MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ddc9c0cb55dc2a75b46a07ae1bd26d2aed8d3982ab039f4e9dbeab67721aff8a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 11

Intelligence 11 IOCs YARA 9 File information Comments

SHA256 hash:	ddc9c0cb55dc2a75b46a07ae1bd26d2aed8d3982ab039f4e9dbeab67721aff8a
SHA3-384 hash:	b66f8d222e5bf2f8d9e3aa7852dffbdc02710715e7060d67795c9023c1577a7a7d8b849ea73e540113c5f2595fa9c153
SHA1 hash:	91b8aeadc7a3c6526897ea430622cd4af32b9322
MD5 hash:	95a083049831608cc89df71343b64cea
humanhash:	sixteen-wolfram-ohio-west
File name:	file
Download:	download sample
Signature	Amadey Create hunting rule
File size:	1'102'336 bytes
First seen:	2026-06-09 18:00:38 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	a252cd53ebc44617e8418747345d10c1 (8 x Amadey)
ssdeep	24576:KLCrua2InCFeiwzFJEUoBmx4I1bzNEhzcJZjF:K+ruaRnC0iwzFgI4oJZjF
TLSH	T1E2359D16B941C071D49401706269BFF2593CAA35672145DBFBD02EB2AD305F3BE3AB2B
TrID	22.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 22.7% (.EXE) Win64 Executable (generic) (6522/11/2) 17.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 15.7% (.EXE) Win32 Executable (generic) (4504/4/1) 7.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	Bitsight
Tags:	Amadey cred.dll dll dropped-by-amadey e7b4fe plugin

Bitsight

url: http://spasopro.at/Lsge63sd3/Plugins/cred.dll

Intelligence

File Origin

# of uploads :

# of downloads :

104

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

Amadey

Details

Link:

https://research.acce.ciphertechsolutions.com/results/8350c8af-8d45-414b-b086-030eb6f7d436/

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/70346/

Detection(s):

Win.Keylogger.Zusy-10017136-0

YARA.SEKOIA_Loader_Amadey_Stealer_Plugin.UNOFFICIAL

Verdict:

Malicious

Score:

81.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a2854e234eaf30d8ce459ee

Tags:

malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a service

Verdict:

Malicious

Labled as:

Lazy.Generic

Link:

https://www.hybrid-analysis.com/sample/ddc9c0cb55dc2a75b46a07ae1bd26d2aed8d3982ab039f4e9dbeab67721aff8a

Verdict:

Clean

File Type:

dll x32

First seen:

2026-06-09T14:44:00Z UTC

Last seen:

2026-06-10T12:57:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/ddc9c0cb55dc2a75b46a07ae1bd26d2aed8d3982ab039f4e9dbeab67721aff8a/results?tab=lookup

Malware family:

Amadey

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8e77ac7a-81d2-47e7-b863-fee2b1f8c383

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ddc9c0cb55dc2a75b46a07ae1bd26d2aed8d3982ab039f4e9dbeab67721aff8a

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ddc9c0cb55dc2a75b46a07ae1bd26d2aed8d3982ab039f4e9dbeab67721aff8a/

Threat name:

Win32.Trojan.Amadey

Status:

Malicious

First seen:

2026-06-09 18:01:53 UTC

File Type:

PE (Dll)

Extracted files:

AV detection:

22 of 36 (61.11%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3xe4bs2v3qvhlndka6xbxutnflwy2omcvmbz6tu5x2vwo4q276fa._file

Verdict:

malicious

Label(s):

amadey

Similar samples:

error

Amadey

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/260609-wltnysgs7r/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

ddc9c0cb55dc2a75b46a07ae1bd26d2aed8d3982ab039f4e9dbeab67721aff8a

MD5 hash:

95a083049831608cc89df71343b64cea

SHA1 hash:

91b8aeadc7a3c6526897ea430622cd4af32b9322

Link:

https://www.unpac.me/results/fdbf5707-2756-4493-b20b-c5f7dfe07bfc/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ddc9c0cb55dc2a75b46a07ae1bd26d2aed8d3982ab039f4e9dbeab67721aff8a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	StealerDLL_Amadey Create hunting rule
Author:	NDA0E
Description:	Detects Amadey's Stealer DLL

Rule name:	TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE Create hunting rule
Author:	CYFARE
Description:	Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:	https://cyfare.net/

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.