MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd6d8363c2761f77948a54be192dbbe563d2da9dd8f922102547631ccbd05ebb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 9

Intelligence 9 IOCs YARA 40 File information Comments

SHA256 hash:	dd6d8363c2761f77948a54be192dbbe563d2da9dd8f922102547631ccbd05ebb
SHA3-384 hash:	792b93b693b3c0e5f5819d57071e2d1bc03d21c45c7add5d3352276b8fd33650b7fee0eff10908f0e3248f29e4900b10
SHA1 hash:	5ae860b76720de563a624e13cf79fff0248511aa
MD5 hash:	de2c915331e1f9713e8948f9fceda80d
humanhash:	mirror-north-uncle-twenty
File name:	CommonGatewayServerUltimate(3).exe
Download:	download sample
Signature	Amadey Create hunting rule
File size:	24'895'488 bytes
First seen:	2025-09-19 17:55:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	cf276c2bb83f4154b42219e50ef65804 (1 x Amadey)
ssdeep	393216:4VoBuOLxbcq/+K7swhSvv81/a2VGWOKp5MRsaRr:zuOaqt7s6SvcyCZQRt
TLSH	T16047CF33A26584BDC81AA5314562D339DA349F104F249AC3B7AFB9586C731DC5EF3A0E
TrID	31.3% (.EXE) UPX compressed Win32 Executable (27066/9/6) 19.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 12.1% (.EXE) Win64 Executable (generic) (10522/11/4) 11.5% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2) 7.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Magika	pebin
Reporter	BlinkzSec
Tags:	Amadey exe

Intelligence

File Origin

# of uploads :

# of downloads :

155

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

CommonGatewayServerUltimate(3).exe

Verdict:

No threats detected

Analysis date:

2025-09-19 17:59:33 UTC

Tags:

themida upx ip-check

Link:

https://app.any.run/tasks/7a5216ce-4881-4640-9420-aa33d8bc4454

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/28374/

Detection(s):

SecuriteInfo.com.HTML-8319.UNOFFICIAL

Win.Malware.Generic-10032482-0

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68cd9954246a2631bd31289d

Tags:

n/a

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

Sending a custom TCP request

Searching for analyzing tools

Searching for the window

Creating a window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

amadey anti-vm borland_delphi explorer fingerprint hacktool keylogger lolbin microsoft_visual_cc obfuscated obfuscated oct packed packed packer_detected remote safengine_shielden threat

Link:

https://www.filescan.io/uploads/68cd993e73af424b47e7daba/reports/cdf3e0ee-ece2-4e8a-baa2-90346ec36fad/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/dd6d8363c2761f77948a54be192dbbe563d2da9dd8f922102547631ccbd05ebb

Verdict:

Unknown

File Type:

exe x32

First seen:

2025-09-19T15:13:00Z UTC

Last seen:

2025-09-19T15:13:00Z UTC

Hits:

~1000

Link:

https://opentip.kaspersky.com/dd6d8363c2761f77948a54be192dbbe563d2da9dd8f922102547631ccbd05ebb/results?tab=lookup

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/dd6d8363c2761f77948a54be192dbbe563d2da9dd8f922102547631ccbd05ebb

Verdict:

inconclusive

YARA:

9 match(es)

Tags:

.Net Executable Html PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/de2c915331e1f9713e8948f9fceda80d

Gathering data

Threat name:

Win32.Malware.Heuristic

Status:

Malicious

First seen:

2025-09-19 17:49:18 UTC

File Type:

PE (Exe)

Extracted files:

234

AV detection:

14 of 24 (58.33%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3vwygy6coypxpfekks7bsln34vr5fwu53d4seebfi5rrzs6ql25q._file

Result

Malware family:

n/a

Score:

3/10

Tags:

discovery

Link:

https://tria.ge/reports/250919-whythaek4w/

Behaviour

System Location Discovery: System Language Discovery

Verdict:

Malicious

Tags:

red_team_tool trojan Win.Malware.Generic-10032482-0

YARA:

Chinese_Hacktool_1014 Windows_Generic_Threat_da0f3cbb

Link:

https://app.threat.zone/submission/b7806f8c-c6c7-4510-87a9-9f3c71f20925

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/dd6d8363c276/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/dd6d8363c2761f77948a54be192dbbe563d2da9dd8f922102547631ccbd05ebb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BLOWFISH_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for Blowfish constants

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	botnet_plaintext_c2 Create hunting rule
Author:	cip
Description:	Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name:	Chinese_Hacktool_1014 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects a chinese hacktool with unknown use

Rule name:	Chinese_Hacktool_1014 Create hunting rule
Author:	Florian Roth
Description:	Detects a chinese hacktool with unknown use

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__RemoteAPI Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	Hacktools_CN_Panda_andrew Create hunting rule
Author:	Florian Roth
Description:	Disclosed hacktool set - file andrew.exe - sethc.exe Debugger backdoor

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	TH_Generic_MassHunt_Win_Malware_2025_CYFARE Create hunting rule
Author:	CYFARE
Description:	Generic Windows malware mass-hunt rule - 2025
Reference:	https://cyfare.net/

Rule name:	UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	UPXv20MarkusLaszloReiser Create hunting rule
Author:	malware-lu

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

Rule name:	WHIRLPOOL_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for WhirlPool constants

Rule name:	Windows_Generic_Threat_da0f3cbb Create hunting rule
Author:	Elastic Security

Rule name:	win_amadey_bytecodes_oct_2023 Create hunting rule
Author:	Matthew @ Embee_Research

Rule name:	without_attachments Create hunting rule
Author:	Antonio Sanchez <asanchez@hispasec.com>
Description:	Rule to detect the no presence of any attachment
Reference:	http://laboratorio.blogs.hispasec.com/

Rule name:	with_urls Create hunting rule
Author:	Antonio Sanchez <asanchez@hispasec.com>
Description:	Rule to detect the presence of an or several urls
Reference:	http://laboratorio.blogs.hispasec.com/