MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8cb739dc56d68cf6124b2f5befa57f906d43bfdf7bc314aded4d601ebd51297. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara 1 Comments

SHA256 hash: a8cb739dc56d68cf6124b2f5befa57f906d43bfdf7bc314aded4d601ebd51297
SHA3-384 hash: ec35a20b3c0356265194d454909a34170d3a01398ebc5176ad598fb146ad137b2076846fd24aac57faf9d6b33debf74e
SHA1 hash: 0289f2187c7d04885c58591682fb0ee777d141b1
MD5 hash: 633cd326ca9d43b7ce9165f0d16e0b91
humanhash: mango-uranus-ceiling-iowa
File name:633cd326ca9d43b7ce9165f0d16e0b91.exe
Download: download sample
Signature Amadey
File size:847'424 bytes
First seen:2020-07-31 10:02:40 UTC
Last seen:2020-07-31 11:09:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 841c66fbfdd98c985cdefc826bf3e1b8
ssdeep 6144:YvjXmfICMc3DyL+vpor9l9fDzFjVbbDhRTFzth7tTDLl9fDzFjVbbDhRTFzth7ts:YbmGC
TLSH 0C059A3FB748DBA099C24DF49E75C3C204FB91A61B0297D581AEA95124EFC7ED43807A
Reporter @abuse_ch
Tags:Amadey exe


Twitter
@abuse_ch
Amadey C2:
http://217.8.117.52/gBvqLn4Dc/index.php

Intelligence


File Origin
# of uploads :
2
# of downloads :
31
Origin country :
US US
Mail intelligence
No data
Vendor Threat Intelligence
Result
Threat name:
Amadey
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Signature
Creates an undocumented autostart registry key
Creates files in alternative data streams (ADS)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Posts data to a JPG file (protocol mismatch)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadey\'s stealer DLL
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 255271 Sample: K8nV75EpfX.exe Startdate: 31/07/2020 Architecture: WINDOWS Score: 100 50 g.msn.com 2->50 52 asf-ris-prod-neurope.northeurope.cloudapp.azure.com 2->52 66 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->66 68 Yara detected Amadey\'s stealer DLL 2->68 70 Yara detected Amadey bot 2->70 72 3 other signatures 2->72 9 K8nV75EpfX.exe 4 2->9         started        13 bdif.exe 2->13         started        signatures3 process4 file5 48 C:\ProgramData\1321ba6d1f\bdif.exe, PE32 9->48 dropped 88 Detected unpacking (changes PE section rights) 9->88 90 Detected unpacking (overwrites its own PE header) 9->90 92 Creates files in alternative data streams (ADS) 9->92 15 bdif.exe 16 9->15         started        signatures6 process7 dnsIp8 56 217.8.117.52, 49721, 49723, 49725 CREXFEXPEX-RUSSIARU Russian Federation 15->56 40 C:\Users\user\AppData\Local\Temp\cred.dll, PE32 15->40 dropped 42 C:\Users\user\AppData\Local\...\cred[1].dll, PE32 15->42 dropped 44 C:\Users\user\AppData\Local\Temp\scr.dll, PE32 15->44 dropped 46 C:\Users\user\AppData\Local\...\scr[1].dll, PE32 15->46 dropped 58 Detected unpacking (changes PE section rights) 15->58 60 Detected unpacking (overwrites its own PE header) 15->60 62 Machine Learning detection for dropped file 15->62 64 Uses cmd line tools excessively to alter registry or file data 15->64 20 rundll32.exe 15->20         started        24 reg.exe 1 15->24         started        26 reg.exe 1 1 15->26         started        28 3 other processes 15->28 file9 signatures10 process11 dnsIp12 54 192.168.2.3, 443, 49614, 49677 unknown unknown 20->54 74 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 20->74 76 Tries to steal Instant Messenger accounts or passwords 20->76 78 Tries to steal Mail credentials (via file access) 20->78 80 Tries to harvest and steal ftp login credentials 20->80 82 Creates an undocumented autostart registry key 24->82 30 conhost.exe 24->30         started        84 Creates multiple autostart registry keys 26->84 32 conhost.exe 26->32         started        86 System process connects to network (likely due to code injection or exploit) 28->86 34 conhost.exe 28->34         started        36 conhost.exe 28->36         started        38 schtasks.exe 1 28->38         started        signatures13 process14
Threat name:
Win32.Trojan.Kryptik
Status:
Malicious
First seen:
2020-07-31 10:04:07 UTC
AV detection:
23 of 31 (74.19%)
Threat level
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
NTFS ADS
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Blacklisted process makes network request
Threat name:
Suspicious File
Score:
0.70

Yara Signatures


Rule name:win_amadey_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe a8cb739dc56d68cf6124b2f5befa57f906d43bfdf7bc314aded4d601ebd51297

(this sample)

  
Delivery method
Distributed via web download

Comments