MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c61e7458636c14db4555bea09f174b1323b283f486e0618ab07e0384c6b2b12c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 21

Intelligence 21 IOCs 1 YARA 20 File information Comments

SHA256 hash:	c61e7458636c14db4555bea09f174b1323b283f486e0618ab07e0384c6b2b12c
SHA3-384 hash:	1a81817fcb0485a0a4a5161d068eae20af87b0cab183a79a1466a810811c3e357866072a61da53e52d0607c225869397
SHA1 hash:	9a29c737bb5c2e20edff294217bb36789ccb1253
MD5 hash:	8e00f82eaa1702b6efc6a1f3ff6ddf4f
humanhash:	don-thirteen-johnny-nuts
File name:	random.exe
Download:	download sample
Signature	Amadey Create hunting rule
File size:	5'086'208 bytes
First seen:	2025-09-19 06:16:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	98304:znx2LMnzhcl0IzC8Kppxux+fn/VcB+jFlNIEIzrBsFUr:z0LMnzheNdKp/ux+PfZlNIEIzrq2r
TLSH	T19D363325EA1FA356E7AA553B49F8173086B942BA2073567C2F02D18FFCB20E4DC35E15
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	abuse_ch
Tags:	Amadey exe

abuse_ch

Amadey C2:
http://178.16.54.200/f8nus4b/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://178.16.54.200/f8nus4b/index.php	https://threatfox.abuse.ch/ioc/1593931/

Intelligence

File Origin

# of uploads :

# of downloads :

136

Origin country :

Vendor Threat Intelligence

Malware family:

amadey

ID:

File name:

random.exe

Verdict:

Malicious activity

Analysis date:

2025-09-19 06:17:34 UTC

Tags:

lumma stealer amadey botnet unlocker-eject tool themida auto-reg loader auto-startup stealc vidar rdp telegram auto coinminer miner generic

Link:

https://app.any.run/tasks/14074c26-1b48-4301-81f9-ea39360893c7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Amadey

Link:

https://www.capesandbox.com/analysis/28240/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68ccf56f246a2631bd30f49f

Tags:

phishing delphi cobalt

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Enabling the 'hidden' option for files in the %temp% directory

Creating a file in the Windows directory

Enabling the 'hidden' option for recently created files

Launching a process

Creating a process with a hidden window

Creating a service

Launching a service

Restart of the analyzed sample

Сreating synchronization primitives

Creating a file in the Windows subdirectories

Searching for synchronization primitives

Running batch commands

Creating a process from a recently created file

Creating a window

Searching for the window

Creating a file

Launching the default Windows debugger (dwwin.exe)

Enabling autorun for a service

Connection attempt to an infection source

Enabling autorun by creating a file

Sending an HTTP POST request to an infection source

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

cmd lolbin obfuscated packed reconnaissance sc schtasks

Link:

https://www.filescan.io/uploads/68ccf56973af424b47e7200c/reports/b5892690-a9d1-46e7-a321-f8e2ba8a96e8/overview

Verdict:

Malicious

Labled as:

Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/c61e7458636c14db4555bea09f174b1323b283f486e0618ab07e0384c6b2b12c

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-09-19T04:30:00Z UTC

Last seen:

2025-09-19T04:30:00Z UTC

Hits:

~10

Detections:

Trojan-Downloader.Win32.Deyma.sb HEUR:Trojan-PSW.Win32.Lumma.pef HEUR:Trojan-Downloader.Win32.Deyma.gen HEUR:Trojan-Downloader.MSIL.Deyma.gen Trojan.Nymaim.HTTP.ServerRequest Trojan.Agentb.TCP.C&C PDM:Trojan.Win32.Generic Trojan-PSW.Lumma.HTTP.Download Trojan.BAT.Agent.cot HEUR:Trojan.Win32.Generic

Link:

https://opentip.kaspersky.com/c61e7458636c14db4555bea09f174b1323b283f486e0618ab07e0384c6b2b12c/results?tab=lookup

Malware family:

Amadey

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b8f4c423-bb5e-49c5-8389-9e3a4d513f15

Result

Threat name:

LummaC Stealer, Vidar

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1780491

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to start a terminal service

Drops executables to the windows directory (C:\Windows) and starts them

Drops password protected ZIP file

Found malware configuration

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: PUA - NSudo Execution

Sigma detected: Suspicious New Service Creation

Suricata IDS alerts for network traffic

Uses cmd line tools excessively to alter registry or file data

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the nircmd tool (NirSoft)

Yara detected LummaC Stealer

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Score:

95%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/c61e7458636c14db4555bea09f174b1323b283f486e0618ab07e0384c6b2b12c

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.35 Win 32 Exe x86

Link:

https://app.malva.re/file/8e00f82eaa1702b6efc6a1f3ff6ddf4f

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c61e7458636c14db4555bea09f174b1323b283f486e0618ab07e0384c6b2b12c/

Verdict:

Malicious

Threat:

Family.LUMMA

Link:

https://tip.neiki.dev/file/c61e7458636c14db4555bea09f174b1323b283f486e0618ab07e0384c6b2b12c

Threat name:

Win32.Trojan.Amadey

Status:

Malicious

First seen:

2025-09-19 06:17:52 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yyphiwddnqknwrkvx2qj6f2lcmr3fa7uq3qgdcvqpybyjrvswewa._file

Verdict:

malicious

Label(s):

admintool_nsudo

admintool_nircmd

unc_loader_051

amadey

Similar samples:

error

Amadey

Result

Malware family:

xworm

Score:

10/10

Tags:

family:donutloader family:lumma family:njrat family:xworm botnet:hacked collection credential_access defense_evasion discovery execution loader persistence rat spyware stealer themida trojan

Link:

https://tria.ge/reports/250919-g1191szq14/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Enumerates system info in registry

Kills process with taskkill

Modifies data under HKEY_USERS

Modifies registry key

Scheduled Task/Job: Scheduled Task

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Browser Information Discovery

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Drops file in Windows directory

Launches sc.exe

Enumerates processes with tasklist

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Adds Run key to start application

Checks installed software on the system

Checks BIOS information in registry

Checks computer location settings

Drops startup file

Executes dropped EXE

Identifies Wine through registry keys

Loads dropped DLL

Reads WinSCP keys stored on the system

Reads user/profile data of web browsers

Themida packer

Creates new service(s)

Downloads MZ/PE file

Sets service image path in registry

Stops running service(s)

Uses browser remote debugging

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Detect Xworm Payload

Detects DonutLoader

Disables service(s)

DonutLoader

Donutloader family

Lumma Stealer, LummaC

Lumma family

Njrat family

Xworm

Xworm family

njRAT/Bladabindi

Malware Config

C2 Extraction:

https://consnbx.su/sawo
https://yunded.com/uwuz
https://sirhirssg.su/xzde
https://prebwle.su/xazd
https://rhussois.su/tatr
https://todoexy.su/xqts
https://acrislegt.su/tazd
https://averiryvx.su/zadr
https://cerasatvf.su/qtpd
178.16.55.70:6000
178.16.55.70:5552

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/96b6b61c-8c60-4e0b-b5e7-11a5ff737a3f

Unpacked files

SH256 hash:

c61e7458636c14db4555bea09f174b1323b283f486e0618ab07e0384c6b2b12c

MD5 hash:

8e00f82eaa1702b6efc6a1f3ff6ddf4f

SHA1 hash:

9a29c737bb5c2e20edff294217bb36789ccb1253

Link:

https://www.unpac.me/results/b498e3ca-ca6a-4e90-b5de-54ef820f49e7/

SH256 hash:

64a7a1c65e21d89d79d65a4bc05c20eac5890be2696a876f2b95aa05635a09e5

MD5 hash:

f1592114fcb4817be04e74f33d5dce4b

SHA1 hash:

e1ea63556e35beef0c6166982be776c83a4ae713

Link:

https://www.unpac.me/results/b498e3ca-ca6a-4e90-b5de-54ef820f49e7/

SH256 hash:

fbbf732e1765baf621fa8d0ffa59993d9ee585969e7787f2cef5044e6edf6b69

MD5 hash:

9b36031ca7bb6f9e262682a6eb88bf56

SHA1 hash:

45263833f3874b7c4941d631c02b51b104029701

Detections:

Amadey

Link:

https://www.unpac.me/results/b498e3ca-ca6a-4e90-b5de-54ef820f49e7/

SH256 hash:

4afdc2a27c0556f95b8f28a8f16f230adf896a5af0f6c4ec05ee54f4215ba8c9

MD5 hash:

6ebfa0a943b7989d4411c73c665aa51b

SHA1 hash:

909797306620fc686069ef8ed46714c2bb6635fd

Link:

https://www.unpac.me/results/b498e3ca-ca6a-4e90-b5de-54ef820f49e7/

SH256 hash:

c39c4466f622b7320076076ea3eb13fa0f784b9b097dff46d802f905fc39d851

MD5 hash:

a7993e5a520b17fec65435fb4838a08f

SHA1 hash:

18fe6286473a03735e7b701d4bfaf61ad35da7ad

Link:

https://www.unpac.me/results/b498e3ca-ca6a-4e90-b5de-54ef820f49e7/

Malware family:

Amadey

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c61e7458636c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c61e7458636c14db4555bea09f174b1323b283f486e0618ab07e0384c6b2b12c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BLOWFISH_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for Blowfish constants

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	Indicator_MiniDumpWriteDump Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	TH_Generic_MassHunt_Win_Malware_2025_CYFARE Create hunting rule
Author:	CYFARE
Description:	Generic Windows malware mass-hunt rule - 2025
Reference:	https://cyfare.net/

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

Rule name:	win_lumma_generic Create hunting rule
Author:	dubfib

Rule name:	with_urls Create hunting rule
Author:	Antonio Sanchez <asanchez@hispasec.com>
Description:	Rule to detect the presence of an or several urls
Reference:	http://laboratorio.blogs.hispasec.com/