MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8bb7089cb231edd0bd09d9611b41f6f23e12e5110dee1c97a1346ef57198c41f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara 1 Comments

SHA256 hash: 8bb7089cb231edd0bd09d9611b41f6f23e12e5110dee1c97a1346ef57198c41f
SHA3-384 hash: f849e83e492311e24b9ae8cf9aa5ae5cd978e1c8eca735b939fa5545c5844c3a1d5f6dd3e8a0fb19c5da73764929b7ba
SHA1 hash: b97e49007f7d75ae33bf67de303a737a1bb1e080
MD5 hash: 983909e9e67f6f54976187f51d865ddd
humanhash: black-gee-pizza-eighteen
File name:983909e9e67f6f54976187f51d865ddd.exe
Download: download sample
Signature Amadey
File size:849'984 bytes
First seen:2020-07-31 16:11:33 UTC
Last seen:2020-07-31 16:49:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 16c09ddb85a9e96fa54b810088d37fac
ssdeep 6144:RJvDXmfICMc3DyL+vpor9l9fDzFjVbbDhRTFzth7tTDLl9fDzFjVbbDhRTFzth7w:RJ7mpARI
TLSH 8A05AA3FB748DBA199C24DF49E75C3C204FB91A61B0293D580AEA95524EFC7ED43807A
Reporter @abuse_ch
Tags:Amadey exe

Intelligence


File Origin
# of uploads :
2
# of downloads :
50
Origin country :
FR FR
Mail intelligence
No data
Vendor Threat Intelligence
Result
Threat name:
Amadey
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Signature
Creates an undocumented autostart registry key
Creates files in alternative data streams (ADS)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Posts data to a JPG file (protocol mismatch)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadey\'s stealer DLL
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 255475 Sample: HARbRs760D.exe Startdate: 01/08/2020 Architecture: WINDOWS Score: 100 54 g.msn.com 2->54 68 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->68 70 Yara detected Amadey\'s stealer DLL 2->70 72 Yara detected Amadey bot 2->72 74 2 other signatures 2->74 9 HARbRs760D.exe 4 2->9         started        13 bdif.exe 2->13         started        signatures3 process4 file5 52 C:\ProgramData\1321ba6d1f\bdif.exe, PE32 9->52 dropped 90 Detected unpacking (changes PE section rights) 9->90 92 Detected unpacking (overwrites its own PE header) 9->92 94 Creates files in alternative data streams (ADS) 9->94 15 bdif.exe 18 9->15         started        20 WerFault.exe 13->20         started        22 WerFault.exe 3 10 13->22         started        signatures6 process7 dnsIp8 58 217.8.117.52, 49747, 49748, 49749 CREXFEXPEX-RUSSIARU Russian Federation 15->58 44 C:\Users\user\AppData\Local\Temp\cred.dll, PE32 15->44 dropped 46 C:\Users\user\AppData\Local\...\cred[1].dll, PE32 15->46 dropped 48 C:\Users\user\AppData\Local\Temp\scr.dll, PE32 15->48 dropped 50 C:\Users\user\AppData\Local\...\scr[1].dll, PE32 15->50 dropped 60 Detected unpacking (changes PE section rights) 15->60 62 Detected unpacking (overwrites its own PE header) 15->62 64 Uses cmd line tools excessively to alter registry or file data 15->64 24 rundll32.exe 15->24         started        28 reg.exe 1 15->28         started        30 reg.exe 1 1 15->30         started        32 3 other processes 15->32 66 Writes to foreign memory regions 20->66 file9 signatures10 process11 dnsIp12 56 192.168.2.5, 443, 49704, 49705 unknown unknown 24->56 76 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->76 78 Tries to steal Instant Messenger accounts or passwords 24->78 80 Tries to steal Mail credentials (via file access) 24->80 82 Tries to harvest and steal ftp login credentials 24->82 84 Creates an undocumented autostart registry key 28->84 34 conhost.exe 28->34         started        86 Creates multiple autostart registry keys 30->86 36 conhost.exe 30->36         started        88 System process connects to network (likely due to code injection or exploit) 32->88 38 conhost.exe 32->38         started        40 conhost.exe 32->40         started        42 schtasks.exe 1 32->42         started        signatures13 process14
Threat name:
Win32.Trojan.Kryptik
Status:
Malicious
First seen:
2020-07-31 16:13:04 UTC
AV detection:
27 of 48 (56.25%)
Threat level
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Behaviour
Creates scheduled task(s)
NTFS ADS
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
NTFS ADS
Suspicious use of WriteProcessMemory
Adds Run key to start application
Adds Run key to start application
Loads dropped DLL
Loads dropped DLL
Blacklisted process makes network request
Executes dropped EXE
Blacklisted process makes network request
Executes dropped EXE
Threat name:
Malicious File
Score:
1.00

Yara Signatures


Rule name:win_amadey_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 8bb7089cb231edd0bd09d9611b41f6f23e12e5110dee1c97a1346ef57198c41f

(this sample)

  
Delivery method
Distributed via web download

Comments