MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca51ced33b27e131a1c8cf55138dbbf6254d007a406e9f0e22d0b754e46fb37d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 18


Intelligence 18 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ca51ced33b27e131a1c8cf55138dbbf6254d007a406e9f0e22d0b754e46fb37d
SHA3-384 hash: d938fd7544adfab0f90f21e097112a69d5a63fded8f7791d3166c44a3134db75e3d37023d7eac9558be3d34949849093
SHA1 hash: 95696eb7c122e2925dfa50de5d5759949b19116f
MD5 hash: 57d5e76b55203b251b8ff7b2a718daf8
humanhash: florida-cardinal-pasta-glucose
File name:57d5e76b55203b251b8ff7b2a718daf8.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:4'942'848 bytes
First seen:2025-05-03 07:05:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 98304:e3KNYx7s7GeVF/hw7yctrDMwQxjTs6yg9BJ+K37BObIFLvgKvrShyCujD:e3jx7Be7avrDMwQxtB4uBObIWjhv+
Threatray 15 similar samples on MalwareBazaar
TLSH T1EA36332F7BED8121F47F87B004F7218317B07896EBA9935726A37D5B04B2304E662792
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10522/11/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:Amadey exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
406
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
57d5e76b55203b251b8ff7b2a718daf8.exe
Verdict:
Malicious activity
Analysis date:
2025-05-03 07:10:40 UTC
Tags:
lumma stealer amadey botnet loader auto-reg lockbit3 ransomware auto-sch credentialflusher rdp putty rmm-tool telegram phishing arch-scr gcleaner auto generic pastebin
Link:
https://app.any.run/tasks/1abde285-bdcd-40c2-9a01-f0401a79af06

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

Win.Downloader.Amadey-9986882-0
Create hunting rule

Win.Downloader.Amadey-9986883-0
Create hunting rule

Win.Downloader.Amadey-9987078-0
Create hunting rule

Win.Downloader.Amadey-9987097-0
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6815c15a4355f44aee68e741
Tags:
phishing autorun emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Сreating synchronization primitives
Creating a file
Creating a window
Searching for the window
Searching for synchronization primitives
Running batch commands
Launching a process
Launching a service
Connection attempt
Sending an HTTP POST request
Searching for analyzing tools
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context CAB explorer installer lolbin microsoft_visual_cc packed packed packer_detected rundll32 runonce sfx
Link:
https://www.filescan.io/uploads/6815c05fb880b22541a9c21e/reports/d5e83539-1b1e-4a90-a45c-32c7c84a09e2/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/ca51ced33b27e131a1c8cf55138dbbf6254d007a406e9f0e22d0b754e46fb37d
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3bc94a02-ee7f-4b76-954e-102aa2db2435
Result
Threat name:
Amadey, LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1680457
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Detected unpacking (changes PE section rights)
Drops password protected ZIP file
Found malware configuration
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: PUA - NSudo Execution
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Uses cmd line tools excessively to alter registry or file data
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1680457 Sample: RgZINPoP1G.exe Startdate: 03/05/2025 Architecture: WINDOWS Score: 100 76 vecturar.top 2->76 90 Suricata IDS alerts for network traffic 2->90 92 Found malware configuration 2->92 94 Antivirus detection for URL or domain 2->94 96 14 other signatures 2->96 12 RgZINPoP1G.exe 1 4 2->12         started        15 ramez.exe 2->15         started        19 svchost.exe 2->19         started        21 6 other processes 2->21 signatures3 process4 dnsIp5 62 C:\Users\user\AppData\Local\...\c2z71.exe, PE32 12->62 dropped 64 C:\Users\user\AppData\Local\...\3p22A.exe, PE32 12->64 dropped 23 c2z71.exe 1 4 12->23         started        27 3p22A.exe 1 12->27         started        82 185.156.72.96, 80 ITDELUXE-ASRU Russian Federation 15->82 86 Contains functionality to start a terminal service 15->86 88 Changes security center settings (notifications, updates, antivirus, firewall) 19->88 84 127.0.0.1 unknown unknown 21->84 file6 signatures7 process8 dnsIp9 56 C:\Users\user\AppData\Local\...\2N8059.exe, PE32 23->56 dropped 58 C:\Users\user\AppData\Local\...\1W41G2.exe, PE32 23->58 dropped 104 Antivirus detection for dropped file 23->104 30 1W41G2.exe 1 16 23->30         started        34 2N8059.exe 4 23->34         started        78 80.64.18.219, 49732, 80 RU-TAGNET-ASRU Russian Federation 27->78 80 vecturar.top 104.21.62.226, 443, 49716, 49724 CLOUDFLARENETUS United States 27->80 60 C:\...\RRO07E9UTF0EZ3OLDCB7TCKH0MOCVF2.exe, PE32 27->60 dropped 106 Detected unpacking (changes PE section rights) 27->106 108 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 27->108 110 Query firmware table information (likely to detect VMs) 27->110 112 11 other signatures 27->112 file10 signatures11 process12 file13 66 C:\Users\user\AppData\Local\...\nircmd.exe, PE32+ 30->66 dropped 68 C:\Users\user\AppData\Local\...\cecho.exe, PE32 30->68 dropped 70 C:\Users\user\AppData\Local\...70SudoLG.exe, PE32+ 30->70 dropped 74 2 other malicious files 30->74 dropped 116 Antivirus detection for dropped file 30->116 118 Multi AV Scanner detection for dropped file 30->118 120 Detected unpacking (changes PE section rights) 30->120 122 Contains functionality to detect sleep reduction / modifications 30->122 36 cmd.exe 1 30->36         started        72 C:\Users\user\AppData\Local\...\ramez.exe, PE32 34->72 dropped 124 Contains functionality to start a terminal service 34->124 126 Contains functionality to inject code into remote processes 34->126 39 ramez.exe 34->39         started        signatures14 process15 signatures16 98 Uses cmd line tools excessively to alter registry or file data 36->98 41 cmd.exe 1 36->41         started        44 conhost.exe 36->44         started        100 Multi AV Scanner detection for dropped file 39->100 102 Contains functionality to start a terminal service 39->102 process17 signatures18 114 Uses cmd line tools excessively to alter registry or file data 41->114 46 cmd.exe 41->46         started        48 conhost.exe 41->48         started        50 NSudoLG.exe 41->50         started        52 23 other processes 41->52 process19 process20 54 tasklist.exe 46->54         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ca51ced33b27e131a1c8cf55138dbbf6254d007a406e9f0e22d0b754e46fb37d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ca51ced33b27e131a1c8cf55138dbbf6254d007a406e9f0e22d0b754e46fb37d/
Threat name:
Win32.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-05-03 07:06:10 UTC
File Type:
PE (Exe)
Extracted files:
129
AV detection:
22 of 24 (91.67%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zji45uz3e7qtdioiz5krhdn36ysu2ad2ibxj6drc2c3vjzdpwn6q._file
Verdict:
malicious
Label(s):
amadey
Create hunting rule
lummastealer
Create hunting rule
Similar samples:
16df3e9b71970d96a72495b3a51e4430fb3cae6943bc4097a8debb8efa28e081
Amadey
4b25e03ff9a76fe9f6598496d0ddb075b6c6325831c8c9cce3181490226ec16d
Amadey
7125136dde681c46704e7747e4611a956d49f3d5b2cc2af13a21dc42851f5a8c
Amadey
abc0064210d2fd9b3d2bcd93eb84413ebbe627e12cccd2cc97729fa8521983e2
Amadey
d64e9fa0413e7c5c528a80b5f1c6e59959c69637a16d44f5fc9e359c7400c8c2
Amadey
error
Amadey
+ 5 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:asyncrat family:healer family:lockbit family:lumma family:quasar botnet:8d33eb botnet:default botnet:edge credential_access defense_evasion discovery dropper execution persistence ransomware rat spyware stealer themida trojan
Link:
https://tria.ge/reports/250503-hw5bjsztfv/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies registry key
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Launches sc.exe
AutoIT Executable
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Indicator Removal: File Deletion
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Themida packer
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
Uses browser remote debugging
Async RAT payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
AsyncRat
Asyncrat family
Detects Healer an antivirus disabler dropper
Healer
Healer family
Lockbit
Lockbit family
Lumma Stealer, LummaC
Lumma family
Quasar RAT
Quasar family
Quasar payload
Rule to detect Lockbit 3.0 ransomware Windows payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
http://185.156.72.96
https://brandihx.run/lowp
https://xbrandihx.run/lowp
https://viriatoe.live/laopx
https://exitiumt.digital/xane
https://4lopusculy.top/keaj
https://civitasu.run/werrp
https://scriptao.digital/vpep
https://7praetori.live/vepr
https://disciplipna.top/eqwu
https://vecturar.top/zsia
https://opusculy.top/keaj
https://praetori.live/vepr
https://rdisciplipna.top/eqwu
https://orjinalecza.net/lxaz
https://eczakozmetik.net/qop
https://orijinalecza.org/jub
https://tortoisgfe.top/paxk
https://eczamedikal.org/vax
https://orijinalecza.net/kazd
https://medicalbitkisel.net/juj
https://snakejh.top/adsk
94.26.90.81:4441
94.26.90.81:5437
Dropper Extraction:
http://80.64.18.219/testmine/random.exe
Verdict:
Malicious
Tags:
stealer redline Win.Downloader.Amadey-9986882-0
YARA:
win_redline_wextract_hunting_oct_2023
Link:
https://app.threat.zone/submission/bbe14a8c-19cd-47c6-bc33-44442c370339
Unpacked files
SH256 hash:
ca51ced33b27e131a1c8cf55138dbbf6254d007a406e9f0e22d0b754e46fb37d
MD5 hash:
57d5e76b55203b251b8ff7b2a718daf8
SHA1 hash:
95696eb7c122e2925dfa50de5d5759949b19116f
Link:
https://www.unpac.me/results/32ece612-5011-49c3-93a2-7503579a7fd3/
SH256 hash:
e12f448068deb32dbb0c69ba880c1323cca1fc53c5d502e550b0837db66b692d
MD5 hash:
4b47db019b1c382fdc3cf47ea6912fd7
SHA1 hash:
c352ba066383b94b76276b94cae91e3320993263
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/32ece612-5011-49c3-93a2-7503579a7fd3/
SH256 hash:
9fcda127014e91f9fa8f8c22acb0dca80b9890e1878e62da3c9d69683dc8edeb
MD5 hash:
98029bce662d6290d11d328eea39b8d6
SHA1 hash:
f91eb6e27346487b45eaadb10001e3629330dd4a
Link:
https://www.unpac.me/results/32ece612-5011-49c3-93a2-7503579a7fd3/
SH256 hash:
d6952dd9ec64ec09d8a9879dff1eedcc640d3874793187ef88de8ac07221d6ab
MD5 hash:
0f30675f769cec877d8613b63f8f41e2
SHA1 hash:
aaa14037b7d51cc80bc6a1566b702f6139d375ba
Link:
https://www.unpac.me/results/32ece612-5011-49c3-93a2-7503579a7fd3/
SH256 hash:
be6f007761cdcd8e168140f07d3571e393e5dc2fc64f916a1f7a1670fe6e6768
MD5 hash:
0106edb3152dfecc3be2038fee864962
SHA1 hash:
2579ddec3aa97adf8ee9ee162a2f1d5d7829e04e
Link:
https://www.unpac.me/results/32ece612-5011-49c3-93a2-7503579a7fd3/
SH256 hash:
cf878bfbd9ed93dc551ac038aff8a8bba4c935ddf8d48e62122bddfdb3e08567
MD5 hash:
426ccb645e50a3143811cfa0e42e2ba6
SHA1 hash:
3c17e212a5fdf25847bc895460f55819bf48b11d
Link:
https://www.unpac.me/results/32ece612-5011-49c3-93a2-7503579a7fd3/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ca51ced33b27/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ca51ced33b27e131a1c8cf55138dbbf6254d007a406e9f0e22d0b754e46fb37d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe ca51ced33b27e131a1c8cf55138dbbf6254d007a406e9f0e22d0b754e46fb37d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3533504/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::EqualSid
ADVAPI32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetDriveTypeA
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetSystemInfo
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::GetWindowsDirectoryA
KERNEL32.dll::GetSystemDirectoryA
KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryInfoKeyA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageA

Comments