MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb9bd04a140f01165856fc726e03801c3d757a63bfda2b8b4638d2bfb726d089. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 18


Intelligence 18 IOCs 3 YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cb9bd04a140f01165856fc726e03801c3d757a63bfda2b8b4638d2bfb726d089
SHA3-384 hash: b7aa56cfec5c5a5476f921067b143528ddee85881bf71581e8077a944bd4aa168048bcb60880f9984a333b259b02282e
SHA1 hash: 079fc6e2011066f19c8dc1eec485415d7904d65b
MD5 hash: 69976693698f8baa72cd9833cc56b5d0
humanhash: single-kilo-mountain-tennessee
File name:1.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:1'609'728 bytes
First seen:2025-08-31 19:05:26 UTC
Last seen:2025-09-03 12:09:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6209bbfe3114af4a5214392d486d765f (5 x LummaStealer, 1 x Amadey, 1 x Rhadamanthys)
ssdeep 24576:epzw7OzJyp7giHQR/hN/oEGSE8c1aZHo+aowaEoV8dTI9OiXK9CcmRXWZIyjUh:epzwS8hbHQTN/oEG5Bo39HKYcUJ
Threatray 8 similar samples on MalwareBazaar
TLSH T13475F11DE97590D6ECD345B17B5A8111B8227D77CF286AEB42E48B603506EFC0A3F326
TrID 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
http://77.90.153.62/cvdfnaFJBmC0/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://77.90.153.62/cvdfnaFJBmC0/index.php https://threatfox.abuse.ch/ioc/1578835/
http://178.16.53.7/cvdfnaFJBmC1/index.php https://threatfox.abuse.ch/ioc/1578836/
http://176.46.152.47/cvdfnaFJBmC2/index.php https://threatfox.abuse.ch/ioc/1578837/

Intelligence

File Origin
# of uploads :
5
# of downloads :
112
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
edb252f00c97b854dc25794bf760f78619dcb6e752df451b364892bd3255149e.exe
Verdict:
Malicious activity
Analysis date:
2025-08-31 13:32:26 UTC
Tags:
python auto-sch stealer arch-doc clipper diamotrix loader stealc
Link:
https://app.any.run/tasks/0bdead83-12ae-4c19-a16b-43dee523c2a2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Stealc
Create hunting rule
Link:
https://www.capesandbox.com/analysis/24393/
Detection(s):
SecuriteInfo.com.Trojan.Inject6.869.10354.5076.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68b49d0a3e988eb6ab834fc9
Tags:
ransomware emotet trojan extens
Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Restart of the analyzed sample
Сreating synchronization primitives
Sending an HTTP POST request to an infection source
Connection attempt to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
fingerprint microsoft_visual_cc packed
Link:
https://www.filescan.io/uploads/68b49d002eee5ca64cacac81/reports/feb7cf1e-075d-40c0-a5f5-b2d44d8d7e2c/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/cb9bd04a140f01165856fc726e03801c3d757a63bfda2b8b4638d2bfb726d089
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-08-31T08:35:00Z UTC
Last seen:
2025-08-31T08:35:00Z UTC
Hits:
~100
Detections:
VHO:Trojan.Win32.Injuke.gen Trojan-PSW.Win32.Lumma.vjp Trojan-PSW.Lumma.HTTP.C&C Trojan.Agent.TCP.C&C PDM:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/cb9bd04a140f01165856fc726e03801c3d757a63bfda2b8b4638d2bfb726d089/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/02fa4ee8-a818-4da9-bad1-024b3df86fed
Result
Threat name:
Diamotrix Clipper, LummaC Stealer, Steal
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1768522
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Changes memory attributes in foreign processes to executable or writable
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Contains functionality to start a terminal service
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Drops PE files to the document folder of the user
Early bird code injection technique detected
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sample uses string decryption to hide its real strings
Sets debug register (to hijack the execution of another thread)
Sigma detected: Silenttrinity Stager Msbuild Activity
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Writes to foreign memory regions
Yara detected Diamotrix Clipper
Yara detected LummaC Stealer
Yara detected Stealc v2
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1768522 Sample: 1.exe Startdate: 31/08/2025 Architecture: WINDOWS Score: 100 180 despofe.top 2->180 182 t.me 2->182 214 Suricata IDS alerts for network traffic 2->214 216 Found malware configuration 2->216 218 Malicious sample detected (through community Yara rule) 2->218 220 10 other signatures 2->220 14 1.exe 2->14         started        signatures3 process4 signatures5 270 Hijacks the control flow in another process 14->270 272 Contains functionality to inject code into remote processes 14->272 274 Sets debug register (to hijack the execution of another thread) 14->274 276 2 other signatures 14->276 17 1.exe 28 14->17         started        process6 dnsIp7 176 176.46.152.46, 49717, 49723, 80 ESTPAKEE Iran (ISLAMIC Republic Of) 17->176 178 178.16.53.7, 49724, 49725, 49726 DUSNET-ASDE Germany 17->178 118 C:\Users\user\AppData\...\wibjb06kqCzL.exe, PE32+ 17->118 dropped 120 C:\Users\user\AppData\...\bySmhRw7Iu85.exe, PE32+ 17->120 dropped 122 C:\Users\user\AppData\...\WOvKNjI5Mvv0.exe, PE32+ 17->122 dropped 124 3 other malicious files 17->124 dropped 222 Early bird code injection technique detected 17->222 224 Found many strings related to Crypto-Wallets (likely being stolen) 17->224 226 Writes to foreign memory regions 17->226 228 4 other signatures 17->228 22 WOvKNjI5Mvv0.exe 1 17->22         started        26 wibjb06kqCzL.exe 52 17->26         started        28 bySmhRw7Iu85.exe 1 8 17->28         started        30 3 other processes 17->30 file8 signatures9 process10 file11 126 C:\Users\user\Documents\WOvKNjI5Mvv0.exe, PE32+ 22->126 dropped 230 Drops PE files to the document folder of the user 22->230 232 Contains functionality to start a terminal service 22->232 234 Writes to foreign memory regions 22->234 242 2 other signatures 22->242 32 CredentialUIBroker.exe 22->32         started        37 cmd.exe 22->37         started        128 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 26->128 dropped 130 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32+ 26->130 dropped 132 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 26->132 dropped 136 47 other malicious files 26->136 dropped 39 wibjb06kqCzL.exe 26->39         started        134 C:\Users\user\AppData\Roaming\...\System.exe, PE32+ 28->134 dropped 236 Changes memory attributes in foreign processes to executable or writable 28->236 238 Creates multiple autostart registry keys 28->238 240 Contains functionality to inject threads in other processes 28->240 244 2 other signatures 28->244 41 explorer.exe 68 2 28->41 injected signatures12 process13 dnsIp14 172 77.90.153.62, 49730, 49734, 49736 RAPIDNET-DEHaunstetterStr19DE Germany 32->172 174 176.46.152.47, 49729, 49732, 49735 ESTPAKEE Iran (ISLAMIC Republic Of) 32->174 110 C:\Users\user\AppData\Local\Temp\...\8.exe, PE32+ 32->110 dropped 112 C:\Users\user\AppData\Local\Temp\...\3.exe, PE32+ 32->112 dropped 114 C:\Users\user\AppData\Local\Temp\...\1.exe, PE32+ 32->114 dropped 116 6 other malicious files 32->116 dropped 212 Contains functionality to start a terminal service 32->212 43 8.exe 32->43         started        46 zx.exe 32->46         started        49 dd.exe 32->49         started        59 3 other processes 32->59 61 2 other processes 37->61 51 System.exe 9 41->51         started        53 System.exe 9 41->53         started        55 WOvKNjI5Mvv0.exe 41->55         started        57 WOvKNjI5Mvv0.exe 41->57         started        file15 signatures16 process17 file18 246 Multi AV Scanner detection for dropped file 43->246 248 Hijacks the control flow in another process 43->248 250 Modifies the context of a thread in another process (thread injection) 43->250 63 8.exe 43->63         started        138 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 46->138 dropped 140 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32+ 46->140 dropped 142 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 46->142 dropped 150 47 other malicious files 46->150 dropped 67 zx.exe 46->67         started        144 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 49->144 dropped 146 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32+ 49->146 dropped 148 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 49->148 dropped 152 47 other malicious files 49->152 dropped 69 dd.exe 49->69         started        252 Changes memory attributes in foreign processes to executable or writable 51->252 254 Injects code into the Windows Explorer (explorer.exe) 51->254 256 Writes to foreign memory regions 51->256 258 Allocates memory in foreign processes 53->258 260 Creates a thread in another existing process (thread injection) 53->260 262 Injects a PE file into a foreign processes 53->262 264 Contains functionality to start a terminal service 55->264 71 CredentialUIBroker.exe 55->71         started        73 CredentialUIBroker.exe 57->73         started        266 Antivirus detection for dropped file 59->266 75 MSBuild.exe 59->75         started        268 Creates multiple autostart registry keys 61->268 signatures19 process20 dnsIp21 164 C:\Users\user\AppData\...\dyk5zSrpVmEn.exe, PE32+ 63->164 dropped 166 C:\Users\user\AppData\Local\...\a[1].exe, PE32+ 63->166 dropped 168 C:\Users\user\AppData\Local\...\3[1].exe, PE32+ 63->168 dropped 170 3 other malicious files 63->170 dropped 194 Early bird code injection technique detected 63->194 196 Found many strings related to Crypto-Wallets (likely being stolen) 63->196 198 Tries to harvest and steal browser information (history, passwords, etc) 63->198 210 4 other signatures 63->210 78 CwIjaDHqxwCg.exe 63->78         started        82 dyk5zSrpVmEn.exe 63->82         started        84 MPHkkl3OIKmF.exe 63->84         started        95 3 other processes 63->95 200 Contains functionality to start a terminal service 71->200 190 despofe.top 31.220.109.219 AS-HOSTINGERLT Lithuania 75->190 192 t.me 149.154.167.99 TELEGRAMRU United Kingdom 75->192 202 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 75->202 204 Query firmware table information (likely to detect VMs) 75->204 206 Tries to harvest and steal ftp login credentials 75->206 208 Tries to steal from password manager 75->208 86 chrome.exe 75->86         started        89 chrome.exe 75->89         started        91 chrome.exe 75->91         started        93 chrome.exe 75->93         started        file22 signatures23 process24 dnsIp25 154 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 78->154 dropped 156 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32+ 78->156 dropped 158 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 78->158 dropped 162 47 other malicious files 78->162 dropped 278 Multi AV Scanner detection for dropped file 78->278 97 CwIjaDHqxwCg.exe 78->97         started        280 Changes memory attributes in foreign processes to executable or writable 82->280 282 Injects code into the Windows Explorer (explorer.exe) 82->282 284 Writes to foreign memory regions 82->284 286 Creates a thread in another existing process (thread injection) 82->286 160 C:\Users\user\Documents\MPHkkl3OIKmF.exe, PE32+ 84->160 dropped 288 Drops PE files to the document folder of the user 84->288 290 Allocates memory in foreign processes 84->290 292 Injects a PE file into a foreign processes 84->292 99 cmd.exe 84->99         started        101 CredentialUIBroker.exe 84->101         started        184 192.168.2.4, 443, 49709, 49711 unknown unknown 86->184 103 chrome.exe 86->103         started        106 chrome.exe 89->106         started        file26 signatures27 process28 dnsIp29 108 conhost.exe 99->108         started        186 142.251.32.100 GOOGLEUS United States 103->186 188 www.google.com 142.250.81.228 GOOGLEUS United States 106->188 process30
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cb9bd04a140f01165856fc726e03801c3d757a63bfda2b8b4638d2bfb726d089
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/69976693698f8baa72cd9833cc56b5d0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cb9bd04a140f01165856fc726e03801c3d757a63bfda2b8b4638d2bfb726d089/
Verdict:
Malicious
Threat:
Family.STEALC
Link:
https://tip.neiki.dev/file/cb9bd04a140f01165856fc726e03801c3d757a63bfda2b8b4638d2bfb726d089
Threat name:
Win64.Trojan.Lazy
Create hunting rule
Status:
Malicious
First seen:
2025-08-31 15:17:12 UTC
File Type:
PE+ (Exe)
AV detection:
27 of 36 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zon5asqub4armwcw7rzg4a4adq6xk6tdx7ncxc2ghdjl7nzg2ceq._file
Verdict:
malicious
Label(s):
stealc
Create hunting rule
Similar samples:
1a6d1c3ff8846c8521a54fa79dc692e4934ff43edea3787fec746d0f4499917f
Amadey
9dd11cef91d0ff03900e69e0c2a9bec6ea80233fea7c98a8abef3287d35cea11
Amadey
a7231e0f159c28eaeff3a98557c7cd605a504e8fc399253c5dd9f3d8f4148b23
Amadey
b2c3c6e352faa8e7357f6da60e03a4d94421b33802c84445a8c72c8b7cd6b378
Amadey
b75d16f3d805baf49792f7f39c7e4dbd27e2bf134b4519922a23a1bfb0afc092
Amadey
error
Amadey
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:lumma family:stealc botnet:30x08x2025 botnet:e3db0b discovery persistence pyinstaller spyware stealer trojan
Link:
https://tria.ge/reports/250831-xrt3caar4t/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Detects Pyinstaller
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Amadey
Amadey family
Lumma Stealer, LummaC
Lumma family
Stealc
Stealc family
Malware Config
C2 Extraction:
http://176.46.152.46
http://176.46.152.47
http://178.16.53.7
http://77.90.153.62
https://t.me/quincyplayer6
https://solacdf.top/xiot
https://mastwin.in/qsaz
https://noggs.ru/yopd
https://georgej.ru/plnb
https://oneflof.ru/tids
https://epitherd.ru/zadw
https://backab.ru/lkdo
https://eigwos.ru/wqex
https://kimmenkiz.ru/zldw
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d19d08f7-c25d-4bd8-b1d1-c2e32a131b03
Unpacked files
SH256 hash:
cb9bd04a140f01165856fc726e03801c3d757a63bfda2b8b4638d2bfb726d089
MD5 hash:
69976693698f8baa72cd9833cc56b5d0
SHA1 hash:
079fc6e2011066f19c8dc1eec485415d7904d65b
Link:
https://www.unpac.me/results/c0ab777d-0196-4496-8a0e-00581983f4a6/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cb9bd04a140f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cb9bd04a140f01165856fc726e03801c3d757a63bfda2b8b4638d2bfb726d089

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:aachum_Stealcv2
Create hunting rule
Author:aachum
Description:Detects new version of Stealc.
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Heuristics_ChromeABE
Create hunting rule
Author:Still
Description:attempts to match instructions related to Chrome App-bound Encryption elevation service; possibly spotted amongst infostealers
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:StealcV2
Create hunting rule
Author:Still
Description:attempts to match the instructions found in StealcV2
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe cb9bd04a140f01165856fc726e03801c3d757a63bfda2b8b4638d2bfb726d089

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/24393/
  
URLhaus
https://urlhaus.abuse.ch/url/3593673/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3590322/
  
URLhaus
https://urlhaus.abuse.ch/url/3615074/

Comments