MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d65d87ab0447ebd71d228e52749c97bb1e732b8a2f4c31537b08bff29fc27768. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 9

Intelligence 9 IOCs YARA 7 File information Comments

SHA256 hash:	d65d87ab0447ebd71d228e52749c97bb1e732b8a2f4c31537b08bff29fc27768
SHA3-384 hash:	61bb752f1a1203ca9696f79a8c83d484326e956cb2d39e25663f249830756044810d476bcbd564541b847fe929550240
SHA1 hash:	59e419657487ea25c9b595a588e9dda925df7093
MD5 hash:	23651958582a81e31bc320af26c67bc4
humanhash:	table-coffee-sodium-london
File name:	23651958582a81e31bc320af26c67bc4.ps1
Download:	download sample
Signature	Amadey Create hunting rule
File size:	673'661 bytes
First seen:	2025-01-08 07:43:38 UTC
Last seen:	Never
File type:	ps1
MIME type:	text/plain
ssdeep	12288:RY2Hsquh5a/bhCgWqiWHIcWzMkVjkMAkxZ7wyz3Zm2+:GYsqWHV5jkMZUyzE2+
Threatray	39 similar samples on MalwareBazaar
TLSH	T1D8E47C3A8517BEBE3A2E3E8C50083D491C686ED74768D558EFC9A536B2C9280DD7C4F4
Magika	powershell
Reporter	abuse_ch
Tags:	Amadey ps1

Intelligence

File Origin

# of uploads :

# of downloads :

118

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.PowerShell.Obfus-9.UNOFFICIAL

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=677e2df8ffdcee13ec86f3ef

Tags:

virus

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

confuserex net obfuscated

Link:

https://www.filescan.io/uploads/677e2cc20466b81a6b3bac77/reports/e5655b3d-324f-49fc-8df6-867a4a2f2692/overview

Verdict:

Malicious

Labled as:

Trojan[Dropper]/Agent.a

Link:

https://www.hybrid-analysis.com/sample/d65d87ab0447ebd71d228e52749c97bb1e732b8a2f4c31537b08bff29fc27768

Result

Threat name:

Amadey

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1585769

Signature

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to start a terminal service

Found malware configuration

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Suricata IDS alerts for network traffic

Writes to foreign memory regions

Yara detected Amadey

Yara detected Amadeys Clipper DLL

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/d65d87ab0447ebd71d228e52749c97bb1e732b8a2f4c31537b08bff29fc27768

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d65d87ab0447ebd71d228e52749c97bb1e732b8a2f4c31537b08bff29fc27768/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2zoypkyei7v5ohjcrzjhjhexxmphgk4kf5gdcu33bc77fh6co5ua._file

Verdict:

malicious

Label(s):

amadey

Amadey

32e6d8538c6b1d47942918cef259a80e70f06feb0145d6e41d44ec5917435391

Amadey

49e58e5dd3be1cb7249207a329c465ae65fa3099148b4e4e279afd88bc4b1fe0

Amadey

8f95965e8d6680f8fdba38f4cbf7c274e36757b17713256ea3a32d96e99e90dd

Amadey

c847c70bdc3eecede3b89f4d7c88ad538271ea92fcfc3e6bb2ea6e22b83d4d61

Amadey

d2886d86ef67a3550a4aadcf623aa785fddcd3af754b3035229647f186005b1c

Amadey

d65d87ab0447ebd71d228e52749c97bb1e732b8a2f4c31537b08bff29fc27768

Amadey

error

Amadey

+ 29 additional samples on MalwareBazaar

Result

Malware family:

amadey

Score:

10/10

Tags:

family:amadey botnet:03013e discovery execution trojan

Link:

https://tria.ge/reports/250108-jktaksspem/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Command and Scripting Interpreter: PowerShell

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Amadey

Amadey family

Malware Config

C2 Extraction:

http://185.11.61.104

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

ps1 d65d87ab0447ebd71d228e52749c97bb1e732b8a2f4c31537b08bff29fc27768

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3351842/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample