MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab8b903ee062c93347eb738d00d0dbf707cdbbb8d26cf4dac7691ccbf8a8aff2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 17


Intelligence 17 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ab8b903ee062c93347eb738d00d0dbf707cdbbb8d26cf4dac7691ccbf8a8aff2
SHA3-384 hash: 8da66278565ed4bb6d3e72e24ab1760c7256f927df6e2a838b86e8b643dc4b1eb62af7cc13cfc1123b20359980f91a4d
SHA1 hash: c95d4c253627be7f36630f5e933212818de19ed7
MD5 hash: 453e433ce707a2dff379af17e1a7fe44
humanhash: winner-pennsylvania-happy-lactose
File name:random.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:2'088'448 bytes
First seen:2025-03-22 12:58:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:r3NOfcJRt0nsMQ8Yry0GO0WqMQvELO6fKM3O:TNt0nsR8Ud7p1O
Threatray 5'822 similar samples on MalwareBazaar
TLSH T1B5A512A897413D61CFD5AB3DF279056F1903323E9FCD657B34362262B4B6902A7C81E2
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter aachum
Tags:092155 Amadey exe


Avatar
iamaachum
http://176.113.115.7/mine/random.exe

Amadey Botnet: 092155
Amadey C2: http://176.113.115.6/Ni9kiput/index.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
429
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
random.exe
Verdict:
Malicious activity
Analysis date:
2025-03-22 12:43:23 UTC
Tags:
amadey stealer botnet lumma darkvision remote loader opendir auto themida rdp rat
Link:
https://app.any.run/tasks/15ee5010-2bb9-42fa-a7db-8b6950fe3708

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67deb3ed518d210202e7ea9c
Tags:
vmdetect autorun
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/67deb3e4a175d3177344dcb9/reports/384dc9dc-8359-42d4-8dd5-bf6d42aab374/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/ab8b903ee062c93347eb738d00d0dbf707cdbbb8d26cf4dac7691ccbf8a8aff2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/f86f449c-308d-43ab-87e5-a53f3b13e6d4
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1645763
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to start a terminal service
Detected unpacking (changes PE section rights)
Found malware configuration
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Potentially malicious time measurement code found
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ab8b903ee062c93347eb738d00d0dbf707cdbbb8d26cf4dac7691ccbf8a8aff2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ab8b903ee062c93347eb738d00d0dbf707cdbbb8d26cf4dac7691ccbf8a8aff2/
Threat name:
Win32.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-03-22 12:43:24 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vofzapxamletgr7loogqbug364d43o5y2jwpjwwhneomx6fiv7za._file
Verdict:
malicious
Label(s):
amadey
Create hunting rule
Similar samples:
3ed356b88af2907fcad812a2ca7fb093f31d6f14e5e54889215a60d913627f8a
Amadey
498a9069ed925a5b73352fb97f4e3f95173967269e0e1d64f8dfcf6849f20eb6
Amadey
701221a2e9b9d9c064bab3588492561f69cb610c45dd16a49ce94b4f5d989b43
Amadey
719b90e90ec80dc97228c3bf8116c9a45fd3636a93e4d0c6917fb8de7f719ef8
Amadey
ca4959ce3c1df9fc7cac1f66b99e79523f4486eb99fb3e1e6beab4ee7bdefd8f
Amadey
dcefdcb0308eb805bea44d012871acb60ea7deb8f412299fd59c183c55d5dfaf
Amadey
error
Amadey
+ 5'812 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:skuld family:stealc family:vidar family:xworm botnet:06bcb9 botnet:092155 botnet:trump agilenet bootkit credential_access defense_evasion discovery execution persistence privilege_escalation rat spyware stealer themida trojan upx
Link:
https://tria.ge/reports/250322-p7jybaxkw8/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies system certificate store
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Views/modifies file attributes
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Program crash
System Location Discovery: System Language Discovery
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
AutoIT Executable
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Writes to the Master Boot Record (MBR)
Checks BIOS information in registry
Checks computer location settings
Deletes itself
Drops startup file
Executes dropped EXE
Identifies Wine through registry keys
Impair Defenses: Safe Mode Boot
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Themida packer
Unsecured Credentials: Credentials In Files
Downloads MZ/PE file
Drops file in Drivers directory
Sets service image path in registry
Uses browser remote debugging
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
Detect Vidar Stealer
Detect Xworm Payload
Skuld family
Skuld stealer
Stealc
Stealc family
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Vidar family
Xworm
Xworm family
Malware Config
C2 Extraction:
http://176.113.115.6
https://discordapp.com/api/webhooks/1349647136895012916/qSys_fpsL_y7usKH_AyrFupSjzSsVfg2t895g2HV8Yz72asrwCIsHaqqhPtDFjz8g8_E
http://195.82.146.131
httpss.myvnc.com:1907
http://45.93.20.28
Dropper Extraction:
http://196.251.91.42/up/uploads/encryption02.jpg
http://176.113.115.7/mine/random.exe
Gathering data
Unpacked files
SH256 hash:
ab8b903ee062c93347eb738d00d0dbf707cdbbb8d26cf4dac7691ccbf8a8aff2
MD5 hash:
453e433ce707a2dff379af17e1a7fe44
SHA1 hash:
c95d4c253627be7f36630f5e933212818de19ed7
Link:
https://www.unpac.me/results/71d2387b-08e2-4c5f-8a23-ec228f926f53/
SH256 hash:
2ccf0193244964423de12cedae3269f13136c77da35faacd7f68d44008c616e1
MD5 hash:
1bf601971dc82bcf49661721536a019e
SHA1 hash:
e54ed179190e281dbd4abdde8c3003a40140092a
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/71d2387b-08e2-4c5f-8a23-ec228f926f53/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ab8b903ee062/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ab8b903ee062c93347eb738d00d0dbf707cdbbb8d26cf4dac7691ccbf8a8aff2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe ab8b903ee062c93347eb738d00d0dbf707cdbbb8d26cf4dac7691ccbf8a8aff2

(this sample)

  
Link
https://tria.ge/250322-p25ylasydx/behavioral1
  
Dropped by
Amadey
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments