MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 daeb66d4ad4a9298585c456eae7024a44d90e3d25d7e5522cf40451884383854. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 20


Intelligence 20 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: daeb66d4ad4a9298585c456eae7024a44d90e3d25d7e5522cf40451884383854
SHA3-384 hash: c0b641a92141361c91bcd9d9c034cc0545ad4984913318d89c94f1b55361ffe7280b879fcd1a3f136a8d64f0fff8f658
SHA1 hash: 112b0ebda1f192e30280d56cc202f26096c87d3c
MD5 hash: e94c97add6e37182d6cbeb1b41e819f1
humanhash: jupiter-kilo-red-alanine
File name:E94C97ADD6E37182D6CBEB1B41E819F1.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:4'955'136 bytes
First seen:2025-08-01 06:50:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 98304:p7xn/HblAg2RcE8pkJPiu/MtMja2Cn0q1ZzTUo/fxl0R0qKUt28aloc:Fxn5ANcsPb/My00q//c7t28uoc
TLSH T1E5363302F7C50062F9A487F40DB10BD316AA79D26F3281F6664B76891DB37E86275F83
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10522/11/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
http://45.141.233.196/ho4lu3dk/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://45.141.233.196/ho4lu3dk/index.php https://threatfox.abuse.ch/ioc/1562884/

Intelligence

File Origin
# of uploads :
1
# of downloads :
129
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
E94C97ADD6E37182D6CBEB1B41E819F1.exe
Verdict:
Malicious activity
Analysis date:
2025-08-01 06:57:03 UTC
Tags:
lumma stealer amadey botnet auto redline loader rdp auto-reg stealc telegram auto-sch auto-startup autoit gcleaner quasar rat evasion
Link:
https://app.any.run/tasks/3e7b34f2-a67d-4c21-a994-13bd19613b9e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Lumma
Create hunting rule
Link:
https://www.capesandbox.com/analysis/18240/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

Win.Packed.Nanocore-9942160-0
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=688c63ecaf3050dc8d33078f
Tags:
vmdetect autorun autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Сreating synchronization primitives
Searching for analyzing tools
DNS request
Behavior that indicates a threat
Connection attempt
Sending a custom TCP request
Creating a window
Searching for the window
Searching for synchronization primitives
Creating a file
Running batch commands
Launching a process
Launching a service
Using the Windows Management Instrumentation requests
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-vm CAB crypt explorer fingerprint installer lolbin microsoft_visual_cc overlay packed rundll32 runonce sfx
Link:
https://www.filescan.io/uploads/688c63e532e610908689d7d2/reports/675cb402-ab0f-406d-b708-f2619abfbbff/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/daeb66d4ad4a9298585c456eae7024a44d90e3d25d7e5522cf40451884383854
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d5f13afb-e183-4ec2-9c71-3922b5ae407c
Result
Threat name:
Amadey, LummaC Stealer, Vidar, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1748235
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to start a terminal service
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Drops password protected ZIP file
Found API chain indicative of sandbox detection
Found malware configuration
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation STDIN+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: PUA - NSudo Execution
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the nircmd tool (NirSoft)
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected LummaC Stealer
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1748235 Sample: AF2lOnNSWC.exe Startdate: 01/08/2025 Architecture: WINDOWS Score: 100 121 royaltbn.xyz 2->121 123 woodenso.top 2->123 125 17 other IPs or domains 2->125 141 Suricata IDS alerts for network traffic 2->141 143 Found malware configuration 2->143 145 Antivirus detection for dropped file 2->145 149 18 other signatures 2->149 12 AF2lOnNSWC.exe 1 4 2->12         started        15 HWQeR8i0.exe 2->15         started        18 rundll32.exe 2->18         started        signatures3 147 Performs DNS queries to domains with low reputation 121->147 process4 file5 115 C:\Users\user\AppData\Local\...\2M2806.exe, PE32 12->115 dropped 117 C:\Users\user\AppData\Local\...\1r86j2.exe, PE32 12->117 dropped 20 2M2806.exe 7 12->20         started        24 1r86j2.exe 12->24         started        189 Binary is likely a compiled AutoIt script file 15->189 27 cmd.exe 15->27         started        29 MRBA8uzS.exe 15->29         started        31 cmd.exe 15->31         started        33 cmd.exe 15->33         started        signatures6 process7 dnsIp8 93 C:\ymB6Vye\HWQeR8i0.exe, PE32 20->93 dropped 95 C:\ymB6Vye\9gxDHG6p.exe, PE32 20->95 dropped 97 C:\ymB6Vye\6fwNGoFw.exe, PE32 20->97 dropped 161 Multi AV Scanner detection for dropped file 20->161 35 cmd.exe 1 20->35         started        127 steamcommunity.com 23.204.10.89, 443, 49717 AKAMAI-ASUS United States 24->127 163 Antivirus detection for dropped file 24->163 165 Detected unpacking (changes PE section rights) 24->165 167 Tries to detect sandboxes and other dynamic analysis tools (window names) 24->167 173 4 other signatures 24->173 169 Suspicious powershell command line found 27->169 38 powershell.exe 27->38         started        40 conhost.exe 27->40         started        171 Contains functionality to start a terminal service 29->171 42 conhost.exe 31->42         started        44 9gxDHG6p.exe 31->44         started        46 conhost.exe 33->46         started        48 schtasks.exe 33->48         started        file9 signatures10 process11 signatures12 151 Suspicious powershell command line found 35->151 153 Uses cmd line tools excessively to alter registry or file data 35->153 155 Bypasses PowerShell execution policy 35->155 159 2 other signatures 35->159 50 HWQeR8i0.exe 35->50         started        53 6fwNGoFw.exe 15 35->53         started        56 conhost.exe 35->56         started        157 Loading BitLocker PowerShell Module 38->157 process13 file14 135 Binary is likely a compiled AutoIt script file 50->135 137 Found API chain indicative of sandbox detection 50->137 58 MRBA8uzS.exe 2 49 50->58         started        63 cmd.exe 50->63         started        65 cmd.exe 1 50->65         started        67 cmd.exe 50->67         started        99 C:\Users\user\AppData\Local\...\nircmd.exe, PE32+ 53->99 dropped 101 C:\Users\user\AppData\Local\...\cecho.exe, PE32 53->101 dropped 103 C:\Users\user\AppData\Local\...103SudoLG.exe, PE32+ 53->103 dropped 105 2 other malicious files 53->105 dropped 139 Multi AV Scanner detection for dropped file 53->139 69 cmd.exe 1 53->69         started        signatures15 process16 dnsIp17 129 94.154.35.25, 49720, 49723, 49726 SELECTELRU Ukraine 58->129 131 45.141.233.196, 49724, 49727, 49733 ASDETUKhttpwwwheficedcomGB Bulgaria 58->131 133 167.160.161.247 ASN-QUADRANET-GLOBALUS United States 58->133 107 C:\Users\user\AppData\Local\...\v9d9d.exe, PE32+ 58->107 dropped 109 C:\Users\user\AppData\Local\...\8PdcY8X.exe, PE32+ 58->109 dropped 111 C:\Users\user\AppData\Local\...\1NjnoxK.exe, PE32 58->111 dropped 113 18 other malicious files 58->113 dropped 177 Multi AV Scanner detection for dropped file 58->177 179 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 58->179 181 Contains functionality to start a terminal service 58->181 183 Creates multiple autostart registry keys 58->183 185 Suspicious powershell command line found 63->185 71 powershell.exe 63->71         started        74 conhost.exe 63->74         started        76 9gxDHG6p.exe 2 65->76         started        79 conhost.exe 65->79         started        87 2 other processes 67->87 187 Uses cmd line tools excessively to alter registry or file data 69->187 81 cmd.exe 69->81         started        83 conhost.exe 69->83         started        85 nircmd.exe 69->85         started        89 15 other processes 69->89 file18 signatures19 process20 file21 175 Loading BitLocker PowerShell Module 71->175 119 C:\ymB6Vye\MRBA8uzS.exe, PE32 76->119 dropped 91 tasklist.exe 81->91         started        signatures22 process23
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/daeb66d4ad4a9298585c456eae7024a44d90e3d25d7e5522cf40451884383854
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
CAB:COMPRESSION:LZX Executable PDB Path PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/e94c97add6e37182d6cbeb1b41e819f1
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/daeb66d4ad4a9298585c456eae7024a44d90e3d25d7e5522cf40451884383854/
Threat name:
Win32.Spyware.Lummastealer
Create hunting rule
Status:
Malicious
First seen:
2025-07-25 15:55:00 UTC
File Type:
PE (Exe)
Extracted files:
147
AV detection:
27 of 38 (71.05%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3lvwnvfnjkjjqwc4ivxk44beurgzby6slv7fkiwpibcrrbbyhbka._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
error
Amadey
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:cyber_stealer family:gcleaner family:lumma family:stealc family:vidar family:xmrig family:xworm botnet:8208070b02ab19c5bccfbdc74ec6646e botnet:c0aea96f5dc5ea23da54dbccbac6de78 botnet:fbf543 botnet:logsdillercloud defense_evasion discovery execution loader miner persistence rat spyware stealer trojan upx
Link:
https://tria.ge/reports/250801-hmm1xawkv6/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies registry key
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Launches sc.exe
AutoIT Executable
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Power Settings
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Sets service image path in registry
Stops running service(s)
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner payload
Amadey
Amadey family
CyberStealer
Cyber_stealer family
Detect Vidar Stealer
Detect Xworm Payload
Detects CyberStealer
Disables service(s)
GCleaner
Gcleaner family
Lumma Stealer, LummaC
Lumma family
Modifies WinLogon for persistence
Stealc
Stealc family
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Vidar family
Xmrig family
Xworm
Xworm family
xmrig
Malware Config
C2 Extraction:
https://delfxus.today/xjdz
https://royaltbn.xyz/xaoi
https://columnez.shop/xlak
https://mixp.digital/amnt
https://woodenso.top/xaoi
https://foundrr.bet/zuqy
https://eartheea.life/itiz
https://glassma.live/alpz
https://nanoceus.run/agkr
https://mocadia.com/iuew
https://mastwin.in/qsaz/api
https://precisionbiomeds.com/ikg
https://physicianusepeptides.com/opu
https://vishneviyjazz.ru/neco/api
https://htsfhtdrjbyy1bgxbv.cfd/vcd
https://xurekodip.com/qpdl
https://utvp1.net/zkaj
https://orienderi.com/xori
https://t.me/RONALDOORMESSSSI
https://dravq.asia/wixj/api
http://94.154.35.25
hexa.dnsframe.com:66
http://vppvpkcapital.shop
185.156.73.98
45.91.200.135
https://t.me/dz25gz
https://steamcommunity.com/profiles/76561199880530249
https://paxrobot.digital/webpanel/
Verdict:
Malicious
Tags:
stealer redline Win.Packed.Nanocore-9942160-0
YARA:
win_redline_wextract_hunting_oct_2023
Link:
https://app.threat.zone/submission/0b08a9d7-4e6b-4feb-8cda-13d69a086271
Unpacked files
SH256 hash:
daeb66d4ad4a9298585c456eae7024a44d90e3d25d7e5522cf40451884383854
MD5 hash:
e94c97add6e37182d6cbeb1b41e819f1
SHA1 hash:
112b0ebda1f192e30280d56cc202f26096c87d3c
Link:
https://www.unpac.me/results/7e82d0af-c184-4312-922c-632486a3b5af/
SH256 hash:
e878dfb85bfe69b96b2a854e85f77d77d04391bde93a6406cf3929288230298e
MD5 hash:
e98cb3c0653d77eca31048b2d638d57f
SHA1 hash:
4dea6d708ec43750bcbbea93c650392f65613a50
Link:
https://www.unpac.me/results/7e82d0af-c184-4312-922c-632486a3b5af/
SH256 hash:
168b8cfdd77defedea49d2bd1b500a61be934042f25ae71780f9daa1918d6ff6
MD5 hash:
40fb81e7e11f0e23a8326f66812ba4f0
SHA1 hash:
917901a4601725ed9dcd58fb890bdb9c4ea23626
Link:
https://www.unpac.me/results/7e82d0af-c184-4312-922c-632486a3b5af/
SH256 hash:
d3fdfec1dcbd750679b7da39d79cb299450ac9fbb6910795accc0b0df1643f47
MD5 hash:
45c10f4c962e9b03e49683ed668fd858
SHA1 hash:
4f6ba497c542ca9bfbddfb9ab7452054af1c863a
Link:
https://www.unpac.me/results/7e82d0af-c184-4312-922c-632486a3b5af/
SH256 hash:
15c324e2382123c086af2754cc03548ce321f001ba45a127774e407014481861
MD5 hash:
e4d3e236c65b179aa2798466eb624675
SHA1 hash:
979f6e8f4f5ce3e7755879ca61b044a6d0b1bdb5
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/7e82d0af-c184-4312-922c-632486a3b5af/
SH256 hash:
3c7959d26a0e983a65a0f0cb9501567ad6b7149f9052e649649d1f4f8390480a
MD5 hash:
d6a28e90544f88191342edd75cd1732b
SHA1 hash:
25f16dc288f9f819b113f090227c32f36704c6d1
Link:
https://www.unpac.me/results/7e82d0af-c184-4312-922c-632486a3b5af/
SH256 hash:
a04a637effdfeeeb3b4f5f6ba7f4ea1508d79cda864d1c429e3cb2d53c166ca7
MD5 hash:
06b0536c530753f9066e571221470459
SHA1 hash:
41a6a35ca874dfdcdf931f8004df7b81e97d4cd4
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/7e82d0af-c184-4312-922c-632486a3b5af/
SH256 hash:
9926e0d72043c9a6f3e0d4b0076a1bc9078fecab193c7767b009fcd242197326
MD5 hash:
ccf8274c0cacf19c2ad43cc75911a90a
SHA1 hash:
f0b552d8d9782741002cc8c292eb1c90e6f64df8
Link:
https://www.unpac.me/results/7e82d0af-c184-4312-922c-632486a3b5af/
SH256 hash:
84650e28d06640c00b558b1a80fac3dbb80e6f94b26bdaeee0eb80f1c58fb0f4
MD5 hash:
b64e019681970678d241fd96e184a73a
SHA1 hash:
f340dd298b3bc6e6c26fab53b2930b3db511c868
Link:
https://www.unpac.me/results/7e82d0af-c184-4312-922c-632486a3b5af/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/daeb66d4ad4a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/daeb66d4ad4a9298585c456eae7024a44d90e3d25d7e5522cf40451884383854

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/18240/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::EqualSid
ADVAPI32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetDriveTypeA
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetSystemInfo
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::GetWindowsDirectoryA
KERNEL32.dll::GetSystemDirectoryA
KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryInfoKeyA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageA

Comments