MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f5a90a24084cad14af5df6aa3164edad769a26e3649c2b8243e2a404983e7b90. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 17

Intelligence 17 IOCs YARA 11 File information Comments

SHA256 hash:	f5a90a24084cad14af5df6aa3164edad769a26e3649c2b8243e2a404983e7b90
SHA3-384 hash:	05d5cec76388cf232aec24af4820d7269c7ff1a29bebd143e6131b1d72881a298d306cc0ce8e1674aedae2322f1b472b
SHA1 hash:	acf622c7eb1fdee888f57ecad30c25442deb8d85
MD5 hash:	b1aa438194d968942e1971004fb3d628
humanhash:	mobile-robin-leopard-four
File name:	file
Download:	download sample
Signature	Amadey Create hunting rule
File size:	202'240 bytes
First seen:	2025-12-13 08:52:39 UTC
Last seen:	2025-12-13 13:36:24 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	9d20241135260a6283527b95f11fc551 (3 x Amadey, 2 x SVCStealer, 1 x Stealc)
ssdeep	3072:mLkiHgZn7CNFBneOI7Aeq63oNZ4rKypSiDX9I24+lgNd+F0PWMelS:mLkiHC7JOI7+5Z4rWk9IHDd+FUK
Threatray	25 similar samples on MalwareBazaar
TLSH	T16D148C243680C072E4B7027145FC9B32597DBE624BB11ADBB3E80F9D8AB45D26B31767
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	Bitsight
Tags:	Amadey b80777 dropped-by-amadey exe

Bitsight

url: http://62.60.226.159/z.exe

Intelligence

File Origin

# of uploads :

# of downloads :

109

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

amadey

ID:

File name:

f5a90a24084cad14af5df6aa3164edad769a26e3649c2b8243e2a404983e7b90.bin.exe

Verdict:

Malicious activity

Analysis date:

2025-12-13 08:38:57 UTC

Tags:

stealer stealc loader auto amadey botnet svc auto-reg clipper diamotrix offloader crypto-regex auto-sch rdp upx

Link:

https://app.any.run/tasks/32041227-b93c-47bb-aff6-64e70ab8bf43

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/44533/

Detection(s):

SecuriteInfo.com.Trojan.Dridex.1505.30053.30233.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=693d29c4a675b653bd10c98b

Tags:

autorun emotet dridex

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug fingerprint lolbin microsoft_visual_cc update

Link:

https://www.filescan.io/uploads/693d29841eac7b9b76a8aba8/reports/ac115963-5e92-47da-9b55-2b60f2c4c6a3/overview

Verdict:

Malicious

Labled as:

Worm/SillyShareCopy

Link:

https://www.hybrid-analysis.com/sample/f5a90a24084cad14af5df6aa3164edad769a26e3649c2b8243e2a404983e7b90

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-12-13T05:49:00Z UTC

Last seen:

2025-12-14T12:08:00Z UTC

Hits:

~1000

Detections:

HEUR:Trojan-Banker.Win32.ClipBanker.gen HEUR:Worm.Win32.Generic Trojan.Scar.HTTP.C&C Trojan.Patched.HTTP.ServerRequest Trojan.Gatak.TCP.C&C PDM:Trojan.Win32.Generic Trojan-PSW.Win64.StealC.sb Trojan.Snojan.HTTP.C&C Trojan-PSW.Lumma.HTTP.C&C Trojan-Banker.Win32.ClipBanker.sb Trojan.Win32.Vimditator.sb Trojan.Win32.Agent.sb HEUR:HackTool.Win32.Inject.heur Trojan-PSW.Win32.Stealer.sb Trojan.Agentb.TCP.C&C MEM:Trojan.Win32.Cometer.gen Backdoor.Win32.Zegost.sb Trojan-PSW.Lumma.HTTP.Download Trojan-Dropper.Win32.Injector.sb Trojan.Win64.Agent.sb

Link:

https://opentip.kaspersky.com/f5a90a24084cad14af5df6aa3164edad769a26e3649c2b8243e2a404983e7b90/results?tab=lookup

Malware family:

Amadey

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6dd7c9ed-e732-4014-8fdf-88abbb1cbb11

Score:

97%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/f5a90a24084cad14af5df6aa3164edad769a26e3649c2b8243e2a404983e7b90

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/b1aa438194d968942e1971004fb3d628

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f5a90a24084cad14af5df6aa3164edad769a26e3649c2b8243e2a404983e7b90/

Verdict:

Malicious

Threat:

Family.STEALC

Link:

https://tip.neiki.dev/file/f5a90a24084cad14af5df6aa3164edad769a26e3649c2b8243e2a404983e7b90

Threat name:

Win32.Spyware.Stealc

Status:

Malicious

First seen:

2025-12-13 08:39:03 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

27 of 36 (75.00%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=6wuqujaijswrjl2562vdczhnvv3jujxdmsocxasd4ksajgb6poia._file

Verdict:

malicious

Label(s):

stealc

unc_loader_073

Amadey

79b120acdb37fd5b5fa927a6ffb370d5a7cbc8039f2e9b31831029d0f16bc38b

Amadey

9b7ebcd4b27ace0f237f2ccab58503340be62a43112f9c537d16f42d40abb715

Amadey

aad0a60cb86e3a56bcd356c6559b92c4dc4a1a960f409fb499cf76c9b5409fdb

Amadey

error

Amadey

+ 15 additional samples on MalwareBazaar

Result

Malware family:

svcstealer

Score:

10/10

Tags:

family:stealc family:svcstealer botnet:vvc discovery downloader execution installer persistence spyware stealer upx

Link:

https://tria.ge/reports/251213-kth2ms1rhn/

Behaviour

Checks SCSI registry key(s)

Checks processor information in registry

Modifies registry class

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Inno Setup is an open-source installation builder for Windows applications.

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Windows directory

Drops autorun.inf file

Drops file in System32 directory

UPX packed file

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Enumerates connected drives

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Stealc

Stealc family

SvcStealer, Diamotrix

Svcstealer family

Malware Config

C2 Extraction:

http://62.60.226.159/zbuyowgn/data.php
http://158.94.208.102/diamo/data.php
http://196.251.107.23/diamo/data.php
http://178.16.53.7/diamo/data.php
http://196.251.107.61/diamo/data.php
http://196.251.107.23

Verdict:

Malicious

Tags:

JS_Nemucod

YARA:

n/a

Link:

https://app.threat.zone/submission/22fcd554-7bf7-45ca-865f-d9066487a76d

Unpacked files

SH256 hash:

f5a90a24084cad14af5df6aa3164edad769a26e3649c2b8243e2a404983e7b90

MD5 hash:

b1aa438194d968942e1971004fb3d628

SHA1 hash:

acf622c7eb1fdee888f57ecad30c25442deb8d85

Link:

https://www.unpac.me/results/4f9e2989-df35-436d-b199-3214203b6ee4/

Malware family:

Amadey

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f5a90a24084c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f5a90a24084cad14af5df6aa3164edad769a26e3649c2b8243e2a404983e7b90

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

exe f5a90a24084cad14af5df6aa3164edad769a26e3649c2b8243e2a404983e7b90

(this sample)

Dropped by

Amadey

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3732856/

Cape

https://www.capesandbox.com/analysis/44533/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample