MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bbbd287a99f521d93784ed8294acddc658b9962c1f2138719e07ee8787f1f666. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 18

Intelligence 18 IOCs 1 YARA 7 File information Comments

SHA256 hash:	bbbd287a99f521d93784ed8294acddc658b9962c1f2138719e07ee8787f1f666
SHA3-384 hash:	bfe3a84952f51c204fbca87996fc3ba10e95a3437e8023fc7037d03474e565332c47072fe98a3a794cb86ba7f46ffb3f
SHA1 hash:	d34c1c5c4dac26defd64b39c8a41b54a5452bf0d
MD5 hash:	e6e71811c8019d12f73518872f6fca60
humanhash:	saturn-zulu-connecticut-black
File name:	2025-07-23e6e71811c8019d12f73518872f6fca60ama.exe
Download:	download sample
Signature	Amadey Create hunting rule
File size:	459'264 bytes
First seen:	2025-07-24 14:20:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	64e90efe1fef3d0c441e2e03b07e8768 (4 x XTinyLoader, 1 x Amadey)
ssdeep	6144:6vBMpF/pkOdNe1teeX85c6hh4vOU4dn7gp/w5DXAauWUGHk/T+QiR8d1TVfYGQAs:EBMpF/pkOdNker22hxU4vDXAdWUuF+K
TLSH	T1AAA45C217813C032D66291711E79FFF685ADB8259B7105DB7BC40F769E202E26A31F3A
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	abuse_ch
Tags:	Amadey exe

abuse_ch

Amadey C2:
http://85.208.84.41/f7ehhfadDSk/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://85.208.84.41/f7ehhfadDSk/index.php	https://threatfox.abuse.ch/ioc/1560372/

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

amadey

ID:

File name:

0f5fa722-974f-4e6d-a69a-c62ffca1e644

Verdict:

Malicious activity

Analysis date:

2025-07-24 13:53:27 UTC

Tags:

gcleaner loader lumma stealer autoit python qrcode auto generic websocket arch-doc amadey botnet themida arch-exec auto-reg telegram pastebin miner susp-powershell

Link:

https://app.any.run/tasks/0f5fa722-974f-4e6d-a69a-c62ffca1e644

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/16616/

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68823d3184b37dd61ef152ed

Tags:

autorun emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %AppData% directory

Creating a process from a recently created file

Сreating synchronization primitives

Creating a file

Connection attempt

Sending an HTTP POST request

Sending a custom TCP request

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

amadey lolbin microsoft_visual_cc netsh obfuscated wmic

Link:

https://www.filescan.io/uploads/688241297bc45bdee1b7cf7a/reports/3648037e-d515-4c91-baf0-26b591d0ba7e/overview

Verdict:

Malicious

Labled as:

Mint.Zard.Generic

Link:

https://www.hybrid-analysis.com/sample/bbbd287a99f521d93784ed8294acddc658b9962c1f2138719e07ee8787f1f666

Malware family:

Amadey

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0e143e11-617a-4c6e-ba53-58d214e7c960

Result

Threat name:

Amadey

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1743449

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to start a terminal service

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Amadey

Yara detected Amadeys Clipper DLL

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/bbbd287a99f521d93784ed8294acddc658b9962c1f2138719e07ee8787f1f666

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) Win 32 Exe x86

Link:

https://app.malva.re/file/e6e71811c8019d12f73518872f6fca60

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bbbd287a99f521d93784ed8294acddc658b9962c1f2138719e07ee8787f1f666/

Verdict:

Malicious

Threat:

VHO:Trojan.Win32.Sdum

Link:

https://tip.neiki.dev/file/bbbd287a99f521d93784ed8294acddc658b9962c1f2138719e07ee8787f1f666

Threat name:

Win32.Trojan.MintZard

Status:

Malicious

First seen:

2025-07-23 18:28:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 23 (86.96%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xo6sq6uz6uq5sn4e5wbjjlg5yzmltfrmd4qtq4m6a7xipb7r6zta._file

Verdict:

malicious

Label(s):

amadey

Similar samples:

error

Amadey

Result

Malware family:

amadey

Score:

10/10

Tags:

family:amadey discovery trojan

Link:

https://tria.ge/reports/250724-rnm7qszzdt/

Behaviour

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Windows directory

Checks computer location settings

Executes dropped EXE

Amadey

Amadey family

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/68a964f9-0d83-445c-ad3a-a227b1b54efa

Unpacked files

SH256 hash:

bbbd287a99f521d93784ed8294acddc658b9962c1f2138719e07ee8787f1f666

MD5 hash:

e6e71811c8019d12f73518872f6fca60

SHA1 hash:

d34c1c5c4dac26defd64b39c8a41b54a5452bf0d

Detections:

Amadey

Link:

https://www.unpac.me/results/a87f3261-1fe1-46ec-ab5a-18f2c1d2b51b/

SH256 hash:

994d115922a3ce8324114199fb7d06d7c8276779f83523b66b8c05505b81376e

MD5 hash:

27263a945a112e57aba4e978d89cbf4f

SHA1 hash:

f27dcc81c7ca62455d15526fd77138a77a7bf8a5

Detections:

Amadey

Link:

https://www.unpac.me/results/a87f3261-1fe1-46ec-ab5a-18f2c1d2b51b/

Parent samples :

bbbd287a99f521d93784ed8294acddc658b9962c1f2138719e07ee8787f1f666
8e5e311c0af982943d5e7c6ba8d4dc5436b083f7144e84ecb0981f0010a47126
1e7c2f76cda9a87962bdf277253c135ecf40c0e7cefe782eeb7d0128e55b1aa8
19c1a5da57d92f9068293c6443fbc5c0ae1261b3a796d1cb6d5abfc34661776d
b479f9035cc7f9d479f64dc47af55f32330a2c3d9eb592d1e1f45b7893a3f0c1
60a14371395270b14bf1390d77f5afbccc837fdf30f790a64578045fe78a4bc0
3c573e66b191de9b5f1dd3ec278533a6bba4dd68d6f44735168e0e6075ed00e5
21d33f9239c70349cb43042488ecf98aa79cc0166e0827c866a17b149fd62dab
13bdd724d62c42ea1cc551b06b94626dfbcd07c30830363d3d0ec212feea4860
6a66a4adae504bbbc1645ff0009a3ebd860e0b64762f95f6d9f8567b227c276e
8e1f84225e541eb8ac2067983d9c5d373fe8c5f9f72bda414823b0f4cd63c945
1002fc4c644e879e1f70a75c373151ddddcb41b2619a8e90f64e1fec8086e565

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bbbd287a99f521d93784ed8294acddc658b9962c1f2138719e07ee8787f1f666

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	win_amadey_062025 Create hunting rule
Author:	0x0d4y
Description:	This rule detects intrinsic patterns of Amadey version 5.34.
Reference:	https://0x0d4y.blog/amadey-targeted-analysis/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/16616/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical

Reviews

ID	Capabilities	Evidence
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteW
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryW KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample