MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d63d9b292f2a11e577611047c46a6acb5e40fec59335af409a91dd927366a065. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Amadey


Vendor detections: 17



SHA256 hash: d63d9b292f2a11e577611047c46a6acb5e40fec59335af409a91dd927366a065
SHA3-384 hash: 26b76b7c36ed149caef07287e46ce7601dc01075f02c11595069889effd556199b82b78760f76219be08da9af578ff70
SHA1 hash: b48a5a4d6c4ecd84eee89b4e100d45d508e26c6b
MD5 hash: 45c3800db283a6ff1c492014f18e8a86
humanhash: oscar-foxtrot-juliet-mountain
File name: random.exe
Signature: Amadey
File size: 2'992'640 bytes
First seen: 2025-06-01 17:50:40 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep: 49152:+fNnoQJKGLRbYVVJW4mPxn4UmuxpQgQ7GVeDLUnXBp/sK6L:+fpnoGLRbYVziP93muxlQyVefuX/16
Threatray: 1 similar samples on MalwareBazaar
TLSH: T165D54AA2650972CFD48E17785827CD86A99F43F547244EC3AD2CB4BA7EA3CC112F5C29
TrID: 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
      20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      9.1% (.EXE) OS/2 Executable (generic) (2029/13)
      9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika: pebin
Reporter: abuse_ch
Tags: Amadey exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 424
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID: 1
File name: random.exe
Verdict: Malicious activity
Analysis date: 2025-06-01 18:19:42 UTC
Tags: amadey botnet stealer rdp themida

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 92.5%
Tags: shellcode autorun trojan hype
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Searching for analyzing tools
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: crypt microsoft_visual_cc packed packed packer_detected
Result
Threat name: Amadey, LummaC Stealer
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Contains functionality to start a terminal service
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected LummaC Stealer
Behaviour
Behavior Graph (ID: 1703495; Sample: random.exe; Startdate: 01/06/2025; Architecture: WINDOWS; Score: 100):

Root (sample)
  Contacts: witchdbhy.run; stockyslam.top; 9 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for dropped file; 11 other signatures
  Starts: random.exe; dcc8b6ddfb.exe; dcc8b6ddfb.exe; 8 other processes

random.exe
  Dropped: C:\Users\user\AppData\Local\...\ramez.exe (PE32); C:\Users\user\...\ramez.exe:Zone.Identifier (ASCII)
  Signatures: Detected unpacking (changes PE section rights); Contains functionality to start a terminal service; Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); 2 other signatures
  Starts: ramez.exe
    ramez.exe
      Contacts: 185.156.72.96 (ports 49681, 49682, 49683; ITDELUXE-ASRU, Russian Federation); 185.156.72.2 (ports 49714, 49766, 49819; ITDELUXE-ASRU, Russian Federation)
      Dropped: C:\Users\user\AppData\...\dcc8b6ddfb.exe (PE32); C:\Users\user\AppData\Local\...\random[1].exe (PE32)
      Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 3 other signatures
      Starts: dcc8b6ddfb.exe
        dcc8b6ddfb.exe
          Contacts: 3 other IPs or domains
          Dropped: C:\Users\user\...\RCANXWCJ6NNCD2ROSHG8.exe (PE32)
          Signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 6 other signatures
          Starts: RCANXWCJ6NNCD2ROSHG8.exe
            RCANXWCJ6NNCD2ROSHG8.exe
              Signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Contains functionality to start a terminal service; 4 other signatures

dcc8b6ddfb.exe (first instance)
  Signatures: Query firmware table information (likely to detect VMs); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); Tries to steal from password manager
  Starts: L4Z15ZGU3CFWDGTJ8E.exe; chrome.exe; chrome.exe; 2 other processes
    L4Z15ZGU3CFWDGTJ8E.exe
      Signatures: Tries to detect sandboxes / dynamic malware analysis system (registry check); Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
    chrome.exe -> chrome.exe
      Contacts: 142.251.186.106 (ports 443, 49810, 49811; GOOGLEUS, United States)
    chrome.exe -> chrome.exe
      Contacts: 142.250.113.106 (ports 443, 49828, 49829; GOOGLEUS, United States)

dcc8b6ddfb.exe (second instance)
  Signatures: Tries to steal Crypto Currency Wallets; Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check)
  Starts: SWWHV1GP3YDCNUX2.exe; chrome.exe; chrome.exe; 2 other processes
    SWWHV1GP3YDCNUX2.exe
      Signatures: Tries to evade debugger and weak emulator (self modifying code); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Hides threads from debuggers
    chrome.exe
      Contacts: 192.168.2.10 (ports 443, 49681, 49682; unknown)
      Starts: chrome.exe
        chrome.exe
          Contacts: www.google.com 142.251.116.99 (ports 443, 49731, 49732; GOOGLEUS, United States)
    chrome.exe -> chrome.exe
      Contacts: 142.251.116.147 (ports 443, 49770, 49771; GOOGLEUS, United States); ogads-pa.clients6.google.com 142.251.116.95 (ports 443, 49781, 49782; GOOGLEUS, United States); 2 other IPs or domains

8 other processes
  Signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Threat name: Win32.Trojan.LummaStealer
Status: Malicious
First seen: 2025-06-01 10:00:53 UTC
File Type: PE (Exe)
Extracted files: 2
AV detection: 22 of 24 (91.67%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:amadey family:lumma family:pentagonstealer family:quasar botnet:8d33eb credential_access defense_evasion discovery execution spyware stealer trojan
Behaviour
Enumerates system info in registry
Kills process with taskkill
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Blocklisted process makes network request
Downloads MZ/PE file
Uses browser remote debugging
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
Lumma Stealer, LummaC
Lumma family
Pentagon Stealer
Pentagonstealer family
Quasar RAT
Quasar family
Quasar payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
http://185.156.72.96
https://citellcagt.top/gjtu
https://narrathfpt.top/tekq
https://escczlv.top/bufi
https://localixbiw.top/zlpa
https://korxddl.top/qidz
https://harumseeiw.top/tqmn
https://diecam.top/laur/api
https://thundeqqbw.bet/aznd
https://stealer.cy
Unpacked files
SHA256 hash: d63d9b292f2a11e577611047c46a6acb5e40fec59335af409a91dd927366a065
MD5 hash: 45c3800db283a6ff1c492014f18e8a86
SHA1 hash: b48a5a4d6c4ecd84eee89b4e100d45d508e26c6b
SHA256 hash: 0cfc2d14a1fbeeb2cc2addb2b9705e9e3a604e1de72a25a1de5a2f6fcfc7cecb
MD5 hash: 492be18e79e9a893f76567a09e7906e2
SHA1 hash: cd12b4574a14bf7d70bb715e9fa4d759554bace7
Detections: Amadey
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: pe_detect_tls_callbacks

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Amadey
Executable exe d63d9b292f2a11e577611047c46a6acb5e40fec59335af409a91dd927366a065 (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                        | Title                                                   | Severity
CHECK_AUTHENTICODE        | Missing Authenticode                                    | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA)  | high
CHECK_NX                  | Missing Non-Executable Memory Protection                | critical

Comments