MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1237713c768d18107cf5378fb387412bb905c4503f66ce8c15c644091b19ba7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 18

SHA256 hash: b1237713c768d18107cf5378fb387412bb905c4503f66ce8c15c644091b19ba7
SHA3-384 hash: 6ed32397031c7065557860ddc095ebf7d80b8343bf4d1d9c0e259615fe32280d7ca82542efb8277a7595fb969078034a
SHA1 hash: 2195c679ef35a95be66afb39a534877bba86b96c
MD5 hash: f37900e7e8144f9d7f085f8732746d74
humanhash: arkansas-fish-fifteen-orange
File name: random.exe
Signature: Amadey
File size: 3'004'416 bytes
First seen: 2025-06-02 07:26:45 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep: 49152:o/U4ZTdF8Rcsi3rUDvPQE68xLfseWzNswifjKunu1xmI:o84ZTdF8RcsWePQE68OeEXifHc
TLSH: T187D56D92B40BB1CFC85E2B758527DDCA581D17B94B1548C3A87D68BEFD63CC022B6D28
TrID:
  29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
  20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
  9.1% (.EXE) OS/2 Executable (generic) (2029/13)
  9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika: pebin
Reporter: abuse_ch
Tags: Amadey exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 419
Origin country: NL

Vendor Threat Intelligence

Malware family:
ID: 1
File name: random.exe
Verdict: Malicious activity
Analysis date: 2025-06-02 08:11:15 UTC
Tags: amadey botnet stealer loader lumma auto-reg telegram asyncrat rat gcleaner pentagon evasion github rdp themida cybergate vidar auto generic

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 96.5%
Tags: vmdetect autorun
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Searching for analyzing tools
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: crypt microsoft_visual_cc packed packed packer_detected
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Amadey, AsyncRAT, CyberGate, LummaC Stea, LummaC Stealer, Xmrig
Detection: malicious
Classification: troj.spyw.evad.mine.expl
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to start a terminal service
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Early bird code injection technique detected
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found strings related to Crypto-Mining
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Switches to a custom stack to bypass stack traces
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected AsyncRAT
Yara detected CyberGate RAT
Yara detected LummaC Stealer
Yara detected RHADAMANTHYS Stealer
Yara detected VenomRAT
Yara detected Xmrig cryptocurrency miner
Yara detected XWorm
Behaviour
Behavior Graph (ID: 1703776; Sample: random.exe; Startdate: 02/06/2025; Architecture: WINDOWS; Score: 100)

Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 19 other signatures

Process tree, with network contacts, dropped files and signatures per process:

random.exe
  dropped: C:\Users\user\AppData\Local\...\ramez.exe (PE32); C:\Users\user\...\ramez.exe:Zone.Identifier (ASCII)
  signatures: Detected unpacking (changes PE section rights); Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Tries to evade debugger and weak emulator (self modifying code); Tries to detect virtualization through RDTSC time measurements
  started: ramez.exe
    signatures: Detected unpacking (changes PE section rights); Contains functionality to start a terminal service; Tries to detect sandboxes and other dynamic analysis tools (window names); 4 other signatures

ramez.exe
  network: 185.156.72.96 (ITDELUXE-ASRU, Russian Federation); 185.156.72.2 (ITDELUXE-ASRU, Russian Federation); 77.83.207.69 (DINET-ASRU, Russian Federation)
  dropped: C:\Users\user\AppData\...\7def729a32.exe (PE32+); C:\Users\user\AppData\...\0dd2f41726.exe (PE32); C:\Users\user\AppData\...\dcce8f69da.exe (PE32); 33 other malicious files
  signatures: Contains functionality to start a terminal service; Creates multiple autostart registry keys; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); 3 other signatures
  started: OpenWith.exe; sGe7ljJ.exe; q4LTl2d.exe; 9 other processes
    OpenWith.exe
      network: 158.51.99.19 (NETINF-PRIMARY-ASUS, Reserved); 213.239.239.164 (HETZNER-ASDE, Germany); 8 other IPs or domains
      dropped: C:\Users\user\AppData\Local\...\s9ewZ.exe (PE32+); C:\Users\user\AppData\Local\...\]uF4FBknn.exe (PE32+)
      signatures: Early bird code injection technique detected; Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Query firmware table information (likely to detect VMs); 9 other signatures
      started: chrome.exe
    sGe7ljJ.exe
      signatures: 3 other signatures
      started: MSBuild.exe; conhost.exe
        MSBuild.exe
          network: 104.21.58.135 (CLOUDFLARENETUS, United States); 104.69.113.12 (AKAMAI-ASUS, United States)
          signatures: Query firmware table information (likely to detect VMs); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); Tries to steal from password manager
    q4LTl2d.exe
      dropped: C:\directory\CyberGate\install\server.exe (PE32)
      signatures: Creates an undocumented autostart registry key; 3 other signatures
      injected: explorer.exe
    9 other processes
      network: 208.95.112.1 (TUT-ASUS, United States); 179.43.141.35 (PLI-ASCH, Panama); 2 other IPs or domains
      dropped: C:\Users\user\AppData\Local\Temp\...\YCL.exe (PE32); C:\Users\user\...\Bunifu_UI_v1.5.3.dll (PE32); C:\Users\user\AppData\Local\...\saren.exe (PE32); 2 other malicious files
      signatures: Found strings related to Crypto-Mining; 3 other signatures
      started: MSBuild.exe (x3); 5 other processes
        MSBuild.exe: network 149.154.167.99 (TELEGRAMRU, United Kingdom); 195.82.147.188 (DREAMTORRENT-CORP-ASRU, Russian Federation); signature: Tries to steal Crypto Currency Wallets
        MSBuild.exe: network 172.67.152.100 (CLOUDFLARENETUS, United States); 23.64.158.119 (AKAMAI-ASUS, United States)
        MSBuild.exe: signature: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
        5 other processes: network 104.40.69.76 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)

svchost.exe
  signatures: Changes security center settings (notifications, updates, antivirus, firewall)
  started: MpCmdRun.exe
    started: conhost.exe

10 other processes
  network: 20.190.135.18 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)
  started: WerFault.exe
Threat name: Win32.Trojan.LummaStealer
Status: Malicious
First seen: 2025-06-02 03:57:24 UTC
File Type: PE (Exe)
Extracted files: 2
AV detection: 20 of 24 (83.33%)
Threat level: 5/5
Verdict: malicious
Label(s):
Similar samples:
Result
Malware family:
Score: 10/10
Tags: family:amadey family:asyncrat family:lumma family:pentagonstealer family:redline family:xworm botnet:8d33eb botnet:nicodrip botnet:venom clients credential_access defense_evasion discovery infostealer persistence rat spyware stealer trojan upx
Behaviour
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Adds policy Run key to start application
Boot or Logon Autostart Execution: Active Setup
Downloads MZ/PE file
Uses browser remote debugging
Async RAT payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Lumma family
Pentagon Stealer
Pentagonstealer family
RedLine
RedLine payload
Redline family
Suspicious use of NtCreateUserProcessOtherParentProcess
Xworm
Xworm family
Amadey
Amadey family
AsyncRat
Asyncrat family
Detect Xworm Payload
Lumma Stealer, LummaC
Malware Config
C2 Extraction:
http://185.156.72.96
151.242.63.190:7000
193.124.205.63:4449
https://stealer.cy
https://https://t.me/pizdenka202020/api
https://autogearw.live/tapsz
https://narrathfpt.top/tekq
https://escczlv.top/bufi
https://localixbiw.top/zlpa
https://korxddl.top/qidz
https://harumseeiw.top/tqmn
https://diecam.top/laur/api
https://citellcagt.top/gjtu
https://witchdbhy.run/pzal
https://battlefled.top/gaoi
193.233.237.109:1912
Unpacked files

SHA256 hash: b1237713c768d18107cf5378fb387412bb905c4503f66ce8c15c644091b19ba7
MD5 hash: f37900e7e8144f9d7f085f8732746d74
SHA1 hash: 2195c679ef35a95be66afb39a534877bba86b96c

SHA256 hash: cf0907fb6bd2efd03f9bf9060cead7be747e696f92b3e2ec0a500ef2dc577228
MD5 hash: 3cb4ac4d2b20c7795c3e299c73354c67
SHA1 hash: b1c5d6428e9a2e489edde2aafb13881e8e60c0f1
Detections: Amadey

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: pe_detect_tls_callbacks

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Amadey
Executable exe b1237713c768d18107cf5378fb387412bb905c4503f66ce8c15c644091b19ba7 (this sample)
Delivery method: Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                          Title                                                      Severity
CHECK_AUTHENTICODE          Missing Authenticode                                       high
CHECK_DLL_CHARACTERISTICS   Missing dll Security Characteristics (HIGH_ENTROPY_VA)    high
CHECK_NX                    Missing Non-Executable Memory Protection                   critical
