MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0020d4df86d5fc878cdf9f071d1fd10821335649eaf1f39a1f891b6c0769b6fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 12

Intelligence 12 IOCs 1 YARA File information Comments

SHA256 hash:	0020d4df86d5fc878cdf9f071d1fd10821335649eaf1f39a1f891b6c0769b6fe
SHA3-384 hash:	fd7236fa6f6f00022c2597e400ac8f68c3a40731f46fca5b82678938d0f853c0b475ac0c1342b47c6bfaac2bea1e1dfd
SHA1 hash:	00885d315a2719948b575ceb6700b86b2b7419d6
MD5 hash:	6cab16e43f8e50ade94c350ea29a3ff5
humanhash:	alaska-bacon-magazine-sink
File name:	6cab16e43f8e50ade94c350ea29a3ff5.exe
Download:	download sample
Signature	Amadey Create hunting rule
File size:	280'064 bytes
First seen:	2022-01-16 17:36:00 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	80720d283b0420bbcbb388cde3e0df65 (6 x RedLineStealer, 2 x Amadey, 2 x RaccoonStealer)
ssdeep	6144:Z9h+IP2paCHVJPqt2W7cMVB2hLqiJDIel8hxoB+ZRnjjmEiA9gu:ZL32prbit2W7cMahLLNIel842RnmEhB
Threatray	3'740 similar samples on MalwareBazaar
TLSH	T1A2549D10BBA0D035E5B712F84A7A97AC752E7BB15B3490CF62D12AEE16396E0DC30717
File icon (PE):
dhash icon	25ac1378319b9b91 (29 x Amadey, 24 x Smoke Loader, 14 x RedLineStealer)
Reporter	abuse_ch
Tags:	Amadey exe

abuse_ch

Amadey C2:
78.47.113.209:5404

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
78.47.113.209:5404	https://threatfox.abuse.ch/ioc/295482/

Intelligence

File Origin

# of uploads :

# of downloads :

516

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

6cab16e43f8e50ade94c350ea29a3ff5.exe

Verdict:

Suspicious activity

Analysis date:

2022-01-16 17:38:19 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/94d40170-c99b-4121-b18a-2db7ba32a8d8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/219623/

Detection(s):

Win.Dropper.Mikey-9917324-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

DNS request

Searching for synchronization primitives

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Sending an HTTP GET request

Creating a file in the %temp% directory

Creating a process from a recently created file

Sending a custom TCP request

Launching a process

Launching the default Windows debugger (dwwin.exe)

Query of malicious DNS domain

Unauthorized injection to a system process

Enabling autorun by creating a file

Sending an HTTP POST request to an infection source

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/4362/overview

Behaviour

MalwareBazaar

CPUID_Instruction

SystemUptime

MeasuringTime

CheckCmdLine

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware mikey packed

Link:

https://www.filescan.io/uploads/61e45785e997359713f99255/reports/42562e41-8d20-4ecc-abba-b0c25be969c3/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/50f6430c-4cfc-48ec-8d5e-2a1fafa5c091

Result

Threat name:

Raccoon RedLine SmokeLoader Tofsee Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/921417

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Allocates memory in foreign processes

Antivirus detection for dropped file

Antivirus detection for URL or domain

Benign windows process drops PE files

Changes security center settings (notifications, updates, antivirus, firewall)

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Contains functionality to detect sleep reduction / modifications

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Drops executables to the windows directory (C:\Windows) and starts them

Found evasive API chain (may stop execution after checking computer name)

Found evasive API chain (may stop execution after checking locale)

Found evasive API chain (may stop execution after checking mutex)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found many strings related to Crypto-Wallets (likely being stolen)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the windows firewall

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file has nameless sections

Performs DNS queries to domains with low reputation

Sigma detected: Copying Sensitive Files with Credential Data

Sigma detected: Suspect Svchost Activity

Sigma detected: Suspicious Svchost Process

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses netsh to modify the Windows network and firewall settings

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected Raccoon Stealer

Yara detected RedLine Stealer

Yara detected SmokeLoader

Yara detected Tofsee

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2022-01-16 17:36:14 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 28 (78.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=aaqnjx4g2x6ipdg7t4dr2h6rbaqtgvsj5ly7hgq7renwyb3jw37a._file

Verdict:

malicious

Amadey

09a996ac5f7ab1a72f0ae488b92997555ef0e89afb8a534b1f608b6e25f40ae1

Amadey

0bc78b7c85f56566d4a7d5698935a3b4147648588cda45ee1b320fc2489f4c4d

Amadey

40e53888088f51617c2460792d953c5d3a8503eb17c3389614d3f8412bf1661d

Amadey

721d393191597d49d856baef2fbde75e48f52d0465e2cfabf1a41848b0e05589

Amadey

adfea20237be615461c44fea423d6043fc74bf1c5303ee33fcecd8acd201291e

Amadey

c2c074381d900532e327a4667664949b3436f8896a1be2e7ead279863cf98036

Amadey

e2e0fcbe61bd5439f825ed3f7f997ecae0e7674a154654b2c3f76b87f2bf190c

Amadey

e5cf74bc10575dcf4a34e37eca0b6765c0dab19eee8d107ee26193f801ac206a

Amadey

+ 3'730 additional samples on MalwareBazaar

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:amadey family:arkei family:raccoon family:smokeloader family:tofsee family:xmrig botnet:default agilenet backdoor discovery evasion miner persistence spyware stealer suricata trojan

Link:

https://tria.ge/reports/220116-v6kq4sgahm/

Behaviour

Checks SCSI registry key(s)

Checks processor information in registry

Creates scheduled task(s)

Enumerates system info in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Launches sc.exe

Drops file in System32 directory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Checks computer location settings

Deletes itself

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Reads user/profile data of web browsers

Creates new service(s)

Downloads MZ/PE file

Executes dropped EXE

Modifies Windows Firewall

Sets service image path in registry

Arkei Stealer Payload

XMRig Miner Payload

Amadey

Arkei

Raccoon

SmokeLoader

Suspicious use of NtCreateProcessExOtherParentProcess

Tofsee

Windows security bypass

suricata: ET MALWARE Amadey CnC Check-In

suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

xmrig

Malware Config

C2 Extraction:

http://host-data-coin-11.com/
http://file-coin-host-12.com/
http://srtuiyhuali.at/
http://fufuiloirtu.com/
http://amogohuigotuli.at/
http://novohudosovu.com/
http://brutuilionust.com/
http://bubushkalioua.com/
http://dumuilistrati.at/
http://verboliatsiaeeees.com/
http://file-file-host4.com/tratata.php
patmushta.info
parubey.info
185.215.113.35/d2VxjasuwS/index.php