MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c498735b89871dc42f522a389d3f2c63b347364fd8b03a6d788c092ce9353d77. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 18


Intelligence 18 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c498735b89871dc42f522a389d3f2c63b347364fd8b03a6d788c092ce9353d77
SHA3-384 hash: 28b3f08060912f90e8b85395ca553a85c9c753c15a2b0492e99150920fab246166057949e74d8b33127d7d35f92d0a61
SHA1 hash: fd97d5e5080b0130e21f998ed33b47997dd87d84
MD5 hash: 5b1dbccb1977e33fae7e0efa78e96b49
humanhash: oklahoma-mango-potato-five
File name:random.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:1'962'496 bytes
First seen:2025-03-08 14:44:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:GbH3jNl9hAMO18bTKiyyGqxcyO1iQwLoFha7:GbHB72buXmA0iVLoFC
Threatray 5'286 similar samples on MalwareBazaar
TLSH T1A8953342E9986DF8DA1E0FF0B45A4F0FF40667E15E51E2BD7CCA71C4ACE08A099D7582
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter aachum
Tags:092155 Amadey exe


Avatar
iamaachum
http://176.113.115.7/mine/random.exe

Amadey Botnet: 092155
Amadey C2: http://176.113.115.6/Ni9kiput/index.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
419
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
random.exe
Verdict:
Malicious activity
Analysis date:
2025-03-08 14:24:13 UTC
Tags:
amadey botnet stealer lumma opendir loader stealc rdp themida autoit auto generic vidar credentialflusher java
Link:
https://app.any.run/tasks/9fa2ac06-6b13-4664-8547-b5d19e6ab546

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67cc5cde1a4ca224d3ee2b66
Tags:
vmdetect autorun
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/67cc57fa3c5f644bd9491a4a/reports/9742ee33-caa8-436b-b514-4f9fdcaad335/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/c498735b89871dc42f522a389d3f2c63b347364fd8b03a6d788c092ce9353d77
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/3ea483b8-e499-4dc5-a69d-dde94be49b65
Result
Threat name:
Amadey, PureLog Stealer, RedLine, zgRAT
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1632641
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Drops PE files with a suspicious file extension
Found API chain indicative of sandbox detection
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Potentially malicious time measurement code found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Search for Antivirus process
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: WScript or CScript Dropper
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to download files via bitsadmin
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes many files with high entropy
Writes to foreign memory regions
Wscript called in batch mode (surpress errors)
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1632641 Sample: random.exe Startdate: 08/03/2025 Architecture: WINDOWS Score: 100 134 Found malware configuration 2->134 136 Malicious sample detected (through community Yara rule) 2->136 138 Antivirus detection for URL or domain 2->138 140 24 other signatures 2->140 10 rapes.exe 9 93 2->10         started        15 random.exe 5 2->15         started        17 rapes.exe 2->17         started        19 wscript.exe 2->19         started        process3 dnsIp4 128 176.113.115.6 SELECTELRU Russian Federation 10->128 130 176.113.115.7 SELECTELRU Russian Federation 10->130 110 C:\Users\user\AppData\...\48726a724d.exe, PE32 10->110 dropped 112 C:\Users\user\AppData\...\d8be899fe4.exe, PE32 10->112 dropped 114 C:\Users\user\AppData\...\a2528907a0.exe, PE32 10->114 dropped 120 41 other malicious files 10->120 dropped 184 Contains functionality to start a terminal service 10->184 186 Creates multiple autostart registry keys 10->186 188 Hides threads from debuggers 10->188 21 ReK7Ewx.exe 10->21         started        25 PfOHmro.exe 10->25         started        27 mIrI3a9.exe 10->27         started        34 2 other processes 10->34 116 C:\Users\user\AppData\Local\...\rapes.exe, PE32 15->116 dropped 118 C:\Users\user\...\rapes.exe:Zone.Identifier, ASCII 15->118 dropped 190 Detected unpacking (changes PE section rights) 15->190 192 Tries to evade debugger and weak emulator (self modifying code) 15->192 194 Tries to detect virtualization through RDTSC time measurements 15->194 196 Potentially malicious time measurement code found 15->196 30 rapes.exe 15->30         started        198 Tries to detect sandboxes / dynamic malware analysis system (registry check) 17->198 200 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 17->200 202 Windows Scripting host queries suspicious COM object (likely to drop second stage) 19->202 32 EduGeniusX.com 19->32         started        file5 signatures6 process7 dnsIp8 88 C:\Users\user\AppData\Local\Temp\Series.msi, data 21->88 dropped 90 C:\Users\user\AppData\Local\Temp\Salem.msi, data 21->90 dropped 92 C:\Users\user\AppData\...\Responding.msi, data 21->92 dropped 96 8 other malicious files 21->96 dropped 142 Multi AV Scanner detection for dropped file 21->142 144 Writes many files with high entropy 21->144 36 cmd.exe 21->36         started        146 Antivirus detection for dropped file 25->146 148 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 25->148 150 Found many strings related to Crypto-Wallets (likely being stolen) 25->150 160 3 other signatures 25->160 39 PfOHmro.exe 15 53 25->39         started        43 WerFault.exe 25->43         started        53 2 other processes 25->53 132 185.170.144.38 VDWELLEREE unknown 27->132 94 C:\Users\user\AppData\Roaming\a.exe, PE32 27->94 dropped 162 3 other signatures 27->162 45 powershell.exe 27->45         started        152 Detected unpacking (changes PE section rights) 30->152 154 Contains functionality to start a terminal service 30->154 156 Tries to detect sandboxes and other dynamic analysis tools (window names) 30->156 164 4 other signatures 30->164 158 Tries to download files via bitsadmin 34->158 166 2 other signatures 34->166 47 conhost.exe 34->47         started        49 bitsadmin.exe 1 34->49         started        51 fltMC.exe 1 34->51         started        55 4 other processes 34->55 file9 signatures10 process11 dnsIp12 84 C:\Users\user\AppData\...\Occupation.com, PE32 36->84 dropped 57 Occupation.com 36->57         started        61 cmd.exe 36->61         started        63 conhost.exe 36->63         started        71 10 other processes 36->71 122 101.99.92.190 SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY Malaysia 39->122 124 104.26.13.31 CLOUDFLARENETUS United States 39->124 86 C:\Users\user\AppData\Local\...dgeBHO.exe, PE32+ 39->86 dropped 168 Found many strings related to Crypto-Wallets (likely being stolen) 39->168 170 Tries to harvest and steal browser information (history, passwords, etc) 39->170 172 Tries to steal Crypto Currency Wallets 39->172 65 conhost.exe 39->65         started        126 13.92.180.205 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 43->126 174 Loading BitLocker PowerShell Module 45->174 67 conhost.exe 45->67         started        69 WmiPrvSE.exe 45->69         started        file13 signatures14 process15 file16 98 C:\Users\user\AppData\Local\...\RegAsm.exe, PE32 57->98 dropped 100 C:\Users\user\AppData\...duGeniusX.com, PE32 57->100 dropped 102 C:\Users\user\AppData\Local\...\u, data 57->102 dropped 104 C:\Users\user\AppData\Local\...duGeniusX.js, ASCII 57->104 dropped 176 Drops PE files with a suspicious file extension 57->176 178 Writes to foreign memory regions 57->178 180 Writes many files with high entropy 57->180 182 Injects a PE file into a foreign processes 57->182 73 cmd.exe 57->73         started        76 cmd.exe 57->76         started        106 C:\Users\user\AppData\Local\Temp\789919\q, data 61->106 dropped signatures17 process18 file19 108 C:\Users\user\AppData\...duGeniusX.url, MS 73->108 dropped 78 conhost.exe 73->78         started        80 conhost.exe 76->80         started        82 schtasks.exe 76->82         started        process20
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c498735b89871dc42f522a389d3f2c63b347364fd8b03a6d788c092ce9353d77
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c498735b89871dc42f522a389d3f2c63b347364fd8b03a6d788c092ce9353d77/
Threat name:
Win32.Exploit.LummaC
Create hunting rule
Status:
Malicious
First seen:
2025-03-08 14:24:15 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ysmhgw4jq4o4il2sfi4j2pzmmozuonsp3cydu3lyrqesz2jvhv3q._file
Verdict:
malicious
Label(s):
amadey
Create hunting rule
Similar samples:
0fbeda64692d967eee2451cedcec0989f226ffceba72d6ccefa61befa14ac70f
Amadey
1500f5d2c76350b29aaa9e46a37881fee4cd125b363d175909d2f5855990b95e
Amadey
3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77
Amadey
3d8bd5d204ef586f2958455a4f57cd493580978c83c34759839dcdd5e4d9f120
Amadey
4f21fa7d1daaab88aaa4ffccab5145e36a6ee21ef9da888338f47ed2eafffee1
Amadey
a7a661cf43d7129a809901c641998089aff10f97a09bbdf5874ba16c01db5dfb
Amadey
b2137c97af2814ff8fdf50ddd9babc2231c049f08c2b86fdb27b9ccfa80b0946
Amadey
baf0e2efe3d441c4631b40d199edd05b56b49620f60bfd03ece1012fde47b30c
Amadey
dc25d718f31abfb22d767a38383cc4534ecec474e88e9b84b9e437fb97fd5017
Amadey
ec603a0936ee9833a10b2d9ad971eeab730399ea5b713bd6013550057873cbe8
Amadey
error
Amadey
+ 5'276 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:healer family:lumma family:redline family:sectoprat family:vidar botnet:092155 botnet:build 7 botnet:ir7am collection credential_access defense_evasion discovery dropper execution infostealer persistence privilege_escalation pyinstaller rat spyware stealer trojan upx
Link:
https://tria.ge/reports/250308-r4tpfsynx5/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Browser Information Discovery
Detects Pyinstaller
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Drops file in Windows directory
AutoIT Executable
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
UPX packed file
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
.NET Reactor proctector
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Download via BitsAdmin
Downloads MZ/PE file
Uses browser remote debugging
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
Detect Vidar Stealer
Detects Healer an antivirus disabler dropper
Healer
Healer family
Lumma Stealer, LummaC
Lumma family
RedLine
RedLine payload
Redline family
SectopRAT
SectopRAT payload
Sectoprat family
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Vidar family
Malware Config
C2 Extraction:
http://176.113.115.6
101.99.92.190:40919
https://nebdulaq.digital/api
https://begindecafer.world/api
https://garagedrootz.top/api
https://modelshiverd.icu/api
https://arisechairedd.shop/api
https://acatterjur.run/api
https://orangemyther.live/api
https://fostinjec.today/api
https://sterpickced.digital/api
https://biochextryhub.bet/api
https://q8explorebieology.run/api
https://gadgethgfub.icu/api
https://moderzysics.top/api
https://5ktechmindzs.live/api
https://6codxefusion.top/api
https://7phygcsforum.life/api
https://techspherxe.top/api
https://earthsymphzony.today/api
https://j8arisechairedd.shop/api
https://gmodelshiverd.icu/api
https://catterjur.run/api
https://defaulemot.run/api
https://ycatterjur.run/api
https://xsterpickced.digital/api
https://t.me/l793oy
https://steamcommunity.com/profiles/76561199829660832
Dropper Extraction:
http://176.113.115.7/mine/random.exe
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5fab4f7a-9b13-4f43-9ab5-a8fc9e095aa1
Unpacked files
SH256 hash:
c498735b89871dc42f522a389d3f2c63b347364fd8b03a6d788c092ce9353d77
MD5 hash:
5b1dbccb1977e33fae7e0efa78e96b49
SHA1 hash:
fd97d5e5080b0130e21f998ed33b47997dd87d84
Link:
https://www.unpac.me/results/5e15152a-094e-4ab9-886f-0a5b47bdeeb4/
SH256 hash:
0e465e419ce695346bf45e783ae98567c40560822ff996f4f19db571fc2048fe
MD5 hash:
21a3caf6ef39506f78d02a7881b5fe57
SHA1 hash:
80b1c0ac6e648e4a87a49cd1cc9f9f1f601e185b
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/5e15152a-094e-4ab9-886f-0a5b47bdeeb4/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c498735b8987/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c498735b89871dc42f522a389d3f2c63b347364fd8b03a6d788c092ce9353d77

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe c498735b89871dc42f522a389d3f2c63b347364fd8b03a6d788c092ce9353d77

(this sample)

  
Link
https://tria.ge/250308-rx1jesymv9
  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3460858/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments