56bcd356c6559b92c4dc4a1a960f409fb499cf76c9b5409fdb
SHA3-384 hash:	5a6c57d4312fcb6ac7122c27f42afa00787d13d2613077359f0b58fba24648e12fad9ea6f151a6e990021ec6dcec1750
SHA1 hash:	281a9997ac902cecf6748496d8b5e687e6ebfe70
MD5 hash:	32dda9f2e60718811e8e8308a620ea85
humanhash:	jig-island-low-hamper
File name:	file
Download:	download sample
Signature	Amadey Create hunting rule
File size:	202'240 bytes
First seen:	2025-12-03 21:13:16 UTC
Last seen:	2025-12-03 22:28:56 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	9d20241135260a6283527b95f11fc551 (2 x Amadey, 1 x SVCStealer)
ssdeep	3072:CLkiHgZn7CNFBneOI7Aeq63oNZErKypSiDX9I24+lgNd+s0PWMelS:CLkiHC7JOI7+5ZErWk9IHDd+sUK
Threatray	150 similar samples on MalwareBazaar
TLSH	T114148C243680C072E4B7027145FC9B32597DBE620BB15ADBB3E80F9D8AB45D26B31767
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	Bitsight
Tags:	a3dacb Amadey dropped-by-amadey exe

Bitsight

url: http://62.60.226.159/xx.exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

amadey

ID:

File name:

_aad0a60cb86e3a56bcd356c6559b92c4dc4a1a960f409fb499cf76c9b5409fdb.exe

Verdict:

Malicious activity

Analysis date:

2025-12-03 21:14:29 UTC

Tags:

auto-reg loader clipper diamotrix crypto-regex stealc stealer auto svc auto-sch amadey botnet rdp upx

Link:

https://app.any.run/tasks/59798af7-fce8-47d0-8153-1256c0c4ba17

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/42375/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6930a826264b106bd646b593

Tags:

ransomware autorun trojan sage

Result

Verdict:

Malware

Maliciousness:

Behaviour

Enabling the 'hidden' option for files in the %temp% directory

Searching for the window

Using the Windows Management Instrumentation requests

Running batch commands

Creating a file

Enabling the 'hidden' option for recently created files

Creating a file in the %temp% directory

Searching for synchronization primitives

Creating a process from a recently created file

Creating a process with a hidden window

Сreating synchronization primitives

Creating a file in the %AppData% directory

Launching a process

Creating a window

Moving a recently created file

Creating a file in the mass storage device

Enabling autorun with the shell\open\command registry branches

Connection attempt to an infection source

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Sending a TCP request to an infection source

Enabling threat expansion on mass storage devices

Sending an HTTP GET request to an infection source

Unauthorized injection to a system process

Sending an HTTP POST request to an infection source

Enabling autorun by creating a file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug fingerprint lolbin microsoft_visual_cc update

Link:

https://www.filescan.io/uploads/6930a7efff25e40750d28006/reports/eda5ac5d-5070-4fd9-9a50-00f211796699/overview

Verdict:

Malicious

Labled as:

Worm/SillyShareCopy

Link:

https://www.hybrid-analysis.com/sample/aad0a60cb86e3a56bcd356c6559b92c4dc4a1a960f409fb499cf76c9b5409fdb

Result

Gathering data

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-12-03T18:17:00Z UTC

Last seen:

2025-12-03T18:18:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/aad0a60cb86e3a56bcd356c6559b92c4dc4a1a960f409fb499cf76c9b5409fdb/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/51f812c5-7a7a-438c-b4f0-9307ce888af1

Score:

97%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/aad0a60cb86e3a56bcd356c6559b92c4dc4a1a960f409fb499cf76c9b5409fdb

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/32dda9f2e60718811e8e8308a620ea85

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/aad0a60cb86e3a56bcd356c6559b92c4dc4a1a960f409fb499cf76c9b5409fdb/

Verdict:

Malicious

Threat:

Family.STEALC

Link:

https://tip.neiki.dev/file/aad0a60cb86e3a56bcd356c6559b92c4dc4a1a960f409fb499cf76c9b5409fdb

Gathering data

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vlikmdfyny5fnpgtk3dflg4sytoeuguwb5aj7nezz53mtnkat7nq._file

Verdict:

malicious

Label(s):

unc_loader_073

stealc

Amadey

79b120acdb37fd5b5fa927a6ffb370d5a7cbc8039f2e9b31831029d0f16bc38b

Amadey

9b7ebcd4b27ace0f237f2ccab58503340be62a43112f9c537d16f42d40abb715

Amadey

a86ad433a7096cbe7da8e310e35184f50d9f11f0db53a6295ffc008319575e23

Amadey

error

Amadey

+ 140 additional samples on MalwareBazaar

Result

Malware family:

svcstealer

Score:

10/10

Tags:

family:amadey family:stealc family:svcstealer botnet:vvc discovery downloader execution installer persistence pyinstaller spyware stealer trojan upx

Link:

https://tria.ge/reports/251203-z3zhbagn3w/

Behaviour

Checks SCSI registry key(s)

Checks processor information in registry

Modifies registry class

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Inno Setup is an open-source installation builder for Windows applications.

Detects Pyinstaller

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Windows directory

Drops autorun.inf file

Drops file in System32 directory

UPX packed file

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Enumerates connected drives

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Amadey

Amadey family

Stealc

Stealc family

SvcStealer, Diamotrix

Svcstealer family

Malware Config

C2 Extraction:

http://62.60.226.159/zbuyowgn/data.php
http://158.94.208.102/diamo/data.php
http://196.251.107.23/diamo/data.php
http://178.16.53.7/diamo/data.php
http://196.251.107.61/diamo/data.php
http://196.251.107.23

Unpacked files

SH256 hash:

aad0a60cb86e3a56bcd356c6559b92c4dc4a1a960f409fb499cf76c9b5409fdb

MD5 hash:

32dda9f2e60718811e8e8308a620ea85

SHA1 hash:

281a9997ac902cecf6748496d8b5e687e6ebfe70

Link:

https://www.unpac.me/results/242cfa3d-eb5f-4340-9171-237dfea6f511/

SH256 hash:

d763cd1997ae0474453f3059c0a817dc5fcf182759398a6c36cac9c8360ef56e

MD5 hash:

5e46a657320c2c4e2fd2249e3ab67cca

SHA1 hash:

57209d40948eef2375c6532f80de854555e69f18

Link:

https://www.unpac.me/results/242cfa3d-eb5f-4340-9171-237dfea6f511/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	bumblebee_win_generic Create hunting rule
Author:	_kphi

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	ProgramLanguage_Rust Create hunting rule
Author:	albertzsigovits
Description:	Application written in Rust programming language

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	upx_largefile Create hunting rule
Author:	k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

exe aad0a60cb86e3a56bcd356c6559b92c4dc4a1a960f409fb499cf76c9b5409fdb

(this sample)

Dropped by

Amadey

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3724484/

Cape

https://www.capesandbox.com/analysis/42375/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample