MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c4df606846acbe1a50dbf51627216ec2e61083cc983a2c5776246ba5777cf6b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 18


Intelligence 18 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c4df606846acbe1a50dbf51627216ec2e61083cc983a2c5776246ba5777cf6b6
SHA3-384 hash: e7991a9157b9acfe3cb5c51d1e8360a9afe05279c5d9bbe9ffdf071b92d33bbc7e3d10a275c390b2f68c40ca6ae944a6
SHA1 hash: 0d5ddebc7cb9099054ec3d33d4b983ab8791b3cf
MD5 hash: ec2f1afd1e488614c309970954cd4062
humanhash: high-seven-hydrogen-sweet
File name:random.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:6'526'976 bytes
First seen:2025-05-06 07:05:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 98304:ka3AKRgxnsT2oPj1PQrUetHEv/Uobng6mAmGTTjv5uH4ruJ8iycggI1hlFM6mvRT:k5XxnvoxoDHEv/UorErJG/GSxN
TLSH T15A66330F7FCC8137F47E137508FB21C306747465A2A9D89FBEAA4D8B5AA1A0056B13B5
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10522/11/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:Amadey exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
428
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
c4df606846acbe1a50dbf51627216ec2e61083cc983a2c5776246ba5777cf6b6.exe
Verdict:
Malicious activity
Analysis date:
2025-05-06 09:13:50 UTC
Tags:
lumma stealer amadey botnet loader
Link:
https://app.any.run/tasks/0ea8992d-5923-41f5-a68a-49afba9f8231

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6819b56e432e243ac3e47f0e
Tags:
enigmaprotector vmdetect phishing
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Сreating synchronization primitives
Creating a file
Creating a window
Searching for the window
Searching for synchronization primitives
Running batch commands
Searching for analyzing tools
Launching a process
Launching a service
Using the Windows Management Instrumentation requests
Connection attempt to an infection source
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-vm anti-vm CAB crypt explorer installer lolbin microsoft_visual_cc packed packed packer_detected rundll32 runonce sfx xpack
Link:
https://www.filescan.io/uploads/6819b4c28d43c3a878f95122/reports/b58ec6dd-f9c5-4821-8298-bf72e1c0d8d2/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/c4df606846acbe1a50dbf51627216ec2e61083cc983a2c5776246ba5777cf6b6
Malware family:
NirSoft
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/9ceb379c-6fcd-410c-96a6-489ee69f72ed
Result
Threat name:
Amadey, LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1681872
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Contains functionality to start a terminal service
Detected unpacking (changes PE section rights)
Drops password protected ZIP file
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: PUA - NSudo Execution
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Uses cmd line tools excessively to alter registry or file data
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1681872 Sample: random.exe Startdate: 06/05/2025 Architecture: WINDOWS Score: 100 71 185.156.72.96 ITDELUXE-ASRU Russian Federation 2->71 73 vecturar.top 2->73 87 Suricata IDS alerts for network traffic 2->87 89 Found malware configuration 2->89 91 Antivirus detection for URL or domain 2->91 93 13 other signatures 2->93 12 random.exe 1 4 2->12         started        15 ramez.exe 2->15         started        18 rundll32.exe 2->18         started        signatures3 process4 file5 67 C:\Users\user\AppData\Local\...\y3u42.exe, PE32 12->67 dropped 69 C:\Users\user\AppData\Local\...\3S28X.exe, PE32 12->69 dropped 20 y3u42.exe 1 4 12->20         started        24 3S28X.exe 12->24         started        119 Contains functionality to start a terminal service 15->119 121 Hides threads from debuggers 15->121 123 Tries to detect sandboxes / dynamic malware analysis system (registry check) 15->123 125 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 15->125 signatures6 process7 dnsIp8 53 C:\Users\user\AppData\Local\...\2L3499.exe, PE32 20->53 dropped 55 C:\Users\user\AppData\Local\...\1x99y2.exe, PE32 20->55 dropped 95 Antivirus detection for dropped file 20->95 97 Multi AV Scanner detection for dropped file 20->97 27 2L3499.exe 4 20->27         started        31 1x99y2.exe 1 16 20->31         started        75 vecturar.top 104.21.62.226, 443, 49697, 49698 CLOUDFLARENETUS United States 24->75 99 Detected unpacking (changes PE section rights) 24->99 101 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 24->101 103 Query firmware table information (likely to detect VMs) 24->103 105 5 other signatures 24->105 file9 signatures10 process11 file12 57 C:\Users\user\AppData\Local\...\ramez.exe, PE32 27->57 dropped 109 Antivirus detection for dropped file 27->109 111 Multi AV Scanner detection for dropped file 27->111 113 Detected unpacking (changes PE section rights) 27->113 117 7 other signatures 27->117 33 ramez.exe 27->33         started        59 C:\Users\user\AppData\Local\...\nircmd.exe, PE32+ 31->59 dropped 61 C:\Users\user\AppData\Local\...\cecho.exe, PE32 31->61 dropped 63 C:\Users\user\AppData\Local\...63SudoLG.exe, PE32+ 31->63 dropped 65 2 other malicious files 31->65 dropped 115 Contains functionality to detect sleep reduction / modifications 31->115 36 cmd.exe 1 31->36         started        signatures13 process14 signatures15 77 Antivirus detection for dropped file 33->77 79 Multi AV Scanner detection for dropped file 33->79 81 Detected unpacking (changes PE section rights) 33->81 85 6 other signatures 33->85 83 Uses cmd line tools excessively to alter registry or file data 36->83 38 cmd.exe 1 36->38         started        41 conhost.exe 36->41         started        process16 signatures17 107 Uses cmd line tools excessively to alter registry or file data 38->107 43 cmd.exe 1 38->43         started        45 conhost.exe 38->45         started        47 NSudoLG.exe 38->47         started        49 29 other processes 38->49 process18 process19 51 tasklist.exe 43->51         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c4df606846acbe1a50dbf51627216ec2e61083cc983a2c5776246ba5777cf6b6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c4df606846acbe1a50dbf51627216ec2e61083cc983a2c5776246ba5777cf6b6/
Threat name:
Win32.Trojan.Whispergate
Create hunting rule
Status:
Malicious
First seen:
2025-05-05 20:22:48 UTC
File Type:
PE (Exe)
Extracted files:
130
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ytpwa2cgvs7buug36ulcoiloyltbba6mta5cyv3werv2k534623a._file
Verdict:
malicious
Label(s):
admintool_nsudo
Create hunting rule
lummastealer
Create hunting rule
amadey
Create hunting rule
Similar samples:
error
Amadey
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey botnet:8d33eb defense_evasion discovery persistence trojan
Link:
https://tria.ge/reports/250506-hwpabsxsa1/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Launches sc.exe
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
Malware Config
C2 Extraction:
http://185.156.72.96
Verdict:
Malicious
Tags:
stealer redline Win.Trojan.Scar-6903585-0
YARA:
win_redline_wextract_hunting_oct_2023
Link:
https://app.threat.zone/submission/91f1d0fa-3854-4a95-a842-1cf0d0cee6e4
Unpacked files
SH256 hash:
c4df606846acbe1a50dbf51627216ec2e61083cc983a2c5776246ba5777cf6b6
MD5 hash:
ec2f1afd1e488614c309970954cd4062
SHA1 hash:
0d5ddebc7cb9099054ec3d33d4b983ab8791b3cf
Link:
https://www.unpac.me/results/a17f9418-5139-4bf4-987b-fe27e0a34f2f/
SH256 hash:
275665e34604baf9c672201513d84c13bc3a96eb61097f9d38718572dda3272f
MD5 hash:
bfc95d2ae6ca1381c5e2a78966fcf227
SHA1 hash:
95e6d3a7a61c4a882eafb1a699f130ca885c2a1e
Link:
https://www.unpac.me/results/a17f9418-5139-4bf4-987b-fe27e0a34f2f/
SH256 hash:
b1dad27fc29640076cb46280b7cbceb5d15d0323eae464d8e83d7b1794f450e2
MD5 hash:
446fd91a1c4cd9057ed9f52a7a9ffb4b
SHA1 hash:
91d9f0d0984dbc7d399b51a5232fb8ca92c4c15d
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/a17f9418-5139-4bf4-987b-fe27e0a34f2f/
SH256 hash:
26c3804209c360ef8770e8dbb790d77fff8ee092696c8a56829e8953114fbab6
MD5 hash:
830639843822304a226e2de1998220b9
SHA1 hash:
b20354631d724d2f4851722ecb46760e3a7717e8
Link:
https://www.unpac.me/results/a17f9418-5139-4bf4-987b-fe27e0a34f2f/
SH256 hash:
0321940272408cca02e178489c326d67894db2c0f51ffa6c3c2a64799ad5cf85
MD5 hash:
4d66d4e0e3bc93a6976161c23a4c4669
SHA1 hash:
2abc77e04a529d8a81326222f3dc76c04ff4de28
Link:
https://www.unpac.me/results/a17f9418-5139-4bf4-987b-fe27e0a34f2f/
SH256 hash:
cf878bfbd9ed93dc551ac038aff8a8bba4c935ddf8d48e62122bddfdb3e08567
MD5 hash:
426ccb645e50a3143811cfa0e42e2ba6
SHA1 hash:
3c17e212a5fdf25847bc895460f55819bf48b11d
Link:
https://www.unpac.me/results/a17f9418-5139-4bf4-987b-fe27e0a34f2f/
SH256 hash:
f469e4b98e5ea155f758374edda3ab3296c155d2d41cdb3fef245f4d6837d2ff
MD5 hash:
2f96e5debea18290cd6cdb433ede59b9
SHA1 hash:
f5f645c1e01227664bfc0a93e4d25cd1c23e9c7e
Link:
https://www.unpac.me/results/a17f9418-5139-4bf4-987b-fe27e0a34f2f/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c4df606846ac/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c4df606846acbe1a50dbf51627216ec2e61083cc983a2c5776246ba5777cf6b6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe c4df606846acbe1a50dbf51627216ec2e61083cc983a2c5776246ba5777cf6b6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3533504/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::EqualSid
ADVAPI32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetDriveTypeA
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetSystemInfo
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::GetWindowsDirectoryA
KERNEL32.dll::GetSystemDirectoryA
KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryInfoKeyA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageA

Comments