MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce75f9dede6d4e93549d35b816898113b6befab9ef0aadf8949d4887c2c34bea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 18


Intelligence 18 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ce75f9dede6d4e93549d35b816898113b6befab9ef0aadf8949d4887c2c34bea
SHA3-384 hash: 90e715e5aef55875800a8f2aa85daea5bee26d6aab2dd463bdae055071a865980311c8a40b57e275c1deeb02d9e267fe
SHA1 hash: fe75fe678a6e9b6edcffb197d584032700de2b77
MD5 hash: f6c20a18afeac04964a6ccad6be59731
humanhash: west-floor-xray-iowa
File name:SecuriteInfo.com.Trojan.MulDrop31.10006.25251.21183
Download: download sample
Signature Amadey
Create hunting rule
File size:425'472 bytes
First seen:2025-04-23 11:37:00 UTC
Last seen:2025-04-23 12:52:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1e7280afbf80c2800b272220ce0718da (37 x Amadey, 2 x RedLineStealer, 1 x CredentialFlusher)
ssdeep 6144:5iUuGdolfFd313lcnGpPpnbJoHtbspmZfkCw3uWgGUS/T+WiU+9GTA/nw4AOS2j9:5iUuGdolfFd1lGkpbCVkCweWgB7L9j
Threatray 140 similar samples on MalwareBazaar
TLSH T19B945C217813D032D66291721F79FFF585ADA8259B7109DB7BC00F769A202E27A31F39
TrID 32.2% (.EXE) Win64 Executable (generic) (10522/11/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4504/4/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter SecuriteInfoCom
Tags:Amadey exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
464
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
a6fded84e3b5a831874aa2379c4cfac4.exe
Verdict:
Malicious activity
Analysis date:
2025-04-23 11:33:27 UTC
Tags:
lumma stealer loader amadey botnet fileshare telegram
Link:
https://app.any.run/tasks/d959e2af-1520-400f-9612-466b55d49d8d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/3659/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop31.10006.25251.21183.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6808caf53d067f8483985c1f
Tags:
enigmaprotector vmdetect autorun emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt
Sending an HTTP POST request
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
amadey amadey fingerprint lolbin microsoft_visual_cc netsh wmic
Link:
https://www.filescan.io/uploads/6808d0f11c0e4b306dfecc56/reports/f5649e53-a74b-4f76-a745-2a545b413a0c/overview
Verdict:
Malicious
Labled as:
Doina.Generic
Link:
https://www.hybrid-analysis.com/sample/ce75f9dede6d4e93549d35b816898113b6befab9ef0aadf8949d4887c2c34bea
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/534a0f50-2144-4177-acb5-12d0123017cb
Result
Threat name:
Amadey, LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1671975
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Drops password protected ZIP file
Drops PE files with benign system names
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: PUA - NSudo Execution
Sigma detected: Silenttrinity Stager Msbuild Activity
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1671975 Sample: SecuriteInfo.com.Trojan.Mul... Startdate: 23/04/2025 Architecture: WINDOWS Score: 100 86 pastebin.com 2->86 88 owlflright.digital 2->88 90 25 other IPs or domains 2->90 110 Suricata IDS alerts for network traffic 2->110 112 Found malware configuration 2->112 114 Antivirus detection for URL or domain 2->114 118 17 other signatures 2->118 12 msiexec.exe 2->12         started        16 SecuriteInfo.com.Trojan.MulDrop31.10006.25251.21183.exe 5 2->16         started        18 saved.exe 2->18         started        signatures3 116 Connects to a pastebin service (likely for C&C) 86->116 process4 file5 72 C:\Windows\Installer\MSIB5F6.tmp, PE32 12->72 dropped 74 C:\Windows\Installer\MSIB549.tmp, PE32 12->74 dropped 76 C:\Windows\Installer\MSIB3F1.tmp, PE32 12->76 dropped 82 96 other malicious files 12->82 dropped 144 Drops PE files with benign system names 12->144 78 C:\Users\user\AppData\Local\...\saved.exe, PE32 16->78 dropped 80 C:\Users\user\...\saved.exe:Zone.Identifier, ASCII 16->80 dropped 146 Contains functionality to start a terminal service 16->146 148 Contains functionality to inject code into remote processes 16->148 20 saved.exe 7 55 16->20         started        signatures6 process7 dnsIp8 92 185.39.17.163, 49692, 49693, 49695 RU-TAGNET-ASRU Russian Federation 20->92 94 185.39.17.162, 49694, 49696, 49705 RU-TAGNET-ASRU Russian Federation 20->94 56 C:\Users\user\AppData\...\b1be09143d.exe, PE32 20->56 dropped 58 C:\Users\user\AppData\...\2caee83f50.exe, PE32 20->58 dropped 60 C:\Users\user\AppData\...\a203e619bf.exe, PE32 20->60 dropped 62 18 other malicious files 20->62 dropped 120 Multi AV Scanner detection for dropped file 20->120 122 Contains functionality to start a terminal service 20->122 124 Creates multiple autostart registry keys 20->124 25 21c3cc0e1f.exe 1 16 20->25         started        29 8be84eb771.exe 20->29         started        31 msiexec.exe 20->31         started        file9 signatures10 process11 file12 64 C:\Users\user\AppData\Local\...\nircmd.exe, PE32+ 25->64 dropped 66 C:\Users\user\AppData\Local\...\cecho.exe, PE32 25->66 dropped 68 C:\Users\user\AppData\Local\...68SudoLG.exe, PE32+ 25->68 dropped 70 2 other malicious files 25->70 dropped 128 Antivirus detection for dropped file 25->128 130 Multi AV Scanner detection for dropped file 25->130 132 Detected unpacking (changes PE section rights) 25->132 134 Contains functionality to detect sleep reduction / modifications 25->134 33 cmd.exe 1 25->33         started        136 Writes to foreign memory regions 29->136 138 Allocates memory in foreign processes 29->138 140 Injects a PE file into a foreign processes 29->140 36 MSBuild.exe 29->36         started        signatures13 process14 dnsIp15 100 Uses cmd line tools excessively to alter registry or file data 33->100 39 cmd.exe 1 33->39         started        42 conhost.exe 33->42         started        96 t.me 149.154.167.99, 443, 49698 TELEGRAMRU United Kingdom 36->96 98 meerkaty.digital 172.67.216.186, 443, 49700, 49703 CLOUDFLARENETUS United States 36->98 102 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 36->102 104 Query firmware table information (likely to detect VMs) 36->104 106 Tries to harvest and steal ftp login credentials 36->106 108 3 other signatures 36->108 signatures16 process17 signatures18 126 Uses cmd line tools excessively to alter registry or file data 39->126 44 Unlocker.exe 39->44         started        47 7z.exe 39->47         started        50 cmd.exe 39->50         started        52 31 other processes 39->52 process19 file20 142 Multi AV Scanner detection for dropped file 44->142 84 C:\Users\user\AppData\Local\...\Unlocker.exe, PE32 47->84 dropped 54 tasklist.exe 50->54         started        signatures21 process22
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ce75f9dede6d4e93549d35b816898113b6befab9ef0aadf8949d4887c2c34bea
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ce75f9dede6d4e93549d35b816898113b6befab9ef0aadf8949d4887c2c34bea/
Threat name:
Win32.Trojan.Whispergate
Create hunting rule
Status:
Malicious
First seen:
2025-04-23 11:11:52 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zz27txw6nvhjgve5gw4bncmbco3l56vz54fk36eutveipqwdjpva._file
Verdict:
malicious
Label(s):
admintool_putty
Create hunting rule
amadey
Create hunting rule
Similar samples:
0d7498868db177729da82ff4652d944ab6d4700c7467e8b8a6a2a65b423042a2
Amadey
296497459462840bf9e8874e312088c4a85aae75d460d0d5bcc75a9d582343eb
Amadey
42d37e42110f177ffdfc32bc5655ba5b0b85031c110f5f36d681d336190d34ff
Amadey
46b2de15860d23bb541610209f307d5007f3811b0cdfcf3860f3a7d76ae42d5b
Amadey
8b0b20727462c5f3d5a4ace630d9690528dcefa79407480db3abde2455f700d8
Amadey
cc8607b4d2293f00f6e33b0869459019ba27813ecabb1ea884c23cca9c0f0d61
Amadey
ebe2c37bac602f6d0e7094b863f2f793cba9fa35a0a581d8702f153c2178b9fa
Amadey
error
Amadey
f767fa2879dc1d53e423e63f9d7773611002594c63fcfc0f02cf42bdee5b4731
Amadey
+ 130 additional samples on MalwareBazaar
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey botnet:f272e9 discovery
Link:
https://tria.ge/reports/250423-nrbrbswxfy/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Checks computer location settings
Executes dropped EXE
Malware Config
C2 Extraction:
http://185.39.17.163
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/016cfc19-a217-4be1-bf86-630bcb19defc
Unpacked files
SH256 hash:
ce75f9dede6d4e93549d35b816898113b6befab9ef0aadf8949d4887c2c34bea
MD5 hash:
f6c20a18afeac04964a6ccad6be59731
SHA1 hash:
fe75fe678a6e9b6edcffb197d584032700de2b77
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/6b15c185-f88b-4942-83ad-976bcd18d71e/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ce75f9dede6d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ce75f9dede6d4e93549d35b816898113b6befab9ef0aadf8949d4887c2c34bea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe ce75f9dede6d4e93549d35b816898113b6befab9ef0aadf8949d4887c2c34bea

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3518548/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3517219/
  
URLhaus
https://urlhaus.abuse.ch/url/3522545/
Cape
Cape
https://www.capesandbox.com/analysis/3659/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::GetSidSubAuthorityCount
ADVAPI32.dll::GetSidSubAuthority
ADVAPI32.dll::RevertToSelf
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdiplusStartup
gdiplus.dll::GdiplusShutdown
gdiplus.dll::GdipGetImageEncodersSize
gdiplus.dll::GdipGetImageEncoders
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::DuplicateTokenEx
ADVAPI32.dll::GetSidIdentifierAuthority
ADVAPI32.dll::ImpersonateLoggedOnUser
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteA
SHELL32.dll::SHFileOperationA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::VirtualAllocEx
KERNEL32.dll::WriteProcessMemory
KERNEL32.dll::CloseHandle
WININET.dll::InternetCloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::GetFileAttributesA
KERNEL32.dll::RemoveDirectoryA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::GetUserNameA
ADVAPI32.dll::LookupAccountNameA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegGetValueA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryInfoKeyW
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_SOCK_APIUses Network to send and receive dataWS2_32.dll::freeaddrinfo
WS2_32.dll::getaddrinfo

Comments