MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9b7e356de34d2478436920772e301162e025b93ca7326a9934ce2a965357091. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 20

SHA256 hash: e9b7e356de34d2478436920772e301162e025b93ca7326a9934ce2a965357091
SHA3-384 hash: 3f1d6b6d7e56608bc462da846b94d4414b11ba2f5d37d1004e7f879fe703bdcc53734272e027710aa3a305b84293be75
SHA1 hash: 889e570e85d3b1db0ea039c171b69d9f87a76777
MD5 hash: b8856ad35346120c9961a4a49f0c46d8
humanhash: mountain-october-spring-charlie
File name: b8856ad35346120c9961a4a49f0c46d8.exe
Signature Amadey
File size: 506'368 bytes
First seen: 2025-12-18 08:56:34 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash a1b7e9db6a3681d8b4e75fe6a58cec23 (1 x Amadey, 1 x SVCStealer)
ssdeep 6144:HeynuG7MCVB+nRVjnT2XvZgXXvWsIvWX+qY0X46odgaKnIz+QfUdAiIEwc/5f3n+:HeyB7MCVAzVaWX+CYg7ni+PdA7xb7PH
Threatray 29 similar samples on MalwareBazaar
TLSH T10FB4D049376410B8E4678238C9579A0AF7F27866077097CF13A483BE6F677D19A3D322
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.6% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags: Amadey exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 125
Origin country: SE
Vendor Threat Intelligence
Malware configuration found for: KINS
Details (KINS): possibly configuration data including urls and a missionid, cryptocurrency addresses, and extracted components
Malware family:
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2025-12-17 22:03:02 UTC
Tags:
stealer stealc auto-sch auto-reg crypto-regex amadey botnet anti-evasion clipper diamotrix python evasion golang upx delphi inno installer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
downloader dropper emotet hype
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
anti-debug exploit explorer fingerprint lolbin packed
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-12-17T19:23:00Z UTC
Last seen:
2025-12-18T12:48:00Z UTC
Hits:
~100
Detections:
Trojan-Banker.Win32.ClipBanker.aglj Trojan.Win64.Agent.sb HEUR:Trojan.Win32.Agentb.gen VHO:Backdoor.Win32.Androm.gen Trojan-PSW.Lumma.HTTP.Download PDM:Trojan.Win32.Generic VHO:Trojan-Banker.Win32.ClipBanker.gen Trojan-Dropper.Win32.Dapato.sb Trojan-Downloader.Win32.Gomal.sb Trojan-Banker.Win32.ClipBanker.sba VHO:Trojan-PSW.Win32.Lumma.gen Trojan.Agentb.TCP.C&C Trojan-PSW.Win32.Lumma.yiu Trojan-Dropper.Win32.Injector.sb Trojan.Scar.HTTP.C&C HEUR:Trojan-Banker.Win32.ClipBanker.gen HEUR:HackTool.Win32.Inject.heur Trojan-PSW.Vidar.HTTP.C&C Trojan-PSW.Win32.Lumma.yiv Trojan-Banker.Win32.ClipBanker.sb Trojan.Win32.Agent.sb Backdoor.Win32.Androm Trojan.Gatak.TCP.C&C Trojan-PSW.Win32.Lumma.zbd Trojan-PSW.Lumma.HTTP.C&C MEM:Trojan.Win32.Cometer.gen Trojan-Downloader.Agent.HTTP.C&C Trojan.Win32.Inject.sb
Result
Threat name:
Amadey, Clipboard Hijacker, Stealc v2
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Contains functionality to start a terminal service
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Early bird code injection technique detected
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking mutex)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected Clipboard Hijacker
Yara detected Stealc v2
Behaviour
Behavior Graph: [graph image not reproduced] Behavior Graph ID: 1835489, Sample: xCRvZF5tN0.exe, Startdate: 18/12/2025, Architecture: WINDOWS, Score: 100
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Verdict:
Malicious
Threat:
VHO:Trojan-Banker.Win32.ClipBanker
Threat name:
Win64.Trojan.PowerLoader
Status:
Malicious
First seen:
2025-12-18 08:57:11 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
18 of 24 (75.00%)
Threat level:
5/5
Result
Malware family:
svcstealer
Score:
10/10
Tags:
family:svcstealer downloader persistence stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Executes dropped EXE
SvcStealer, Diamotrix
Svcstealer family
Malware Config
C2 Extraction:
http://62.60.226.159/zbuyowgn/data.php
http://158.94.208.102/diamo/data.php
http://196.251.107.23/diamo/data.php
http://178.16.53.7/diamo/data.php
http://196.251.107.61/diamo/data.php
Verdict:
Malicious
Tags:
Win.Downloader.Marte-10058294-0
YARA:
n/a
Unpacked files
SHA256 hash:
e9b7e356de34d2478436920772e301162e025b93ca7326a9934ce2a965357091
MD5 hash:
b8856ad35346120c9961a4a49f0c46d8
SHA1 hash:
889e570e85d3b1db0ea039c171b69d9f87a76777
Detections:
win_sdbbot_auto
SHA256 hash:
0963f044513d523292a340588f97d4d31fe4823a95e16a47a8217ee6e5581a70
MD5 hash:
53bac7df8377a7b1a68a6c52bfbfdd69
SHA1 hash:
82be4aa082a10be0b8ce6e74cb6e65b3b1bdd956
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through base64 encoded PowerShell script.
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: TH_Generic_MassHunt_Win_Malware_2025_CYFARE
Author: CYFARE
Description: Generic Windows malware mass-hunt rule - 2025
Reference: https://cyfare.net/
Rule name: win_sdbbot_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.sdbbot.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Amadey
File: Executable exe e9b7e356de34d2478436920772e301162e025b93ca7326a9934ce2a965357091 (this sample)
